The General Data Protection Regulation and Children: The Information Commissioner's draft guidance
In this latest General Data Protection Regulation (GDPR) consultation, the Information Commissioner (ICO) has its sights set on organisations that handle the personal data of minors. Given the variety of organisations that deal with children within the charity sector alone, producing one-size-fits-all guidance was never going to be an easy task, but – in our view – the ICO has made a reasonably good fist of it.
Who is a child for these purposes?
The Data Protection Act 1998 (and the European Directive that gave rise to it) said nothing specific about children: by contrast, the GDPR does. A "child" for these purposes is as per the UN Convention on the Rights of the Child[1], meaning anyone under the age of 18.
There has been some confusion around age of "data majority", because the GDPR also allows Member States to set an age between 13 and 16 where children are deemed old enough to give a data consent in certain online contexts (see below). The UK has chosen 13, which is more or less in line with the existing ICO view (and fixed rule in Scotland) that 12 is the age at which a child of average maturity – while not legally of majority – begins to understand their own data privacy rights.
That broad assumption is not changing for GDPR purposes. This means, for example, that from around this age parents will still need the child's authority to exercise data subject rights on behalf of the child, including the new "Right to be forgotten" and the existing right of subject access. There will still be occasions when children's data ought to be shared with parents (and others) in pursuance of lawful interests, even if consent cannot be obtained; however, this is an indication of the delicate and often very circumstantial balancing considerations that come into play around how to handle information about a child.
It is important not to let these overlapping and sometimes complex considerations around age detract from the basic principles underpinning the GDPR and children. While data protection rights belong to the individual not the parent (and older children have a degree of self-determination in this regard), the new law recognises that children may be vulnerable and require particular protection all the way up to 18. This ranges from being fully informed about uses of their data at the outset, to the ability to change their mind later.
What does the new law say?
The Recitals to the GDPR (the introductory section, which sets out the principles underpinning the legislation) state:
"Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data."
The Recitals elaborate on this, noting (among other things) that:
- the principle of transparency requires data controllers to make all information easy to understand. This means that where the information is addressed to children, it must be set out in clear and plain language – often requiring a separate Privacy Notice;
- the right for individuals to withdraw consent is particularly relevant where the person concerned gave consent when they were a child;
- where organisations rely on "legitimate interests" rather than consent – a legal basis that must be balanced against the individual's rights and interests – that test must lend particular weight to the interests of a child;
- children should not be subject to automated decision-making processes (including profiling[2]), where these have a legal or similarly significant effect on them.
The GDPR has special rules applicable to data controllers who offer "information society services"[3] to children. Only those aged 13 or over can consent to use of their personal data for these services. Where the child is younger, data controllers will need the consent of someone who has parental responsibility for the child, and must make reasonable efforts to ensure that the adult who gives that consent genuinely does have parental responsibility.
The substantive provisions of the GDPR reinforce the need for information addressed to children to be in an intelligible and easily accessible form, making this a legal requirement. Where such parental consent is relied on, the ICO's draft guidance still suggests it is "good practice" to have a separate Privacy Notice aimed at children and the responsible parent.
In other respects, children have the same rights as adults concerning their personal data. As above, for older children (and certainly teenagers) data controllers must therefore take care to ensure that those with parental responsibility only exercise these on the child's behalf with proper authority and in the child's best interests.
What the guidance contains
The guidance begins with a bullet point "at a glance" summary of the paper's themes. Following that is a checklist for organisations to use as a compliance tool. This covers various matters, including: general GDPR compliance; the legal bases for processing a child's personal data; marketing to children; and privacy notices.
There is an "about this guidance" section, which sets out the purpose of the paper. The next section describes what new obligations the GDPR imposes (and what won't change). After that, we are onto the meat of the guidance, which addresses specific issues:
- the general approach you should take to processing children's personal data;
- what to think about when choosing a legal basis for processing children's personal data;
- the rules about information society services and consent;
- marketing to children[4];
- what to do if you want to profile children or make automated decisions about them;
- how the right to be informed about how personal data will be processed applies to children – including language and presentation;
- what rights children have over their personal data;
- how the right to have personal data erased applies to children.
Each of these sections unpacks the law and offers practical advice on the steps organisations should take to ensure they comply with it. As is usual for ICO guidance, the paper contains links to other guidance – and to the GDPR itself – for those wanting to dig deeper into particular subjects.
Is it accurate and helpful?
Because of the variety of organisations that deal with children's data, the guidance is set at a high level. Although it provides examples of how the law would apply in certain circumstances, the ICO is (understandably) more concerned with companies selling in-app extras to children than with charities hoping to persuade under-18s to sign up to their newsletters, and the examples reflect those priorities.
One area it has avoided, but which is considered in the ICO's draft consent guidance, is the question of re-consenting when a child hits a certain age and the data controller is relying on a prior parental consent. This is one of the areas of most practical impact on organisations, and so it is disappointing this is not run through in any detail.
Even so, the draft does a good job of explaining the law and offering practical suggestions on how to meet its requirements. The checklists towards the beginning of the paper should prove particularly useful, though it goes without saying that compliance should not be treated as a tick box exercise (in this case, a literal one).
Implications for charities
At the risk of stating the obvious, it is not only children's charities that need to be mindful of the need to comply with the GDPR when processing children's personal data.
Some charities offer separate services to adults and children; others undertake activities aimed primarily at adults that are, nonetheless, also accessed by minors. These charities, too, will need to ensure they are ready for the new law – and the ICO has kept such "hybrid" organisations in mind when drafting the guidance. It is also worth remembering that the term "marketing" applies to the promotional and fundraising activities of charities, so the GDPR rules on marketing to children should not be overlooked.
The good news is that the GDPR doesn't represent a fundamental change in the law. Indeed, as the guidance points out, organisations currently adhering to best practice may already be meeting the new standards.
Even so, complacency would be foolhardy. To date, the ICO's GDPR guidance papers have not undergone radical changes between consultation and final publication, so it will be worth taking a look at the draft guidance and checking that your charity is ready for the changes, rather than waiting until the final version is published, which may give you only a little time to put any necessary systems in place. Furthermore, as the guidance says, this is a supplementary paper and should be read alongside the ICO's ever-expanding main GDPR guidance.
Next steps
The consultation closes on 28 February. At the time of writing, the ICO has not given a date for publication of the final version. Given that the GDPR takes effect on 25 May, we would hope to see it before then. However, the ICO has managed expectations in this regard before now and it seems almost certain that at least some guidance will not be finalised until GDPR is already upon us.
Similarly, there are specific provisions that will affect children (in particular around education and child abuse data) written into the current Data Protection Bill that also need to be in force by 25 May. There is no realistic prospect of having guidance around that in time when the text (which will become the Data Protection Act 2018) is not even yet finalised.
The ICO is preaching calm and stressing that good practice in this area should already be clear. Less reassuringly, however, in the same breath it has stressed that a lack of guidance will not therefore be a valid excuse for falling short in one's practices. In the meantime, if anything is unclear or you have any questions, please contact us for advice.
If you require further information on anything covered in this briefing please contact owen.o'[email protected] or [email protected] or your usual contact at the firm on 020 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances. © Farrer & Co LLP, February 2018.
--------
[1] Although this definition did not make the final draft of the GDPR, it is the relevant framework for EU institutions.
[2] "Profiling" means "any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her".
[3] These are defined as services "normally provided for remuneration, at a distance, by electronic means...".
[4] The heading in the draft actually says "What if I want to market Children?", which is the only startling error in the paper.