Data protection requirements

All processing of personal data of children needs to comply with the data protection principles of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') (i.e. lawfulness and fairness, transparency, data minimisation, data accuracy, purpose limitation, storage limitation, confidentiality, and integrity). Next to this, the GDPR sets out specific requirements for processing children's personal data.

Legal grounds for processing

The GDPR provides for additional conditions for lawful processing of children's personal data. For example, processing necessary for the performance of a contract can only take place if a contract is lawfully concluded under national law, taking into account the age of the child. Also, for the processing necessary for the purposes of the legitimate interests of the controller or third party, it is relevant that children's data is processed. A balancing test carried out this purpose must be taken into account. Moreover, Article 8 of the GDPR provides that parental consent is required for processing of personal data in relation to the offering of information society services directly to a child below 16 years. The notion of offering an information society service directly to a child is interpreted broadly. In the  Netherlands, a child has to be 16 years old in order to give consent. In case that the child is not 16 years old, the controller must take reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility over the child, taking available technology into consideration (see also these FAQs from the European Commission¹).

Transparency

Because children merit specific protection under the GDPR, they must be informed in clear and plain language that they can easily understand². Regulatory guidance states that this particularly includes ensuring that the vocabulary, tone and style of the language used is appropriate to and resonates with children³. This regulatory guidance refers to the child-centred language used in the 'UN Convention on the Rights of the Child in Child Friendly Language⁴.

Apart from using child-centred language, there are additional, more visual methods to comply with GDPR transparency rules. Regulatory guidance provides suggestions how information may be presented, and what may be an appropriate format to inform children, including 'just in-time' contextual pop-up notices, 3D touch or hover-over notices and privacy dashboards. In addition to a layered privacy statement, non-written means include, for example, videos and smartphone or Internet of Things voice alerts, cartoons, animations, infographics, or flowcharts could be used.

National guidance and enforcement

Guidance

National guidance from the AP concerning the protection of children's personal data is currently  limited. In a statement published prior to when the GDPR entered into force, the AP stated that organisations must check whether parental consent actually was given where personal data of children under the age of 16 is being processed⁵.

The Code, which was drawn up on behalf of the Dutch government, provides valuable insights for companies that aim to promote the rights of the child in the development of digital services. The next section discusses the most important aspect of the Code.

Public enforcement

While national guidance is limited, it is clear that the protection of children has a high priority for the AP. In April 2021, the AP has imposed a fine of €750,000 on a video-sharing social networking company for violations of transparency obligations enshrined in the GDPR. In particular, the AP's investigation report concluded that the company had violated the GDPR by not informing children in an understandable language about  to the processing of their personal data⁶. In addition, the AP takes the view that children must be informed in local language about the processing of their personal data. Hence, providing children with a privacy notice in English only does not meet the transparency obligations according to the GDPR⁷. This fine imposed stressed the importance to make use of child-centric language when informing children about the processing of their personal data.

Private enforcement

Protection of children is not only on the agenda of the AP, but may also be pursued by private organisations via class actions. The national class-action law allows a foundation or association to bring a legal claim, including a claim for damages, to court to protect similar interests of people. The legal claim must have a sufficiently close connection to the Dutch jurisdiction. Class actions have been initiated by Dutch NGO Stichting Onderzoek Marktinformatie, and jointly by the Dutch consumer organisations Consumentenbond and Stichting Take Back Your Privacy for alleged breaches of the privacy of children.

The Code

The Code aims to support developers and designers to promote the rights of the child in the context of the development of digital services. The Code consists of ten principles which are operationalised by means of implementation examples. Whereas the principles are in themselves not legally enforceable, they are based on laws and regulations which are legally binding, such as the United Nations Convention on Child Rights,¹¹ the Charter of Fundamental Rights of the European Union,¹² and the GDPR.

Principles

The Code contains the following ten principles:

1. Put the best interests of the child first in the design

This is the guiding principle throughout the Code and requires that a digital service designed for children must take all principles of the Code into account. The performance of a child impact assessment prior to development and during the life cycle of the digital service may help to weigh this principle carefully against other interests.

2. Involve children and their expectations in the design

This principle requires to consider the target group (including age group) the digital service intends to address, and to design the service from the perspective of the group with the most limitations. According to this principle, it is recommended to connect with the children's world and communicate in a way that is appropriate to the development stage of the children concerned.

3. Process personal data in a way that is lawful for children

This principle states that the personal data of children may only be processed as far as this is done in in accordance with the law. It mentions the principle of data minimisation and the importance to be aware of the age category a child because parents may need to be involved (see section legal grounds above).

4. Ensure transparency in a way that is understandable and accessible to children

This principle mentions the transparency requirements as set out above and recommends to design tools within the digital service which allow children to enforce their (data protection) rights. When doing so, age and developmental stage of the child should be taken into account.

5. Conduct a child rights-based PIA

This principle requires to conduct standard child rights-based Privacy Impact Assessment ('PIA') as children are considered vulnerable users. This PIA should be regularly used in order to continuously assess the impact of the digital service.

6. Provide a child-friendly privacy design

This principle requires not to process more personal data than strictly necessary for the fulfilment of the specific purpose of the service. Furthermore, it refers to the principle of Privacy by Design and Default enshrined in the GDPR and recommends to make use of an 'opt-in' regime, standard accessible built-in options to delete data, and to include notifications when the geolocation or microphone functionality is on.

7. Avoid profiling children

Considering that children are vulnerable data subjects, this principle requires to switch profiling functions off by default, unless there is a compelling reason from the child's point of view no to do so and appropriate safeguards are in place.

8. Prevent economic exploitation of children at all times

This principle requires the prevention of exploitation-oriented designs of digital services, such as encouraging in-app purchases, the use of gambling elements and personalised data-driven marketing. It requires to be transparent about the commercial aspects of a service and prevents putting pressure on children to use a product. Furthermore, the use of techniques that encourage purchases from children must be avoided.

9. Avoid design harmful to children at all times

This principle aims to avoid the development of services which may be harmful to children. The latter might be the case if the design exploits the vulnerability of children, does not prevent children from potentially harmful content and behaviour, or if the mental, social, cognitive, or physical development of the child is adversely affected (e.g. excessive use of the service). The principle recommends to take a precautionary approach ('better safe than sorry').

10. Develop industry guidelines

This principle states that the private sector plays an important role in developing and offering digital services. Therefore, the principle encourages companies to contribute to the well-being of children by drawing up guidelines within the industry - preferably in consultation with children.

How the code benefits companies

Overall, the Code provides companies with substantive guidance by means of a set of principles and related practical implementation recommendations. The Code aims to Companies can certainly benefit from the Code and the Code seems to be most helpful when considered prior to the development of digital services intended for children. Furthermore, the annex of the Code contains recommendations on how to communicate with children about privacy according to five relevant age groups. These recommendations aim to provide practical guidance on how to inform children about the processing of their personal data in accordance with the transparency obligations enshrined in the GDPR.

Chantal van Dam Senior Associate
chantal.vandam@​hoganlovells.com
Hogan Lovells LLP, Amsterdam

1. https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/are-there-any-specific-safeguards-data-about-children_en
2. Recital 58 GDPR
3. Article 29 Working Party, Guidelines on transparency under Regulation 2016/679WP260 rev.01.
4. https://sites.unicef.org/rightsite/files/uncrcchilldfriendlylanguage.pdf
5. https://autoriteitpersoonsgegevens.nl/nl/nieuws/mag-ik-onder-de-avg-gegevens-van-kinderen-verwerken
6. https://www.autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/boete_tiktok.pdf
7. Ibid.
8. https://www.unicef.org.uk/what-we-do/un-convention-child-rights
9. Charter of Fundamental Rights of the European Union, OJ C 326, 26.10.2012, p. 391–407