Children's data Archives - TechGDPR
https://techgdpr.com/blog/tag/childrens-data/
Tue, 02 Sep 2025 14:45:07 +0000

Data protection digest 18-31 Aug 2025: Greater simplification of GDPR, ‘personalisation’ in AI systems
https://techgdpr.com/blog/data-protection-digest-02092025-greater-simplification-of-gdpr-personalisation-in-ai-systems/
Tue, 02 Sep 2025 14:45:06 +0000

An informal discussion is underway for the greater simplification of the GDPR

The Danish EU Presidency is promoting GDPR reform to increase competitiveness by introducing SME-friendly amendments, such as restricting data subject rights in low-risk situations, rationalising DPIAs and requiring a prior mediation step before a complaint can be lodged, the eutechloop.com article states. These follow the precedent set by the Commission’s simplification plan of May this year, which gives small and mid-cap companies (those with fewer than 750 employees) targeted relief from the GDPR’s record-keeping requirement for processing activities (GDPR Art. 30).

In addition, the proposal introduces definitions of SME and SMC in Art. 4 of the GDPR and extends the scope of Art. 40 and 42 GDPR (codes of conduct and certification) to SMCs.

According to an insideprivacy.com article, the following Danish proposals may make it easier for European organisations to process personal data as they:  

  • Define a minimum threshold for when data subject rights apply (Art. 12-20 GDPR). 
  • Clarify when DPIAs are required and consider exemptions or simplifications for SMEs (Art. 35 GDPR). 
  • Make the data subject’s right to complain to the supervisory authority conditional upon certain criteria (eg, prior engagement with the data controller) (Art. 77 GDPR).  
  • Exempt data controllers from having to notify certain data breaches to the supervisory authority, such as “uncomplicated and clearly defined” breaches (Art. 33 GDPR), etc.

The EU is currently re-evaluating its digital policies. This is partly motivated by Mario Draghi’s report on the bloc’s lagging productivity and technology adoption, but is also fuelled by ongoing political pressure from Washington to ease digital regulation in order to unlock trade.

Provisions of data reform in the UK are already in place

On 20 August, a set of provisions of the new Data Use and Access Act 2025 entered into force, covering the ‘overriding’ of data protection law by other legislation and data breach notification, plus reporting and progress requirements on the use of copyright works in the development of AI systems. The Act applies to all data controllers, processors and electronic communications service providers handling personal data.

It inserts new sections into the UK Data Protection Act 2018 to prevent enactments passed after the Act’s commencement from overriding the main data protection requirements (for example, data subject rights cannot be overridden unless a provision expressly says so). The Act also requires personal data breaches to be notified to the Information Commissioner within 72 hours of the controller becoming aware of them, digitalpolicyalert.org sums up.

In parallel, the Information Commissioner’s Office is consulting on draft changes to how it handles data protection complaints. The Data Use and Access Act places new requirements on organisations to operate a complaints process specifically for data protection issues, such as providing an electronic complaints form. Organisations must also acknowledge a complaint within 30 days and respond to it ‘without undue delay’.

Another consultation aims to address the new lawful basis of “recognised legitimate interests”. It will provide a presumption of legitimacy to processing activities for certain pre-approved public interest purposes, including activities such as crime prevention, public security, safeguarding, emergency response, and sharing personal data to help other organisations perform their public tasks.

Cybersecurity of digital products in Switzerland

The Swiss Federal Council, meanwhile, has decided to strengthen the cyber resilience of digital products. Although vulnerabilities in products with digital components need to be prevented or quickly remedied, Switzerland currently has no clear cyber resilience requirements. The new legislation will set out cybersecurity requirements for the development and marketing of products with digital components, establish rules for market surveillance of these products, and lay the groundwork for banning the import and sale of insecure devices.

The legislation will take account of the international context, including the EU’s Cyber Resilience Act, which entered into force on 10 December 2024. A draft bill is to be submitted for consultation by autumn 2026.

Documentation requirements under DORA

What documentation requirements do companies have to fulfil under DORA? The German Federal Financial Supervisory Authority (BaFin) has published an overview with graphic attachments to help companies navigate them. The EU Digital Operational Resilience Act has applied since 17 January 2025 and aims to make the European financial market more resilient to cyber risks and to incidents affecting information and communication technology (ICT).

Software updates and patch releases

Most software needs updating after its initial release to address bugs, newly identified vulnerabilities and changes to features and functionality. But patches and other changes can themselves introduce new cybersecurity and privacy risks, and can impair operations if they are not managed effectively. To support secure software updates and patching, the US National Institute of Standards and Technology (NIST) has finalised updates to its catalogue of security and privacy controls to assist both the developers who create patches and the organisations that receive and deploy them in their own systems.

More from supervisory authorities

Public cloud and data protection: ISO/IEC 27018 provides guidance on protecting personally identifiable information (PII) in public cloud services where the cloud service provider acts as a PII processor. As cloud computing becomes the default mode of service delivery, organisations must ensure that personal data stored and processed in the cloud is properly safeguarded. ISO/IEC 27018 helps cloud providers meet their legal, contractual and ethical obligations regarding PII, supports compliance across jurisdictions, enhances customer trust and gives a clear structure for data protection in the cloud.

IT security label: Manufacturers of smart security solutions can now apply for the IT security label from the German Federal Office for Information Security (BSI). The connected home is part of everyday life for many people, and that includes smart security technology such as app-controlled alarm systems, smart motion sensors, mechatronic security devices (smart locks) and networked smoke detectors. Beyond the physical protection of their own four walls, consumers should also consider the cybersecurity of these digital security solutions. With the IT security label, the security features of smart security technology become transparent to buyers, and manufacturers can use it to distinguish their products on the market.

Protecting child data online

To improve children’s online safety, the European Commission has adopted guidelines for the protection of minors under Art. 28 of the Digital Services Act (DSA). This requires platforms accessible to minors to implement appropriate and proportionate measures to ensure a high level of privacy, security and protection of minors, including: 

  • Age verification and default settings.
  • Interface design that does not encourage prolonged use of the platform by adolescents. 
  • Limits on the processing of behavioural data and prioritising explicit signals from minors regarding desired content.
  • Clear rules regarding harmful content and behaviour, the establishment of coordinated moderation policies, and allowing for the possibility of human review in cases of harmful content.

At the same time, parental controls are best used as a complement to other measures, since their effectiveness varies with family circumstances.

Is it permissible to offer a discount for consenting to receive commercial communications?

The Latvian data protection authority states that a small additional benefit (for example, a symbolic discount that the customer can choose to use or not) may be permissible, provided it does not affect access to the service itself. That is, consent must not be a non-negotiable condition of using the service for its essential purpose, for example making a purchase in an online store.

It is important that benefits tied to consent to the processing of personal data do not put pressure on customers. The benefit should be small enough that a customer who withholds consent does not feel they are receiving a significantly worse offer, since that would undermine their right to decide freely about the processing of their data.

The section for entering contact details to receive news must clearly state the purpose of the processing (sending commercial communications) and must contain a function (usually a tick box) by which the person clearly expresses their wish to receive such communications. Information on withdrawing consent and its consequences must also be easily accessible. The advantage that the vendor offers to customers who opt in to receiving news should appear in this section only as additional information.

GDPR (non) compliance trends

The Icelandic data protection authority’s 2024 report details some progress in GDPR compliance. Notably, the biggest Icelandic insurance firms, which make automated decisions on applications and quote requests for health and life insurance, largely comply with data privacy law. The authority has placed greater emphasis on protecting children’s privacy, as businesses have started to monitor closely how children behave when playing computer games online. In addition, a company that performs genetic analysis in Iceland is facing legal challenges, and the public sector was sanctioned for improper handling of minors’ data in education.

In parallel, the Maltese data protection regulator’s annual report reveals that the majority of complaints received concerned CCTV. Other major areas were data subject access requests and their shortcomings (increasingly in cross-border situations), unsolicited direct marketing and disclosure to third parties, data security and controllers’ information obligations, cookie banners and, finally, the use of AI.

Cancelling membership “not easy”

According to the US FTC’s recent case against the operators of LA Fitness, “not easy” is an understatement for consumers trying to cancel their LA Fitness memberships or related services. For in-person cancellations, LA Fitness designated only one employee (even though multiple employees can sign up new members), effectively restricting cancellations to whenever that person is at the gym, often during hours when consumers are at work.

The FTC alleges that consumers who tried to cancel by mail faced similar obstacles. LA Fitness instructed them to print and mail a hard-to-find cancellation form. Although consumers could cancel by mail without the form, LA Fitness did not disclose which details a cancellation notice had to include, and it instructed consumers to send requests by registered or certified mail. Finally, the FTC says LA Fitness reinforced these practices by training staff to reject cancellation requests made by email or phone.

In other news

YouTube settlement: Google and YouTube have agreed to pay $30 million to settle a long-running class action alleging they unlawfully collected data from children under 13 to serve targeted ads without parental consent. The Google class action settlement, filed in a California federal court, proposes a fund to compensate an estimated 35-45 million children who watched YouTube videos between July 2013 and April 2020. 

“Pay or OK” illegal: According to the privacy advocacy organisation noyb, the Austrian Federal Administrative Court has upheld an earlier ruling by the country’s data protection authority that the Austrian daily DerStandard breached the GDPR when it introduced “Pay or Okay”. According to the court, users must be able to object to, or give separate permission for, each processing purpose. DerStandard was the first news website in Austria to implement a “pay or okay” model: users had to either consent or pay for a monthly subscription, rather than being free to accept or reject tracking by hundreds of third parties.

Non-cooperation with the authority: The Swiss FDPIC has filed a criminal complaint against Add Conti GmbH for failing to cooperate with an investigation. Following several complaints from affected individuals, the FDPIC opened an investigation on 4 June and asked the company to answer a list of questions within 30 days. The FDPIC expressly reminded Add Conti GmbH of its obligation to cooperate and of the fact that deliberate refusal to cooperate is punishable by a fine of up to CHF 250,000. Although the letter was delivered, the FDPIC received no response.

Add Conti was collecting personal data of persons residing in Germany without their knowledge and making it available to German companies for advertising purposes. In addition, the company was not responding to requests for information and deletion.

Major cyberattack on Swedish municipalities

On 23 August, a cyberattack on Miljödata disrupted services in around 200 municipalities, several major private businesses, universities and colleges, with concerns that sensitive data was stolen, news outlets report. The Swedish data protection regulator confirmed that it has already received around 200 incident reports. Managers and HR departments use the affected systems to handle medical certificates, rehabilitation cases and the reporting and management of work-related injuries. The attacker encrypted personal data, cutting the organisations off from it, but the reporting parties do not know how else the data has been affected. In many cases the data concerns employees, including health information and union membership.

‘Personalisation’ in AI systems

The Future of Privacy Forum explains the subject of ‘Personalisation’, which refers to features of AI systems that adapt to an individual user’s preferences, behaviour, history, or context. Personalisation techniques can include long-term memory knowledge bases, short-term conversation history, user and system prompts, settings, and fine-tuning the model after training.

For example, an AI instructor may be able to track a student’s progress on certain subjects, recall their learning interests and level, and modify explanations as necessary. According to some scholars, an AI system must have a complete understanding of its user, including their present emotional state, to be useful in even more sensitive or private situations, such as mental health.

Some of the data a user gives a chatbot, or that the system infers from their interactions, may reflect the user’s personal information, including prejudices and stereotypes. Finally, an AI system that has received or observed user data (such as the newest AI agents from Google, Meta, Anthropic, Microsoft and OpenAI) may be more likely to share that information with third parties, without the user’s consent, in an effort to complete a task.
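As an added illustration of that last point (this is not part of the FPF paper or of the original digest), the following Python sketch shows one way a personalised assistant could gate outgoing tool calls: every remembered item carries the consent the user gave for sharing it, and an external call whose arguments contain an item without that consent is blocked and its arguments redacted. The memory contents, tool names, category list and the `gate`/`find_leaks` helpers are all hypothetical; a production system would also have to catch paraphrased or inferred data, which plain substring matching does not.

```python
import re
from dataclasses import dataclass
from typing import Any, Iterable


@dataclass(frozen=True)
class MemoryItem:
    key: str
    value: str
    category: str           # "contact", "health", "preference", ...
    share_externally: bool  # user explicitly agreed this may go to third parties


@dataclass(frozen=True)
class ToolCall:
    tool: str
    args: Any
    external: bool          # True if the tool sits outside the assistant's trust boundary


# Constructed memory store for a hypothetical assistant; keys and values are made up.
MEMORY = [
    MemoryItem("email", "alex@example.org", "contact", share_externally=True),
    MemoryItem("language", "Danish", "preference", share_externally=True),
    MemoryItem("home", "12 Example Street", "contact", share_externally=False),
    MemoryItem("condition", "type 1 diabetes", "health", share_externally=False),
]

# Special categories (GDPR Art. 9 style): a stored flag is not enough, the user
# must confirm at the moment of the call.
SPECIAL_CATEGORIES = {"health", "biometric", "religion", "union", "ethnicity", "sexuality"}


def _strings(value: Any) -> Iterable[str]:
    """Yield every string leaf of a nested dict/list/str argument structure."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, (list, tuple)):
        for v in value:
            yield from _strings(v)


def find_leaks(call: ToolCall, memory: list, confirmed: bool = False) -> list:
    """Reasons to block: remembered items that appear in the arguments of an
    external call without the consent needed to share them."""
    if not call.external:
        return []
    blob = " ".join(_strings(call.args)).lower()
    reasons = []
    for item in memory:
        if item.value.lower() not in blob:
            continue
        if not item.share_externally:
            reasons.append(f"{item.key}: no consent to share externally")
        elif item.category in SPECIAL_CATEGORIES and not confirmed:
            reasons.append(f"{item.key}: special-category data needs per-call confirmation")
    return reasons


def redact_args(args: Any, memory: list, reasons: list) -> Any:
    """Copy of args with the values behind `reasons` replaced by [redacted], so the
    task can still be attempted without the data the user did not agree to share."""
    blocked_keys = {r.split(":", 1)[0] for r in reasons}
    patterns = [re.compile(re.escape(m.value), re.IGNORECASE)
                for m in memory if m.key in blocked_keys]

    def scrub(v: Any) -> Any:
        if isinstance(v, str):
            for p in patterns:
                v = p.sub("[redacted]", v)
            return v
        if isinstance(v, dict):
            return {k: scrub(x) for k, x in v.items()}
        if isinstance(v, (list, tuple)):
            return [scrub(x) for x in v]
        return v

    return scrub(args)


def gate(call: ToolCall, memory: list = MEMORY, confirmed: bool = False) -> dict:
    """Policy decision for one tool call: allowed as-is, or blocked with redacted args."""
    reasons = find_leaks(call, memory, confirmed)
    if not reasons:
        return {"allowed": True, "args": call.args, "reasons": []}
    return {"allowed": False, "args": redact_args(call.args, memory, reasons), "reasons": reasons}


if __name__ == "__main__":
    booking = ToolCall("book_table", {"guest_email": "alex@example.org",
                                      "note": "Prefers Danish menu; has type 1 diabetes"},
                       external=True)
    print(gate(booking))
```

The point of the design is that the consent decision is attached to the stored item, not re-derived from the prompt: the model cannot talk itself into forwarding the health condition because the gate never asks the model. The same check belongs in front of memory writes that originate from third-party tool results, otherwise an external tool can plant data that later looks like something the user said.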

In case you missed it

Face photo morphs: The US NIST has issued guidelines to help organisations detect face photo morphs and deter identity fraud. Face morphing software, which combines photos of different people into a single image, is being used to commit identity fraud. Morph detection software, which has become more effective in recent years, can help flag questionable photos. However, the most effective defence against morphs in identity fraud is to stop them entering operational systems and workflows in the first place.

In the best cases, single-image detection can catch morphs 100% of the time (at a false detection rate of 1%) if the detector has been trained on examples from the software that generated the morph. However, accuracy can fall well below 40% on morphs generated with software unfamiliar to the detector. Differential detectors are more consistent, with best-case accuracy ranging from 72% to 90% across morphs created with both open-source and closed-source morphing software, but they require an additional genuine photo for comparison.
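The percentages above are operating points: a detection rate measured at a threshold chosen so that bona fide photos are wrongly flagged at most 1% of the time. As an added example (not from NIST or the original post), the Python below computes that threshold from constructed detector scores and then reports the morph detection rate for three invented conditions that mirror the text: a single-image detector on morphs from a familiar tool, the same detector on an unfamiliar tool, and a differential detector. The scores are made up to reproduce the pattern, not measurements.

```python
import math

# Constructed detector scores (not NIST data); higher means "more likely a morph".
# 100 bona fide images, scores spread evenly over [0, 0.5).
BONA_FIDE_SCORES = [i / 200 for i in range(100)]

# Ten morphs scored under three conditions that mirror the text above.
MORPH_SCORES = {
    # single-image detector; morphs made with the tool it was trained on
    "single_image_known_tool":   [0.60, 0.72, 0.81, 0.66, 0.93, 0.58, 0.77, 0.69, 0.88, 0.64],
    # single-image detector; morphs from a tool it has never seen
    "single_image_unknown_tool": [0.20, 0.30, 0.45, 0.50, 0.55, 0.35, 0.41, 0.62, 0.48, 0.49],
    # differential detector: probe compared against a trusted live capture
    "differential":              [0.52, 0.61, 0.58, 0.47, 0.70, 0.66, 0.53, 0.80, 0.49, 0.55],
}


def threshold_at_fdr(bona_fide_scores, max_fdr):
    """Threshold at which the false-detection rate on bona fide images is as high
    as allowed but not above max_fdr.  A sample is flagged when score > threshold,
    so we return the (k+1)-th highest bona fide score with k = floor(max_fdr * n):
    at most k bona fide scores can lie strictly above it (fewer if there are ties)."""
    if not bona_fide_scores:
        raise ValueError("need at least one bona fide score")
    if not 0.0 <= max_fdr < 1.0:
        raise ValueError("max_fdr must be in [0, 1)")
    ranked = sorted(bona_fide_scores, reverse=True)
    # small epsilon guards against 0.01 * n landing a hair below an integer
    k = math.floor(max_fdr * len(ranked) + 1e-9)
    return ranked[k]


def rate_above(scores, threshold):
    """Fraction of scores flagged at this threshold."""
    return sum(1 for s in scores if s > threshold) / len(scores)


def evaluate(bona_fide_scores, morph_sets, max_fdr=0.01):
    """Operating-point report: threshold, realised false-detection rate, and the
    morph detection rate per condition (what MAD evaluations report as
    attack detection at a fixed bona fide error rate)."""
    thr = threshold_at_fdr(bona_fide_scores, max_fdr)
    return {
        "threshold": thr,
        "false_detection_rate": rate_above(bona_fide_scores, thr),
        "detection_rates": {name: rate_above(s, thr) for name, s in morph_sets.items()},
    }


if __name__ == "__main__":
    report = evaluate(BONA_FIDE_SCORES, MORPH_SCORES)
    print(f"threshold {report['threshold']:.3f} at FDR {report['false_detection_rate']:.0%}")
    for name, rate in report["detection_rates"].items():
        print(f"  {name:28s} {rate:.0%}")
```

Two things to keep in mind when reading vendor numbers this way: the threshold is set on bona fide images only, so a detector can look perfect on the tool it was trained on and still miss most morphs from another tool at the very same threshold, which is exactly the drop the text describes; and a false-detection budget of 1% on a bona fide set of a few hundred images allows only a handful of errors, so the resulting threshold is noisy and should be reported with its sample size.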

Data protection digest 3 – 17 May 2024: Wi-Fi tracking, exam monitoring, data theft and extortion
https://techgdpr.com/blog/data-protection-digest-20052024-wi-fi-tracking-exam-monitoring-data-theft-and-extortion/
Tue, 21 May 2024 10:04:16 +0000

In this issue, we explore the privacy implications of emerging technologies in commerce, education, industries and the workplace, such as Wi-Fi tracking, content moderation and algorithmic management.

Wi-Fi tracking

The Spanish data protection regulator AEPD has published guidelines for processing activities that use Wi-Fi tracking. Wi-Fi tracking identifies and follows mobile devices based on the Wi-Fi signals they emit, detecting their presence in a given area and deriving movement patterns. In practice this means capturing the MAC addresses that devices broadcast in probe requests; a MAC address is personal data, and recent phone operating systems randomise it precisely to frustrate this kind of tracking. Practical uses include shopping centres, museums, public spaces, transport and large events, to assess capacity, analyse traffic flows and measure dwell times.

Because the technology makes it possible to follow people’s movements without their knowledge, or without a valid legal basis, Wi-Fi tracking can cause significant privacy problems. Given the risk factors, a Data Protection Impact Assessment (DPIA) must be completed before deployment, even though the party running the tracking may not be fully aware of that responsibility. Using these technologies also requires that easily understandable information be provided via, among other things, audio announcements, public signage, visible information panels and information campaigns.
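To make concrete what “tracking based on Wi-Fi signals” involves, and what the AEPD’s risk concerns bite on, here is an added Python example (not from the AEPD guidance or from this digest) over a constructed sample of probe-request observations: it detects randomised MAC addresses via the locally-administered bit, replaces each MAC with a keyed, daily-rotating pseudonym before anything is stored, and computes per-zone dwell times from the result. The sample timestamps, MAC addresses, zone names and master secret are all invented.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timezone

# Constructed probe-request observations (not a real capture).  Each record is
# (UTC timestamp, source MAC, sensor zone).  The MAC addresses are made up.
SAMPLE_PROBES = [
    ("2025-08-20T10:00:05Z", "a4:5e:60:11:22:33", "entrance"),
    ("2025-08-20T10:00:40Z", "a4:5e:60:11:22:33", "entrance"),
    ("2025-08-20T10:12:10Z", "a4:5e:60:11:22:33", "food-court"),
    ("2025-08-20T10:01:00Z", "da:4f:12:aa:bb:cc", "entrance"),    # randomised (U/L bit set)
    ("2025-08-20T10:03:30Z", "9e:01:02:03:04:05", "entrance"),    # randomised (U/L bit set)
    ("2025-08-20T10:30:00Z", "00:1a:2b:44:55:66", "food-court"),
    ("2025-08-20T10:55:00Z", "00:1a:2b:44:55:66", "food-court"),
]

# Hypothetical master secret; in a real deployment it comes from a KMS/HSM and
# never reaches the sensors or the analytics database.
MASTER_SECRET = b"constructed-master-secret-for-the-example"


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (bit 1 of the first octet) is set.  Randomised MACs
    generated by current phone OSes set this bit; burned-in addresses clear it."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def daily_key(master_secret: bytes, day: str) -> bytes:
    """Per-day key: a device's pseudonym changes every day, so the data supports
    intra-day dwell/flow analysis but not long-term profiling."""
    return hmac.new(master_secret, day.encode(), hashlib.sha256).digest()


def pseudonymise(mac: str, key: bytes) -> str:
    """Keyed hash of the MAC.  An unkeyed hash is not anonymisation: the 48-bit
    MAC space, and the far smaller set of addresses under assigned vendor
    prefixes, is cheap to enumerate and match against."""
    return hmac.new(key, mac.lower().encode(), hashlib.sha256).hexdigest()[:16]


def dwell_times(probes, master_secret=MASTER_SECRET, drop_randomised=True):
    """Map pseudonym -> {zone: dwell seconds}.  Randomised MACs are dropped by
    default: they rotate, so they inflate visitor counts and cannot be followed
    between zones anyway."""
    first_seen, last_seen = {}, {}
    for ts, mac, zone in probes:
        if drop_randomised and is_locally_administered(mac):
            continue
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        pid = pseudonymise(mac, daily_key(master_secret, t.strftime("%Y-%m-%d")))
        k = (pid, zone)
        first_seen[k] = min(first_seen.get(k, t), t)
        last_seen[k] = max(last_seen.get(k, t), t)
    result = defaultdict(dict)
    for (pid, zone), t0 in first_seen.items():
        result[pid][zone] = int((last_seen[(pid, zone)] - t0).total_seconds())
    return dict(result)


if __name__ == "__main__":
    for pid, zones in dwell_times(SAMPLE_PROBES).items():
        print(pid, zones)
```

Dropping randomised addresses and rotating the pseudonym key daily are the kind of minimisation choices a DPIA for such a deployment has to document and justify. Note that a keyed hash is still pseudonymisation rather than anonymisation: whoever holds the master secret can recompute the pseudonym for any MAC and re-identify the device, so the key must be kept away from the analytics side and the raw MACs must never be written to disk.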

Providing public Internet access

Many venues offer internet access to their users: hotels, restaurants, media libraries, museums, transport, etc. According to the French regulator CNIL, those responsible for providing this access are subject to legal obligations to retain “traffic data” and to comply with data protection principles. “Traffic data” is technical information such as the IP address that can identify the device used, the date, time and duration of each connection, or data that identifies the addressee of a communication (e.g. the telephone number called).

In principle, this information should be erased or anonymised. However, some legal texts derogate from this rule by requiring providers to keep it so that the police, gendarmerie and justice services can investigate and prosecute criminal offences. For which data must be kept and for how long, see the original guidance (in French).

Credit bureau databases

Information held in databases about individuals’ financial obligations may adversely affect their ability to obtain loans, states the Latvian data protection authority DVI. To reduce credit risk, promote responsible borrowing and make credit information more readily available, credit information bureaus collect a wide range of credit information on natural persons, based on powers specified in regulatory acts and within deadlines set by law.

Consequently, the mere fact that an individual has not consented to their information being included in such databases, or does not wish it to be collected, does not mean that personal data is being processed unlawfully. Normative acts specify in detail the sources from which a credit bureau obtains its data and the circumstances under which users of credit information may add details about a personal debt to the database (such as late payments, court orders or client approval). Anyone who believes inaccurate data is held in the database should contact the bureau or the source of the credit information with a formal objection, attaching copies of supporting documents.

More official guidance

AI application: The German data protection authorities have published joint guidance on AI and data protection. It is primarily aimed at those responsible for using AI applications – developers, manufacturers and providers of AI systems. It covers many aspects of AI systems from legal bases, transparency obligations and data subject rights along with warnings regarding special categories of personal data and checking results for accuracy and discrimination. Finally, certain usages of AI applications may be inadmissible from the outset. For example, according to the upcoming EU AI Act, “social scoring” and biometric real-time surveillance of public spaces are considered either completely prohibited or only permitted under very strict exceptional conditions.

Privacy-related survey: Meanwhile in Canada, a new survey finds that 12% of businesses across the country collect personal information from minors. Although just 6% of Canadian companies say they currently use AI, nearly a quarter intend to use the technology within the next five years. Actions that businesses report taking to meet their privacy obligations include:

  • designating a privacy officer (56%)
  • having procedures to deal with complaints (53%)
  • having internal privacy policies (50%)
  • having procedures to deal with access requests (50%)
  • providing staff with privacy training (33%)

Car and consumer data: The US Federal Trade Commission reminds us that while connectivity lets drivers do things like play their favourite internet radio stations or unlock their car with an app, connected cars can also collect a lot of data about people. Companies that feed consumer data (which may include sensitive information such as location or biometric data) into algorithms may be liable for harmful automated decisions (for example, ones that affect insurance rates). Finally, if a company gathers a lot of sensitive data and shares it with foreign parties, it may create national security problems.

Legal processes

Germany’s DSA adjustments: The German Digital Services Act (DDG) came into effect on 14 May, creating the national framework needed to implement the EU Digital Services Act (DSA), including adjustments to jurisdiction and information duties, summarises a Taylor Wessing law blog. In particular, a website’s legal notice must be changed if it still expressly refers to the Telemedia Act and the Telecommunications Telemedia Data Protection Act, which no longer apply.

The DSA and its member-state implementing acts apply to all digital services across the EU. Among other things, the DSA sets out rules for advertising on online platforms, including a ban on using certain personal data for advertising purposes. National data protection authorities will generally enforce rules in this area, alongside the designated national regulatory authorities, while supervision of very large online platforms and very large online search engines remains with the Commission in Brussels.

Combating child abuse online: On 15 May, the amending EU regulation (the temporary derogation from the ePrivacy Directive) that allows providers of number-independent interpersonal communications services (e.g. messaging services) to use specific technologies to process personal and other data in order to detect, report and remove online child sexual abuse on their services was extended until 3 April 2026. The extension also requires comprehensive reporting and comparable statistics to be submitted to the authorities and the Commission in a structured format.

Child safety online code of practice

In the UK, the communications regulator Ofcom has set out more than 40 practical steps that digital services must take to keep children safer in its draft recommendations: a) introduce robust age checks to prevent children from seeing harmful content; b) ensure that content-recommending algorithms do not operate in a way that harms children; c) filter harmful material out (a ‘safe search’ setting) or downrank it in recommended content, etc.

The new UK Online Safety Act imposes strict duties on services (“user-to-user services” and “search services”) that children can access, including popular social media sites, apps and search engines. Firms must first assess the risk their service poses to children and then implement safety measures to mitigate it. In some cases this will mean preventing children from accessing all or part of a site or app. Some platforms will be required to publish annual transparency reports, including information about the algorithms they use and their effect on users’ experience, including children’s.

Algorithmic management abuse

Privacy International (PI) reports that companies are increasingly tracking their workers and deploying unaccountable algorithms to make major employment decisions over which workers have little or no control or understanding. While gig-economy workers, content creators and warehouse operatives are at the sharp end of the algorithmic black box, opaque and intrusive surveillance practices are embedding themselves across many industries and workplaces. PI monitors and records these cases by country and by industry and catalogues the resulting harms.

More enforcement decisions

Telephone operator: In Finland, the data protection regulator considers that a telecom operator is entitled to keep its mobile phone customers’ data for three years after the end of the customer relationship. The time limit stems from the fact that, under Finnish law, debts become time-barred after three years. If the information were deleted earlier, the company could not defend itself if a customer or another creditor made claims (invoicing disputes or complaints). In the case at hand, the customer had asked the operator to delete all data about him; the operator had refused, even though the customer relationship had ended more than ten years earlier.

Car rental: In the UK, a car rental management trainee was fined (approx. 800 euros) after unlawfully obtaining customer data. An internal audit found that he had accessed over two hundred customer records across 25 different rental branches. He was dismissed for gross misconduct shortly afterwards. The company had not consented to him obtaining the data, stating that access fell outside his role and there was no business need for it.

Exam monitoring: The Danish data protection authority has completed an inspection of Roskilde Katedralskole’s use of exam monitoring software. The school did not carry out a sufficient risk assessment and consequently failed to ensure data protection by design. It should have taken into account that the examination and the monitoring took place on the student’s own computer, and students should be able to shield confidential information from unintentional disclosure during exams. Policies could, for instance, advise students to use a separate browser for the test that does not save their data.

Data security

Ransom attacks: The UK National Cyber Security Centre explains the potential harm of recent ransom attacks. Some groups have moved to “data theft and extortion only”, without deploying ransomware or encrypting victims’ systems. These tactics, whether ransomware encryption or extortion only, show that cybercriminals will adopt whatever technology (or business model) lets them best exploit their victims.

For example, criminals use ransomware to disrupt logistics companies that need their data to function, but favour extortion-only attacks against healthcare services, where patient privacy is paramount. In a “least-bad” case, the data stolen is system data (needed for the victim’s IT operations to function). In the worst case, sensitive personal data (such as medical or legal information) is compromised.

Healthcare cloud apps: According to a recent Netskope analysis, the average user in the healthcare sector interacts with 22 cloud apps per month, while the top 1% of users engage with 94 apps every month. Across all sectors, the share of malware downloads delivered via cloud applications has steadily declined since its peak a year ago, to around 50% (the other half originates from ordinary websites). The inverse is true for healthcare, where cloud apps now account for nearly 40% of all malware downloads, up from roughly 30% a year earlier.

Azorult, Amadey and NjRat were among the most common malware families targeting the healthcare industry.

Big Tech

Facebook/Instagram investigation: The European Commission has opened an investigation into Facebook and Instagram under the Digital Services Act. The suspected infringements concern Meta’s policies and practices on deceptive advertising and political content on its services. The Commission is also concerned about the unavailability of an effective third-party real-time civic discourse and election-monitoring tool ahead of the European Parliament elections, given Meta’s planned shutdown (on 14 August) of its real-time public insights tool CrowdTangle without an adequate replacement.

The Commission also suspects that the mechanism for flagging illegal content on the services, as well as the user redress and internal complaint mechanisms, do not comply with the requirements of the Act, and that there are shortcomings in Meta's provision of access to publicly available data to researchers. The opening of proceedings is based on a preliminary analysis of the risk assessment report Meta submitted in 2023. Read more about the allegations in the original publication.

The post Data protection digest 3 – 17 May 2024: Wi-Fi tracking, exam monitoring, data theft and extortion appeared first on TechGDPR.

Processing children’s data and implementing age assurance mechanisms https://techgdpr.com/blog/childrens-data-and-implementing-of-age-assurance-mechanisms/ Tue, 30 May 2023 11:11:31 +0000

It is undeniable that children (individuals under 18) make up a large portion of the online population. With more and more content created specifically for children, a UK study by Ofcom has shown that many start consuming content on video-sharing platforms such as YouTube as young as 3 to 4 years old, and that the majority of 8 to 11-year-olds have a social media account. As a result, these platforms and services are processing vast amounts of children's data, whether they intend to or not.

Because of their age and general level of maturity and education, children are considered vulnerable and are granted special rights in most jurisdictions. This is recognised internationally through, for example, the United Nations Convention on the Rights of the Child. That vulnerability is reflected across different areas of legislation, including data protection, leading to specific provisions in the GDPR such as Art. 8, which sets out the conditions under which information society services may process children's data on the basis of consent.

Art. 8 GDPR’s requirements and the age of digital consent

Art. 8 of the GDPR is the only article that specifically regulates the processing of children's personal data. It provides that, where consent is the legal basis for offering information society services directly to a child, the processing is lawful when the child is at least 16 years old (the age of digital consent) or, below that age, only where consent has been given or authorised by the holder of parental responsibility for the child. The GDPR allows each member state to set a lower age limit, provided it is not below 13. Countries such as Germany and the Netherlands have kept the 16-year standard set by the GDPR, while others, including Belgium and the UK prior to its departure from the EU, have lowered the threshold to the minimum of 13. Notably, the UK's current data protection law still sets the age of digital consent at 13.

The inevitable consequence of this provision is that the age of a data subject must first be established with appropriate certainty, so that the service can tell whether these rules apply and take the corresponding steps. However, recent cases and studies have shown that obtaining the consent of a parent or guardian is inherently difficult in practice, because there are rarely mechanisms in place to check that children are being truthful about their age.

Growing concerns about the processing of children’s data

One of the main issues information society services face with children's data is that they are often unaware that many of their users are under the age of digital consent. So far, most platforms have relied on relatively lax self-declaration: the service is offered on the legal assumption that the user is responsible for declaring their age truthfully, which makes it easy to lie about one's age to gain access to a platform where no additional assurance is required.

Ofcom research in the UK has shown that on platforms such as TikTok and Facebook, which only required users to enter a date of birth, the vast majority of under-age users simply entered a date of birth that made them appear older than they are. The problem is that this exposes young users to content that is not safe for their age, and also to the unlawful collection of their personal data by those platforms.

It is therefore unsurprising that Meta and TikTok are the two largest companies to have been fined for misuse of children's data, by the Irish and UK data protection authorities respectively. In fact, the UK's ICO noted that TikTok had been aware of the presence of under-13s on the platform but had not taken adequate steps to remove them.

It is clear that more stringent age assurance techniques need to be developed and implemented so that children's personal data is only processed in accordance with GDPR standards. While the EU has yet to issue specific guidance on the matter, the UK's ICO has published the Children's Code (the Age appropriate design code), a statutory code of practice for online services likely to be accessed by children.

Age assurance mechanisms

Among the Code's 15 standards is the requirement that the product and its features be age-appropriate for the individual users. To achieve this, the Code requires that users' ages be established with a level of certainty that is appropriate to the risks arising from the processing, taking into account the best interests of the child. It is therefore also crucial under the Code to carry out a Data Protection Impact Assessment (DPIA) before processing children's data, in order to evaluate that risk level.

The Code suggests several age assurance mechanisms that information society services may put in place, and the UK children's rights foundation 5Rights has identified additional ones, together with their possible use cases, advantages and risks. Some of these include:

  • Hard identifiers, such as an ID card, passport or other official identifying information. These provide a high level of assurance but raise data minimisation concerns and may lead to a disproportionate loss of privacy. Organisations are generally advised to retain such documents only for as long as it takes to verify the individual's age once, which in turn makes it harder to demonstrate afterwards, for accountability purposes, that the check was carried out; the usual answer is to keep a minimal record of the outcome (method, threshold, result and date) rather than the document itself. YouTube and OnlyFans are examples of information society services that use this mechanism to grant access to age-restricted content.
  • Biometric data relies on artificial intelligence to estimate age from identifiers on a person's face, from natural language processing or from behavioural patterns; facial age estimation from a selfie is the most common form. It carries a high degree of risk because it processes biometric data (a special category of data where it is used for unique identification), because a biased model can discriminate, and because profiling effectively takes place. While it provides a high level of assurance, it also requires very stringent safeguards to ensure the data is processed safely. GoBubble, a social network for children in schools, has been using this kind of age assurance by asking users to submit a selfie at sign-up. Meta is also testing this method on Instagram in partnership with Yoti, one of the leading age assurance technology developers.
  • Capacity testing lets services estimate a user's age through an assessment of their abilities, for example a puzzle, a language test or a task that gives an indication of their age or age range. While this is a safe and engaging option for children and does not require the collection of personal data, it is less accurate at determining a user's specific age, and nothing prevents an older person from completing it on the child's behalf. The Chinese app developer BabyBus uses this methodology in its app, with a test asking users to recognise traditional Chinese characters for numbers.

Figure: OnlyFans' age assurance through ID verification. Credits: OnlyFans.

Figure: Instagram's test biometric age assurance. Credits: Meta.
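The following Python example, added here and not code from the TechGDPR article or from any of the services named above, puts two points of the preceding sections into working form: the Art. 8 threshold check using the per-country ages the text cites (any country not in that table falls back to the GDPR default of 16, an assumption of the example), and the data-minimisation pattern for hard identifiers, where the date of birth read from a document is used once and only an integrity-protected record of the outcome is kept. The record layout, the HMAC-based integrity check, the `hard_id` method label and all function names are the example's own choices, not a standard and not any platform's implementation.

```python
"""Art. 8 GDPR age-of-digital-consent check and a minimal age-assurance record.

Added example, not code from the TechGDPR article or from any platform it
names. Thresholds in DIGITAL_CONSENT_AGE are the ones the text cites; every
other country falls back to the GDPR default (an assumption). The record
layout, the HMAC integrity check and all names are illustrative.
"""
import hashlib
import hmac
import json
from datetime import date, datetime, timezone

GDPR_DEFAULT_AGE = 16   # Art. 8(1): default age of digital consent
GDPR_MINIMUM_AGE = 13   # Art. 8(1): member states may go no lower than this
DIGITAL_CONSENT_AGE = {
    "DE": 16,  # Germany kept the default
    "NL": 16,  # Netherlands kept the default
    "BE": 13,  # Belgium chose the minimum
    "GB": 13,  # UK Data Protection Act 2018 keeps 13 after Brexit
}


def consent_age_for(country: str) -> int:
    """Age of digital consent for an ISO country code (default 16)."""
    age = DIGITAL_CONSENT_AGE.get(country.upper(), GDPR_DEFAULT_AGE)
    if not GDPR_MINIMUM_AGE <= age <= GDPR_DEFAULT_AGE:
        raise ValueError(f"{country}: {age} is outside the Art. 8 range")
    return age


def _as_date(value) -> date:
    """Accept a date or an ISO 8601 string such as '2010-06-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def age_on(dob, today) -> int:
    """Completed years between dob and today; a 29 February birthday is
    counted on 1 March in non-leap years instead of raising an error."""
    dob, today = _as_date(dob), _as_date(today)
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def parental_consent_required(dob, country: str, today) -> bool:
    """True when consent must come from the holder of parental responsibility."""
    return age_on(dob, today) < consent_age_for(country)


def _mac(body: dict, key: bytes) -> str:
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def make_assurance_record(subject_id: str, country: str, over_threshold: bool,
                          method: str, checked_at: datetime, key: bytes) -> dict:
    """What is kept after a one-off check: enough to demonstrate that a check
    happened, by which method, against which threshold and when, plus an HMAC
    so the record cannot be silently edited. No date of birth, document
    number or image is stored; the caller discards the document."""
    body = {
        "subject": subject_id,            # pseudonymous account identifier
        "country": country.upper(),
        "threshold": consent_age_for(country),
        "over_threshold": over_threshold,
        "method": method,                 # e.g. "hard_id" (illustrative label)
        "checked_at": checked_at.astimezone(timezone.utc).isoformat(),
    }
    body["mac"] = _mac(body, key)
    return body


def verify_assurance_record(record: dict, key: bytes) -> bool:
    """Recompute the MAC over every field except 'mac' and compare in
    constant time; any edit to the stored record makes this fail."""
    body = {k: v for k, v in record.items() if k != "mac"}
    return hmac.compare_digest(_mac(body, key), str(record.get("mac", "")))


def check_hard_identifier(document_dob, subject_id: str, country: str,
                          today, key: bytes) -> dict:
    """Hard-identifier flow: read the date of birth from the document, decide,
    and return only the minimal record. The caller must not persist
    document_dob or any other field taken from the document."""
    over = not parental_consent_required(document_dob, country, today)
    checked_at = datetime.combine(_as_date(today), datetime.min.time(),
                                  tzinfo=timezone.utc)
    return make_assurance_record(subject_id, country, over, "hard_id",
                                 checked_at, key)


if __name__ == "__main__":
    key = b"example-key-not-for-production"   # load from a secret store instead
    rec = check_hard_identifier("2010-06-01", "user-123", "BE", "2023-05-30", key)
    print(json.dumps(rec, indent=2))          # aged 12 in Belgium: over_threshold False
    print("untouched record valid:", verify_assurance_record(rec, key))
    forged = {**rec, "over_threshold": True}
    print("forged record valid:", verify_assurance_record(forged, key))
```

The MAC only proves that the stored record has not been altered since it was written by whoever holds the key; it does not prove the check itself was done well, so the method label and the threshold in the record are what an auditor will look at, and the key must live in a secret store rather than in the code.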

More examples and use cases of age assurance mechanisms are provided in the 5Rights report. 

Although it may be difficult to strike a balance between verifying users' ages appropriately before sign-up and avoiding over-intrusive measures, it is apparent that relying solely on the user being truthful about their age is no longer sufficient for most platforms, especially those that process large volumes of personal data, handle sensitive data or use personal data for targeted advertising. With the growing number of very young children accessing the internet, it is important to ensure that they are protected, that their fundamental rights are respected and that the relevant data protection provisions are met. In recent years, large steps have been made in the development of secure identity and age verification technologies, so the tools are available for organisations to meet their GDPR requirements in this respect as well.

TechGDPR is a consultancy based in Berlin offering GDPR compliance assessments, DPO-as-a-service retainers and hourly consulting. TechGDPR consultants help assess the vendors you wish to purchase your solutions from, navigate the complexity of international data transfers as well as guide you through the most compliant roll-out of the solutions you have purchased. TechGDPR routinely trains product development, HR, marketing, sales and procurement teams in understanding data protection requirements. It offers an online training course for software developers, system engineers and product owners.
