Data protection laws are changing, and children’s online rights are now at the forefront of the debate.
The European General Data Protection Regulation (‘GDPR’) comes into force in the UK on May 25th 2018. It will give individuals greater control over their personal data and make it easier for them to access it. The ambition behind the EU-wide regulation is to strengthen citizens’ rights and build trust in the digital age. Whilst the GDPR acknowledges that children (those under 18) merit “specific protections” in relation to their data, it offers little guidance on what this higher standard means in practice.
In September 2017, Government introduced the Data Protection Bill (‘the Bill’). The Bill sets out UK-specific derogations from the GDPR, standardises UK data protection law and confirms that the UK will continue to comply with the GDPR post-Brexit. During the passage of the Bill, Baroness Kidron, with the support of Lord Ashton of Hyde (Parliamentary Under-Secretary, Department for Digital, Culture, Media and Sport), Lord Stevenson of Balmacara (Labour Spokesperson), Baroness Harding (Conservative Peer and former CEO of TalkTalk) and Lord Clement-Jones (Liberal Democrat Spokesperson), tabled a set of amendments, introducing the ‘Age-Appropriate Design Code’ (‘the Code’). The Kidron amendments were adopted by Government and now sit at clauses 123-126 of the Bill.
When creating the Code, the Information Commissioner – the UK’s data regulator – is required to consider the development needs of children: that a child’s capacity to act and understand is limited by vulnerabilities and immaturities associated with their age and development stage. The Commissioner must also consider the UK’s obligations as a signatory to the UN Convention on the Rights of a Child, including the obligation to act in the “best interests” of a child.
Aspects of design for which higher standards will be set for children include:
The Code has widespread support, including from senior politicians and peers across the political spectrum, as well as from children’s charities, the NSPCC and the Children’s Society.
In drawing up the Code, the Information Commissioner must consult with children, parents, child advocates, child development experts and trade associations. The Information Commissioner has 18 months from the date on which the Bill is passed to draft the Code. It will then be laid before Parliament for approval. As the first step in its consultation process, the Information Commissioner’s Office will shortly publish an open Call for Evidence, which will be available on their website.
The Code is a statutory code and must be taken into account by the Commissioner when exercising her duties. Organisations who ignore it risk fines of up to £18 million or 4% of global turnover.
The introduction of a high standard of data protection and rights for children is welcomed by 5Rights. The Code is an important step in recognising that a child is a child – even online.
“I hope that all of us can now continue to work to make certain that the same principle is reflected in every aspect of a child’s digital life. There is still much to do. It is stated on the face of the bill that the Code must meet the development needs of children and that the regulator must take account of children, parents and those who advocate for children’s rights online, as well as industry. It is up to us all to make sure that the Code is robust, meaningful and effective for children.” – Baroness Kidron, Founder of 5Rights