The processing of children’s personal data is afforded special protection under both the Data Protection Act 2018 (the “Act”) and the GDPR. In addition, the Irish Data Protection Commission (the “DPC”) published a comprehensive guide entitled “Children Front and Centre: Fundamentals for a Child-Oriented Approach to Data Processing” (the “Fundamentals”). The Fundamentals introduced 14 child-specific data protection interpretative principles for organisations to follow when processing children’s data. The Fundamentals cover services that are directed at, intended for, or likely to be accessed by children. In Ireland, for data protection purposes, while a child is somebody under the age of 18 years, the age at which a child can give consent in respect of social media services is 16.
The DPC's focus on organisations processing children's personal data has not softened since the publication of the Fundamentals. As many readers will be aware, in September 2022, Meta Platforms Ireland Limited (aka Instagram) was fined €405 million for breaching the GDPR. Just one year later, in September 2023, TikTok was also fined for similar breaches.
In both cases, the DPC found that the organisations had breached several provisions of the GDPR, including Article 24 and Article 25, as they had failed to "implement appropriate technical measures" to ensure that child users' "rights and freedoms" were protected and that the data protection principles were implemented. The DPC also found that they had breached Article 5, as they failed to have regard to the fundamental principles of lawful data processing and, in particular, the principle of "data minimisation".
Interestingly, the ultimate sanctions were not proposed by the DPC. The DPC submitted a draft decision to all Supervisory Authorities Concerned (CSAs), for the purpose of Article 60(3). While there was broad consensus on the DPC’s proposed findings, objections were raised by some CSAs.
The DPC was unable to reach consensus with the CSAs on the subject-matter of the objections and referred the objections to the EDPB for determination pursuant to the Article 65 GDPR dispute resolution mechanism. Among other issues, the CSAs issued objections concerning the legal basis for processing and the determination of the fine. The DPC subsequently made amendments to its draft decisions following the dispute resolution process.
In light of the engagement between the DPC and CSAs, the DPC is clearly not alone in its scrutiny of organisations that process children's personal data. Indeed, Iceland, Poland and Italy have all imposed fines on organisations that failed to comply with the GDPR when processing children's personal data. Most recently, the Netherlands' data protection authority, Autoriteit Persoonsgegevens ("AP"), expressed concerns about the collection of children's personal data by organisations using generative artificial intelligence ("A.I."), and ChatGPT was suspended in Italy for various reasons, remaining so until it agreed, among other things, to add a button for Italian users to confirm that they were over 18 prior to accessing the service or that they were over 13 with consent from their parents.
There is still a lot of ambiguity and uncertainty around the processing of children's data. We would urge organisations that are processing children's personal data in Ireland and beyond to become familiar with the Fundamentals or to obtain advice tailored to their organisation. The alternative is to face a possible investigation and a significant fine from the DPC.