EU Data Protection Board adopts age assurance statement with guiding principles

With age check legislation coming to the fore of discussions about online safety, the European Data Protection Board (EDPB) has adopted a statement on age assurance that lists ten principles for compliant processing of personal data.
A release from the EDPB says the goal is to create a “consistent European approach to age assurance, to protect minors while complying with data protection principles,” including the General Data Protection Regulation (GDPR).
Anu Talus, chair of the EDPB, says “age assurance is essential to ensure that children do not access content that is not appropriate for their age. At the same time, the method to verify age must be the least intrusive possible and the personal data of children must be protected. The principles put forward by the EDPB will help the industry to assess an individual’s age in a way that is compliant with data protection principles, while protecting children’s wellbeing.”
The EDPB’s guidelines are positioned to be adopted throughout EU member states. Data protection regulators in Ireland and Spain have already issued statements in support. In a release, the deputy commissioner for Ireland’s Data Protection Commission (DPC), Jennifer Dolan, says “the DPC was delighted to have been a co-rapporteur on this important statement on age assurance published by the EDPB.”
The Spanish Data Protection Agency (AEPD) notes that it has promoted the EDPB guidelines alongside its collaborators from Ireland, as well as regulators in France and Germany.
EDPB’s 10 guiding principles for compliant age assurance technology
The EDPB’s principles are extensive, with the ten interrelated points addressing issues across the age assurance spectrum.
First, age assurance must “respect the full complement of natural persons’ fundamental rights and freedoms, and the best interests of the child should be a primary consideration for all parties involved in the process.”
Second, “age assurance should always be implemented in a risk-based and proportionate manner that is compatible with natural persons’ rights and freedoms,” and “service providers should adopt a risk-based approach when designing and operating their services.”
Third, “age assurance should not lead to any unnecessary data protection risks for natural persons,” especially related to sensitive data such as biometrics and location tracking. “This requires the selection of age assurance approaches that fully comply with the principle of data protection by design and by default.”
Next, age assurance providers and “any third party involved in age assurance should only process the age related attributes that are strictly necessary for their specified, explicit and legitimate Purpose.” In other words, data minimization: collect only the minimal necessary data, and have a clear purpose for whatever data is collected.
Point number five says age assurance must be effective: technology should “demonstrably achieve a level of effectiveness adequate to the purpose for which it is carried out.” This will be evaluated on accessibility, reliability and robustness, i.e. age assurance that can “deal with unexpected situations and resist reasonably likely attempts to trick or bypass the system.”
Six addresses lawfulness, fairness and transparency, and says “service providers and any third party involved in age assurance should ensure that the processing of any personal data for the purposes of age assurance is lawful, fair and transparent to users.” Transparency means clearly telling people what data is being collected and why, which parties are involved, how long it will be retained and whether it will be shared.
“Transparency in the context of age assurance is particularly important when it comes to children. Service providers must ensure that they convey transparency information to children, when concerned, in a way that is clear and easy for them to understand.”
Point seven concerns automated decision-making, any instance of which in the context of age assurance should comply with the GDPR. “If applicable, service providers and any third party involved should provide suitable measures to safeguard natural persons’ rights and freedoms and legitimate interests.” This underlines the importance of regulatory compliance when selecting providers of algorithmic age assurance services.
That said, “the EU legislator has opted for a broad definition of automated decision-making that requires examination on a case-by-case basis.”
The eighth guiding principle on age assurance is data protection by design and by default. “Age assurance should be designed, implemented and evaluated taking into account the most privacy-preserving available methods and technologies in order to meet the requirements of the GDPR and effectively protect the rights of data subjects.”
The ninth principle is security. “Service providers and any third party involved in age assurance should implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” This one comes with a bit of tough medicine: “In practice, given the increasing legal pressure to implement age assurance and the number of providers that may be subject to such rules, the occurrence of security breaches should be expected.” The idea is to do as much as possible to prevent them, and to respond when they do occur.
Finally, the tenth principle is accountability. “Age assurance should operate under a governance framework, ensuring that all processes and systems are designed, implemented, revised, documented, assessed, used, maintained, tested or audited in a way that meets data protection regulations and other legal requirements.”