The European Data Protection Board has told the European Commission that it should consider the GDPR in its guidelines on the protection of minors under the Digital Services Act.
9664.jpg)
Shutterstock.com/Jarretera
The EDPB published its preliminary assessment this month on the European Commission’s draft guidelines on article 28 of the DSA, under which providers of online platforms must implement measures to ensure “a high level of privacy, safety and security of minors on their service”.
The EU data protection body called for a greater integration of the GDPR where the regulations overlap on governing children’s safety online. It said it welcomed the publication of the European Commission’s draft guidelines last month, which provided “very clear and practical recommendations on what measures providers of online platforms should take to improve the security, safety and privacy of minors”.
The EDPB highlighted the crossover between the children’s online safety regime and data protection, saying that “the safety and security of children online is a major and growing concern that must be balanced with the need to respect the privacy and the protection of personal data of all internet users, including children”.
The EDPB emphasised that the DSA said it was intended to complement “in particular the GDPR and the ePrivacy Directive”.
The EDPB then pointed to examples where the commission could reference the GDPR requirements on protecting children online.
Examples
“We propose to generally discourage the use of algorithmic age estimation because of the current high rates of false positives and negatives, and the significant degree of interference with users’ fundamental right to data protection.”
“Important to flag that providers will also have obligations pursuant to the GDPR in terms of assessing risk of a service and that compliance with these guidelines does not obviate a controller from their data protection compliance obligations, e.g. having to carry out a DPIA.”
“Article 28 (1) DSA is intended to provide protection to minors, and not for all kinds of commercial purposes. The measures in question should therefore be considered in that specific framework. Given the circumstance that the feedback from minors in the context of recommender systems is intended to protect minors against certain unwanted and / or inappropriate content, the EDPB is of the opinion that such information may not be used for the (commercial) purpose of (fine-tuning) personalised (targeted) advertisements to minors, or to enrich the user profile for commercial purposes.”
“We consider that more clarity is needed on ‘’interoperable one-stop-shop tools’’. We believe that children must be able to ‘object’ against the use of a tool by a guardian if such is in the best interest of the child. (For example, when a parent is abusive towards a child, the child should take action against the use of any tools for guardians). This would also be in line with the spirit of article 15(4) GDPR.”
The EDPB said the commission should highlight that all measures adopted by providers of online platforms to comply with article 28 should also comply with the GDPR, and that data protection authorities are the only competent authorities to assess such compliance. The comments further said that the guidelines should “reference the importance of cooperation between all competent regulators and authorities” to ensure that article 28 DSA and the GDPR requirements were applied “in a consistent and coherent manner”.
The EDPB said it plans to publish additional guidance in the context of its children’s guidelines and the interplay between GDPR and DSA.
The European Commission did not respond to a request for comment.