The following is a guest post by Clare Feikert-Ahalt, a senior foreign law specialist at the Law Library of Congress covering the United Kingdom and several other jurisdictions. Clare has written numerous posts for In Custodia Legis, including 100 Years of “Poppy Day” in the United Kingdom; Weird Laws, or Urban Legends?; FALQs: Brexit Referendum; and The UK’s Legal Response to the London Bombings of 7/7.
The Law Library recently published a report titled Children’s Online Privacy and Data Protection for Ireland. This adds Ireland to the Law Library’s report on this subject that cover 10 jurisdictions: the European Union (EU) and its member states of Denmark, France, Germany, Greece, Portugal, Spain, Sweden, and Romania, and the non-EU member of the United Kingdom (UK).
As Ireland is a member of the European Union, it must follow the General Data Protection Regulation (GDPR), which took effect in all EU member states, plus the UK, on May 25, 2018. Ireland implemented the Data Protection Act in 2018 to give effect to certain aspects of the GDPR in its domestic laws. This Act also established the Data Protection Commission (DPC), which is the national independent authority in Ireland that supervises the GDPR and ensures it is implemented.
Children’s personal data is provided with special protection under both the 2018 Act and the GDPR. In December 2020, the DPC published a draft code, titled Fundamentals for a Child-Oriented Approach to Data Processing (known as “the Fundamentals”), under the Data Protection Act. The Fundamentals aim to clarify the principles in the obligations under the GDPR and set “high-level obligations” that organizations must take before processing children’s data, and highlight that the best interests of the child take precedence over any legitimate business interests.
Since the Law Library’s report was published, on November 19, 2021, the DPC published a report into the findings of the public consultation on the Fundamentals. In this report, the DPC concluded “[t]he best interests of the child must ground the actions of all data controllers, and there must be a floor of protection below which no user, and in particular no child user, drops” and that it is satisfied that the broad approach of applying the Fundamentals to services that are likely to be accessed by children is the correct one to take, but stated that it will add text to help clarify this, and some of the other Fundamentals, further.
The DPC stated that it will work to finalize the Fundamentals and publish them. It notes that once the Fundamentals are published in their final form they “will have immediate effect and there will be no lead-in period for compliance.” The DPC has stated that this is because the Fundamentals are not a statutory code, nor are they, in essence, new obligations for organizations, noting:
the GDPR is now more than 3 years into its application. Organisations which process children’s personal data – particularly in the digital sectors where business models are predicated upon the processing of personal data for the provision of services – should throughout that period, in line with their accountability obligations under GDPR, have been constantly keeping their child protective measures under review and revision in order to achieve the higher standards of protection which the GDPR requires in relation to the processing of children’s data.
Thus, once the DPC publishes the Fundamentals in their final form they will enter into effect and the DPC will consider an organization’s compliance with the Fundamentals when assessing whether it has met the obligations of the GDPR.
Subscribe to In Custodia Legis – it’s free! – to receive interesting posts drawn from the Law Library of Congress’s vast collections and our staff’s expertise in U.S., foreign, and international law.