AEPD publishes analysis on the protection of children in the digital environment

  • The document focuses on the obligation to comply with data protection principles, along with other regulations that complement or deepen the protection of minors.
  • Today, many internet services implement strategies based on reacting once the damage has already occurred, rather than developing proactive policies.
  • The Agency underlines the importance of having an age verification system that maintains the burden of proof on the person who is aged to access content and never in the child.
     
Nota técnica internet seguro por defecto

(2 October 2024). The Spanish Data Protection Agency (AEPD) has published ‘A Safe Internet by default for children and the role of age verification’, in which it analyses how children and adolescents can be protected on the internet without this entailing surveillance and invasion of the privacy of all users, and without exposing children to being located and exposed to new risks. This analysis focuses on the obligation to comply with the data protection principles set out in the General Data Protection Regulation (GDPR), together with other regulations that complement or deepen the protection of minors.

The document shows different strategies for protecting children and adolescents (children and adolescents) on the internet, identifying different use cases: protection against inappropriate content, safe environments for children, consent to the processing of personal data and child-friendly design. Each use case analysed is subject to different regulatory frameworks and, as a common framework, to the GDPR for the processing of personal data.

The published analysis explains that, at present, many internet services have strategies based, at best, on reacting once damage or impact has already been identified. One variation is to enable internet service providers to know who is a minor, as with the creation of dedicated NNA spaces or accounts. These strategies require intrusive intervention in the form of surveillance or profiling that violates the privacy of all users: they allow the child to be located and easily accessible to any malicious actor, to legitimise the processing of additional personal data of NNA, to adapt messages to make decisions that are not their own, or to hide purposes of profiling in relation to misleading or addictive patterns, loyalty, recruitment, consumption or monetisation of personal data.

The Agency collects examples and good practices to protect children from risks related to access to content for adults, such as contact with people who may endanger them, procurement of products and services, monetisation of their personal data, induction of addictive behaviours affecting their physical or mental integrity and other aspects.

The Agency also underlines the importance of having an age verification system that maintains the burden of proof on the person who is aged to access content, and never on the child. Thus, the child must not prove that he or she is a minor or show its nature in order for content, contacts, behaviours or contracts to be blocked.

The implementation of an age verification system requires that internet services be adapted so that it is effective, does not create new risks, does not allow minors to be located and does not result in the loss of freedoms for all internet users. To do so, such adaptation should comply with the principles of minimisation of the processing of personal data by design and by default.

The Agency recalls that decisions to manage the risks to which minors are subject should have a personal data protection impact assessment (DPIA). To pass a DPIA, it is necessary to comply, inter alia, with the principle of data minimisation and, in the case of age verification, the system does not need to verify a specific age or date of birth, but only the exceedance of the established age threshold.