On September 2, 2020, the United Kingdom’s (‘UK’) Information Commissioner’s Office (‘ICO’) published the final version of the Age Appropriate Design Code (‘Code’), which sets out regulatory standards for protecting the data of under-age (child) users online. It was first submitted to the Secretary of State in November 2019, after a year-long public consultation process, and has come into force following parliamentary deliberations. The Code is not a new ‘law’ in itself, but a statutory code of practice issued under Section 125(1)(b) of the Data Protection Act, 2018 (‘the Act’). It prescribes fifteen practices that an organisation or website providing online services needs to adopt in order to protect the best interests of users who are ‘likely’ to be under the age of 18 (eighteen) years, and it relates to Section 123 of the Act, which concerns Information Society Services (‘ISS’) accessed by children.
Features of the Code
The Code contains 15 (fifteen) practices, listed in detail, that information service providers need to adhere to, either if their service is specifically targeted at under-age users or if their users are ‘likely’ to be under-age. The fundamental premise behind the Code is the protection of a child’s basic freedoms under the law (including expression, thought, religion, and association), protection from exploitation (economic, sexual, or of any other form), and the upholding of their privacy. The Code is domestic legislation in its totality, but it aims to regulate the behaviour of ISS providers in a way that is compliant with the various provisions of the General Data Protection Regulation (‘GDPR’). Furthermore, the Code aims to ensure that processing of children’s data is ‘fair’, within the meaning of the GDPR, in light of the risks and dangers under-age users face on the internet and related services. (Under the GDPR definition, an ISS includes all forms of services provided over an electronic medium, including applications, games, toys, connected devices, and websites. However, services such as government websites, police services, websites that merely provide information, broadcasting services, telephony services, and preventive and/or counselling services do not fall within the ambit of a relevant ISS, as per Section 123 of the Act.)
The various prescribed practices for the under-age user (child) include:
(i) Ensuring the best interests of the underage user in the course of any service provided by the ISS;
(ii) Conducting a Data Protection Impact Assessment (‘DPIA’) (the procedure is set out in the Code) before a service is released, in order to identify and safeguard under-age users from potential risks to their basic rights and freedoms;
(iii) A risk-based approach to Age-Appropriate Application (‘AAA’) needs to be taken to recognise the age of the individual user, so that the Code can be applied to them accordingly. This can be done in two ways: a) by establishing the user’s age with a level of certainty that is appropriate to the risks to the rights and freedoms of children arising from the ISS’ data processing; or b) by applying the standards in the Code to ALL users of the ISS, without segregating them by age;
(iv) There needs to be transparency in respect of the privacy information and terms of use the ISS provides to the under-age user. At all times, the ISS must ensure that the information provided to under-age users is prominent, concise, and in clear language suited to their understanding.
(v) In no way shall the data of the under-age user be used detrimentally, as measured against industry codes of practice, regulatory procedures, and/or legislation.
(vi) Careful attention must be paid to the ISS’ policies and community standards, which include, but are not limited to, privacy policies for users, age restrictions on access, behaviour rules, and content display policies.
(vii) The settings of the ISS must be set to ‘high privacy’ by default, unless the ISS can demonstrate an authentic reason for a different default setting; even then, the best interests of the child must be kept in mind.
(viii) At all points in time, data minimisation must be ensured in the collection of the under-age user’s data.
(ix) No data should be shared and/or disclosed by the ISS unless there is a compelling reason to do so, with the best interests of the child kept in mind. However, there is no mention of whether a government entity or court could mandate the sharing of such data.
(x) Geolocation services should be turned off by default by the ISS unless there is a compelling reason not to do so, with the best interests of the child kept in mind. Furthermore, the ISS must provide an obvious sign to under-age users when location tracking is active. At the end of the session, location tracking should revert to being turned off by default.
(xi) At all points in time, under-age users shall be notified by the ISS about any parental controls; further, if such controls are provided, appropriate information about them shall be available to the under-age user at all points in time.
(xii) The under-age user’s data and information shall not be profiled, and profiling shall be turned off by default, unless there is a compelling reason not to do so, with the best interests of the child kept in mind. Furthermore, profiling should only be allowed where requisite safeguards are in place to protect the under-age user from any risks or detrimental effects. Examples of safeguards listed in the Code include ‘contextual tagging’, robust reporting procedures, and elements of human moderation. Safeguards could also include the ISS’ own editorial controls over the content displayed, provided they adhere to the codes of conduct or other regulatory provisions in force under the law.
(xiii) At no point in time shall nudge techniques be used to extract data and/or to steer the under-age user towards options that compromise their privacy. (Nudge techniques, as defined by the Code, are ‘design features which lead or encourage users to follow the designer’s preferred paths in the user’s decision making. For example, in the graphic below the large green ‘yes’ button is presented far more prominently than the small print ‘no’ option, with the result that the user is ‘nudged’ towards answering ‘yes’ rather than ‘no’ to whatever option is being presented’.)
(xiv) If any connected toys or devices, whether physical or online, are associated with a particular ISS’ website or product, the ISS must ensure they include effective tools that enable conformance with the Code at all points in time.
(xv) At all points in time, the ISS must provide under-age users with prominent and accessible online tools that assist them in exercising their basic freedoms and their data protection and privacy rights, and in reporting any concerns to the authorities.
At the end of the Code, directives are given to the ISS on setting up systems and records that demonstrate compliance at all points in time. Adequate training and policies for staff members and for overall functioning should be in place too. In terms of enforcement, the ICO will take steps to ensure the conformance of ISS with the Code, address complaints and grievances, and take action against defaulters who fail to comply with any provision. It can also issue notices, warnings, reprimands, enforcement or penalty notices, and/or charge fines of up to EUR 20,000,000 (twenty million) (which will become EUR 17,500,000 (seventeen million and five hundred thousand) once the UK GDPR comes into effect), or 4% (four percent) of the annual turnover of the company. The enforcement of the Code and of the use of children’s data under the GDPR is carried forward under the ICO’s Regulatory Action Policy (‘RAP’).
BlockSuits Comments
Preliminary observations that raise cause for concern around the Code include how an ISS is to identify its audience, the circumstances in which it must do so, and the implications of that process. Every ISS (local or international) that provides a service in the UK is expected to adhere to the provisions of the Code even if the service is not targeted at under-age users, so long as it is ‘likely’ to be accessed by them. In effect, this opens the floodgates for service providers to screen the data of all users in order to determine whether under-age users will be accessing the service. Beyond increasing compliance costs, this places the data of citizens (irrespective of age category) under the constant scrutiny of the ISS, which must carry out such screening in order to abide by the Code. Furthermore, there is an absence of any technical guidelines or directives to aid the ISS in carrying out its operations so as to achieve the provisions of the Code. This leaves service providers bearing the risk in terms of the technologies to be used and the economic impact, without any precise direction from the ICO setting a threshold or standard that could serve as a model to be followed.
Another compelling point to examine is the overall financial impact of the Code, which will extend to pan-European and international ISS providers as well, although it is a domestic statutory practice and not part of the GDPR per se. No assessment or calculation has been made in this regard, and therefore there are no concrete statistics on the additional amount an ISS will need to spend in adhering to this Code. Apart from this, some concerns arise over the model to be followed to ensure transparency, prevent detrimental risks, publicise community and policy standards, and make use of parental controls and online tools. As a whole, these processes seem cumbersome and intimidating for an under-age user to understand and use, given their lack of awareness and the sensitivity of the data involved.
The Code came into force on September 2, 2020, with a 12 (twelve) month transition period during which industry stakeholders and entities need to adapt their regular practice to these provisions. Although lawmakers have assured that the Code is achievable and will not create additional hurdles for service providers, the practicality of the Code is certainly not free from critique.
Authored by Mustafa Rajkotwala, Officer, Data and Innovations, BlockSuits.