
Navigating Age Assurance: Another Layer, Insights from the EDPB

The European Data Protection Board (EDPB) has issued its first meaningful statement on age assurance in the digital environment.

While it does not introduce fundamentally new concepts, this statement is significant because it shapes regulatory expectations for age assurance in Ireland and Europe, alongside Coimisiún na Meán’s online safety code and the Data Protection Commission’s (DPC) Child Fundamentals.

Overview of the EDPB Statement

The EDPB outlines ten principles for processing personal data when determining an individual’s age or age range, acknowledging the three primary categories of age assurance: age estimation, age verification, and self-declaration. Each principle is based on existing General Data Protection Regulation (GDPR) requirements, a summary of which is outlined below:

1. Rights and Freedoms
Age assurance must respect all fundamental rights, with the child’s best interests being a primary consideration. This includes their right to data protection, protection from violence and all other forms of exploitation.

2. Risk-Based Assessment of Proportionality
Providers should adopt a risk-based approach, demonstrating the necessity and proportionality of age assurance measures by assessing risks to children’s rights. They must also respect users’ rights and freedoms by conducting a Data Protection Impact Assessment (DPIA) when necessary to balance safety measures with data protection. The EDPB also adds that a Child Rights Impact Assessment (CRIA) can form part of a DPIA.

Outside the realm of the GDPR, there was an indication from the EU’s European Board for Digital Services’ board minutes late last year that CRIAs will be recommended via guidelines by the EU in the context of Article 28 Digital Services Act compliance. We will continue to monitor any development in this regard.

3. Prevention of Data Protection Risks
Age assurance must not lead to unnecessary tracking, profiling, or personal data risks. Viable alternative age assurance methods and technologies should be provided to users who cannot or do not wish to use a specific method of age assurance due to the data protection risks they present.

While not specific to this EDPB statement, there is some relevance and application here from the EDPB’s recent Opinion on AI models, which we previously discussed here. In that opinion, the EDPB considers location and financial data to be “types of ordinary personal data” that nonetheless reveal highly sensitive information about individuals. This may be relevant where such data (particularly location data) is used for tracking, profiling, etc.

4. Purpose Limitation and Data Minimisation
Controllers should collect only the personal data necessary, adequate, and relevant for their intended purposes, ensuring data minimisation aligns with the principles of necessity and proportionality. For instance, the EDPB suggests that a tokenised approach may be used where a third-party provider verifies age, and the service provider only sees if the user is over or under a certain age threshold.

5. Effectiveness
Age assurance should be broadly accessible, offering alternative methods for those at risk of discrimination and complying with accessibility legislation. It must be reliable in determining age-related requirements, with appropriate redress mechanisms for affected users. Additionally, age assurance should be robust, capable of handling unexpected situations and resisting attempts to bypass the system.

6. Lawfulness, Fairness, and Transparency
Service providers must have a valid legal basis and ensure clear, transparent communication about age assurance processes. Transparency is particularly important when it comes to children, and where children are concerned, service providers must convey information in a way that is clear and easy for them to understand.

Again, while not specific to this EDPB statement, there is some relevance and application here with the EDPB’s recent Opinion on AI models. In the opinion, the EDPB considered alternative approaches to meeting transparency requirements such as media campaigns, e-mail campaigns using graphic visualisation, FAQs, transparency labels/cards, and annual transparency reports voluntarily.

7. Automated Decision-Making
If automated systems are used, safeguards such as human intervention and appeal mechanisms must be in place. Particular attention should be paid where children are concerned. The statement also notes that, depending on the architecture of the age assurance process, controllers must identify whom the data subject should contact to exercise their rights.

8. Data Protection by Design and Default
Controllers must ensure data protection by design and default, avoiding unnecessary access to personal data and regularly updating systems to reflect technological advancements. The EDPB recommends using state-of-the-art technologies (i.e. Privacy Enhancing Techniques) that favour user-held data and secure local processing, allowing properties like ‘unlinkability’ and selective disclosure, single-use credentials, zero-knowledge proofs, etc.
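The tokenised approach described under Principle 4 and the single-use, data-minimised credentials mentioned under Principle 8 can be made concrete in code. The following is an added illustration written for this article; it is not code from the EDPB statement, from any age-assurance provider, or from William Fry. It assumes a constructed shared HMAC secret between the age-assurance provider and the service (a simplification; a real deployment would verify the provider’s digital signature with a public key), a constructed date of birth and a fixed “today” so that it runs offline. The provider sees the date of birth, computes only whether the user is over the threshold, and issues a token that carries no date of birth, no name and no account identifier. The service checks the signature, the threshold, the expiry and that the token’s nonce has not been redeemed before (single use).

```python
import base64
import hashlib
import hmac
import json
import secrets
from datetime import date

THRESHOLD = 18
# Constructed shared secret (assumption for this illustration). A deployed
# system would use the provider's asymmetric signing key instead of HMAC.
ISSUER_KEY = b"constructed-demo-secret"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def age_on(dob: date, today: date) -> int:
    """Whole years between dob and today, honouring the birthday boundary."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def issue_token(dob: date, today: date, threshold: int = THRESHOLD,
                ttl_days: int = 1, key: bytes = ISSUER_KEY) -> str:
    """Provider side: sees the date of birth, emits only an over/under assertion.

    The payload deliberately contains no date of birth and no identifier;
    the random nonce makes each token single-use.
    """
    payload = {
        "over": age_on(dob, today) >= threshold,
        "thr": threshold,
        "exp": today.toordinal() + ttl_days,   # short validity window
        "nonce": secrets.token_hex(8),
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def token_fields(token: str) -> dict:
    """Decode the (unauthenticated) payload, e.g. to audit what a token reveals."""
    return json.loads(_unb64(token.split(".")[0]))


class RelyingService:
    """Service side: learns only the over/under result, never the birth date."""

    def __init__(self, key: bytes = ISSUER_KEY):
        self.key = key
        self.used_nonces = set()   # replay protection for single-use tokens

    def verify(self, token: str, today: date, threshold: int = THRESHOLD) -> tuple:
        try:
            body, sig = token.split(".")
        except ValueError:
            return (False, "malformed")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return (False, "bad signature")
        fields = json.loads(_unb64(body))
        if fields.get("thr") != threshold:
            return (False, "wrong threshold")
        if fields.get("exp", 0) < today.toordinal():
            return (False, "expired")
        if fields["nonce"] in self.used_nonces:
            return (False, "replay")
        self.used_nonces.add(fields["nonce"])
        if not fields["over"]:
            return (False, "under threshold")
        return (True, "ok")


if __name__ == "__main__":
    today = date(2025, 6, 1)                    # constructed "current" date
    svc = RelyingService()
    tok = issue_token(date(2000, 1, 1), today)  # constructed date of birth
    print(token_fields(tok))                    # no dob, no identity in the token
    print(svc.verify(tok, today))               # (True, 'ok')
    print(svc.verify(tok, today))               # (False, 'replay')
```

Inspecting `token_fields` on an issued token is a quick audit of the data-minimisation claim: the service is never handed the date of birth, only a boolean against a named threshold. Note what this simple design does not provide: if the provider is later told which service redeemed a nonce, it can link the two events, so the ‘unlinkability’ the EDPB refers to requires the further techniques it lists (selective disclosure credentials or zero-knowledge proofs), which are outside this illustration.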

9. Security
Given the legal pressure to implement age assurance, controllers need to implement and maintain appropriate technical and organisational measures to detect and react promptly to breaches and to ensure the resilience and availability of the age assurance system. The EDPB adds that breaches should be expected and, as such, providers should be ready for them.

The EDPB provides that the ability to promptly restore the availability of age assurance after a security breach should also be considered essential. It is crucial to ensure the resilience of the age assurance ecosystem, favouring the existence of different alternatives and loosely coupled parties that do not depend so much on each other that the failure or breakdown of one would cause significant access limitations. This principle overlaps with the Network and Information Security 2 Directive requirements for digital providers (see our NIS2 article series here).

10. Accountability
Providers must maintain governance frameworks to define responsibilities, ensure age assurance is auditable, and promote transparency and trust among data subjects.

Practical Implications: Another Layer in a Patchwork of Rules

As things stand, the ‘rules’ for age assurance in Europe consist of a patchwork of legal frameworks from the GDPR, the Digital Services Act and the Audiovisual Media Services Directive – each of which implies or explicitly requires age assurance. However, the specifics remain unclear and are left to providers to determine.

For those operating in the online space, especially where user bases are primarily children, it is essential to use this statement as a reference point. While EDPB statements are non-binding, this latest development provides a road map towards GDPR compliance, as it will be taken into account by data protection authorities from an enforcement and supervision perspective. This statement is a positive move towards providing stakeholders with greater clarity in this area.

If you would like to discuss the implications of this statement in further detail to determine any necessary actions to ensure compliance, please contact Rachel Hayes, Laura Casey, or your usual William Fry contact.

Contributed by Laura Casey, Caoimhe Neill.