Some Reflections on Working Document 1/2008 of Article 29 Data Protection Working Party
By Diego Ramos
Traditionally, it has been pointed out that one of the main differences between the US and the European Union legal systems is the manner in which they regulate privacy. Whilst the European Union prefers a transversal approach, in which general principles and categories apply to all the potential groups of data subjects, US legislators favour the view that each group shall be protected in a specific manner. In other words, in the US, privacy is a concept that holds a slightly different meaning depending on the profile of the individual that claims such right. Patients undergoing medical treatment and children are groups that deserve their privacy to be protected, yes, but each of them in a distinct manner.
The European approach is hardly groundless. It has a lot to do with the internal structure and the overall purposes of the Union. Harmonization of national legislations is one of the main goals, and a goal that would likely fail if emphasis were to be put on the peculiarities of individual groups of data subjects instead of defining general categories. Leaving politics aside, the facts are that the current Working Document 1/2008 of Article 29 Data Protection Working Party (the Document) was released in February, almost one decade after the 1998 Children's Online Privacy Protection Act (COPPA) was enacted in the US. Given that the Document is not legally binding and that its main conclusion is that the current legal framework in the European Union is adequate, in general terms, to protect children's privacy in the Union, it is envisageable that the gap between the US and the European Union on this particular point of law will remain.
It would be extremely unfair to conclude that the European approach regarding children's privacy is somehow defective. Exactly the opposite. Enforcement on privacy cases involving children has been particularly strong and effective in Europe in recent years. Public opinion across the European Union would normally reflect agreement with the Document in that the level of protection given to children's privacy in Europe is up to the best standards. However, it is also true that the Article 29 Data Protection Working Part (the "WP") has understood that the delivery of the Document was demanded by the public now. At the same time, some member states have recently modified their internal privacy regulations to deal specifically with privacy issues affecting people under age. There is a general perception that, without destroying the pillars of European privacy law, children's privacy merits at least a public discussion in order to detect possible threats and to put in place corrective measures. Launching this discussion is indeed the declared aim of the Document. For this and other reasons, it deserves a positive welcome from us.
The Document is, certainly, not intended to mark a departure from any of the European privacy principles. Exactly the opposite. A significant part of it is devoted to clarify how children's privacy fits perfectly into the framework of the United Nations declarations and conventions on Human Rights and Children Rights and of the Directives 45/96/EC and 2002/58/EC. The Document avoids becoming too specific, and instead of that, it deals, under different forms and contexts with two key questions: (1) the balance between the child's overall interests and her/his privacy and (2) the conflict between the rights of the parents/guardians/representatives and those of the child her/himself. It also stresses the importance of applying stricter security measures when handling children's personal information, a concern that recalls in part the COPPA's underlying rationale.
The first question is, in our opinion, wisely examined. Children cannot exercise their rights to the same extent that an adult can. They require additional support in many areas of their lives and, in a number of cases, limited breaches of privacy may be unavoidable in order to grant such special protection in an effective way. Nevertheless, this does not mean that data controllers may behave just like they wish when dealing with information belonging to children. The information should be used only for legitimate purposes and under the rule of proportionality, so that, even if the purposes are legitimate, no excessive use can take place. Biometric screenings and in-school purchases by pupils are some cases in which the WP expresses, rightly, concern.
The second question is even more difficult to evaluate. People under age form a non-homogeneous group. A newly born baby and a teenager just under the legal age may not be treated in the same way. In the first case, the legal representatives of the child should be entitled to receive almost all, if not all (scenarios of conflict of interest are not entirely out of sight), the personal information concerning the newborn. In the latter, the data subject should be likely allowed to express her/his opinion on the collection, processing and transfer of her/his personal information.
Trying to provide a reference that may be valid for all the member states, the Document recommends that the child shall be consulted on privacy matters when reaching a given age and/or showing an adequate degree of understanding and reasoning. A practical difficulty may be that, in some territories of the European Union, children over a given age and showing this personal maturity are already allowed to consent data collection, processing and transfer on their own, a step ahead from mere consultation. In that context, as well as in the cases in which serious health or personal decisions are involved, the Document brings forward the difficult position in which the data controller may find itself. A more intense role by data protection authorities appears to be the most sensible approach when such potential conflicts of interests arise. A recommendation in the sense that consent language shall be adapted to the mentality and linguistic skills of the data subjects under age (a good measure already implemented by some member states) is also included. Eventually, by requiring that data are kept to date to reflect the evolution of the child, and ultimately destroyed when the child ceases to be such, the WP highlights the importance of this principle for this group of data subjects in particular.
The Document acknowledges explicitly that it could not (and it had no intention to) cover every possible topic regarding children's privacy. Special attention is paid to the risks for children's privacy at the school, which is good but still not limited. Outsourcing of transportation, catering and recreational activities cause many personal information flows around the school and not within it. Both children and services' suppliers would deserve some guidance on how to address the issues that usually arise in the course of these types of activities.
Furthermore, it is clear to everyone that 50 years ago children shared their time between the school and places where their parents or guardians could monitor them comfortably. Nowadays, the Internet has made possible that children, no matter what age and no matter how closely supervised, behave themselves very much like adults in a wide range of online activities, without anyone noticing. The biggest risk may come from that direction. Both an open public discussion and some additional regulation may be required.
In general terms, the Document is extremely consistent and realistic in its views. A proposal that will, however, be open to debate, is the suggestion that schools should become more active in privacy enforcement tasks. If the message for schools is that, by avoiding the collection of sensitive information, reducing the volume of information they collect about their pupils and processing the data only for legitimate and proportional purposes, they would be doing the right thing, promoting a leading role of the schools in the enforcement process may create some disruption. Having said this, it is obvious that the school remains the place where everything, including respect for privacy and privacy rights, shall be taught
Diego Ramos is a partner at DLA Piper Madrid, where he heads the firm's Technology, Media and Commercial group. He specializes in advice and counsel in all aspects of Spanish and European privacy and data protection law. Diego has practiced technology, privacy and data protection law for more than 16 years and provides advice to a large number of clients (both in Spain and worldwide) on issues such as: database registration, international data transfers, negotiations with Data Protection Commissioners, legal defense against investigations and sanctions from the Spanish Data Protection Commissioner, data protection implications of international outsourcing, best practices in handling workforce personal information, and legal implications of data protection security rules.