



UK Data Protection Watchdog wrote to Apple and Google for details on how to rate the app to determine the age rating that applies following concerns raised by online child safety charities. I did.

This move follows the enforcement of the Age Appropriate Design Code in the United Kingdom in September this year. This imposes a requirement to prioritize the protection of privacy and security for digital services that children may access.

In today’s statement, information commissioner Elizabeth Denham said that her office is now conducting an “evidence-gathering process to identify compliance with code and thus with underlying data protection laws.” Said that.

The Information Commissioner responded to a letter from the 5Rights Foundation. This is a digital child safety charity that conducted a survey to investigate norm compliance during the summer. He states that he has found 12 “systemic” violations, including inadequate age guarantees. Misinformation about the minimum age of a game in the app store. Use of dark patterns and nudge. Data-driven recommendations that pose a risk to children. Routine failure to implement community standards. The default privacy setting is low. There are many others.

“In this process, ICOs take a systematic approach. Intervene with operators of online services that are likely to harm children with information that may indicate inadequate compliance with privacy requirements. “I’m focused,” Denham wrote in response to the 5Rights Foundation. As part of this work, ICO contacted Apple and Google. “To inquire about the extent to which the risks associated with processing personal data are factors in determining an app’s age rating.”

The tech giant was contacted for comments on the development.

Both operate an app store and apply age limits to downloadable apps. This means that the platform is included in the scope of the code.

However, ICO has not picked out Apple and Google. Today, the ICO states that it is addressed to a total of 40 organizations in the three technology sectors (social media / messaging) that we consider to be the most risky for children. Games; and video / music streaming — “determine suitability criteria individually”.

Following the charity, he wrote to nine more companies, highlighting many concerns and adding that the total number of digital services under review by regulators will be close to 50.

The ICO does not publish a complete list of technology companies that are subject to code compliance questions.

Also, the 5Rights Foundation does not appear to publish a list of companies expressing concern (although its name has been passed on to regulators).

The response to the ICO also directly refers to testimony to Facebook whistleblower Franceshausen’s recent legislators. This includes warnings about the toxicity of platforms like Instagram to the developing brain of teens. list.

Charity Chair Baroness Kidron helped drive a set of code heading criteria first established by the ICO as part of the UK’s existing data protection legislation.

The norm came into effect only in early September, but the standard was published early last year. The ICO has chosen to give it a long grace period to comply with the business.

So, in a sense, it’s hard to argue that an established company didn’t have enough time to make the necessary changes.

Moreover, while ICOs do not accurately have a reputation as active enforcers of digital rights, child safety groups like the 5Rights Foundation appear happy to suspend enforcement for extended periods of time. not.

“Rather than requiring an overall redesign of service systems and processes so that data collection practices are in the best interests of children, the code is interpreted as introducing a small number of safeguards. There is a danger. ”5Rights Foundation warns in the letter. “If the code has real value in protecting the safety and rights of children in a digital environment, the ICO needs to make sure that it is really respected.”

Kidron also said that the “systematic” nature of the problem, as revealed by a 5Rights Foundation study, is likely to be followed by “many”, although the problem was identified before the code that goes into effect this fall. Suggests. Violation “and the guidance will be published.

In her response, Denham suggested a timeline for next spring for the ICO to take some action, writing: Our regulatory options are based on that careful understanding and we look forward to taking the next step in the spring of 2022. “

But it’s worth noting that she wrote the “next step” rather than the actual execution.

This is far more of an ICO dance trying to “encourage” improvements from the tech industry and muscle enforcement on platform giants, as seen in the case of systematic violations of data protection legislation by the ad: tech industry. It suggests that it has a long potential (the ICO has been “investigating” for years without enforcement.

See, for example, the discussion in the second half of Denham’s letter to Kidron on the “Stakeholder Roundtable.” She states she plans to collect evidence regarding the use of age-guaranteed technology. Specifically, “Used to signal the scope of further regulation. Actions related to age guarantees.”

Regarding age guarantees (also known as technologies and techniques used to determine a user’s age and whether they are underage / underage), a 5Rights Foundation study found “many” services with age restrictions. I did. Easy access for children under the age of use, including adult-only services. “

He also reports that he has found services that say he does not collect personal data from children, but states that “many” of these are under-aged or use age-guaranteed that can be easily bypassed. (They can just lie, such as asking the child to enter their birthday).

“If these services don’t identify child users, it’s unclear how they endorse their own privacy policy or can implement the code,” the charity warned in a letter. I will continue to do it.

However, the question of how the platform can comply with cCode elements such as “age guarantee” requirements is not exactly simple.

Last month, the ICO sought proof of age guarantee. In a comment on this topic that was published at the same time, regulators provided interim guidance to digital service providers. He recommended a risk-based approach and suggested that platforms and apps that pose a “high” risk to children should apply all relevant code standards. To all users to ensure that the risk is “mitigated”. Alternatively, introduce an age guarantee measure that “gives the user’s age the highest possible level of certainty” (which may mean age verification rather than age estimation).

For low-risk or medium-risk services, the ICO suggested applying all relevant code standards to all users to ensure that the risk was “low”. Or “introduce an age guarantee that gives the child user a level of certainty of age that is proportional to the potential risk to the child.”

Therefore, there is a unique subjectivity in how the platform assesses risk and chooses mitigations to apply.

Opinions also highlight the challenges of digital services that balance the requirements for protecting privacy with the application of (potentially) intrusive age-guaranteed technologies, the ICO writes: It should be done to ensure these respects and to comply with data protection laws. “

Regulators have also promised to revisit their views in line with the code review planned for 2022 — “for the rapidly evolving state of the age-guaranteed market, broader legislation and evolving policy outlook. NS”.

Expect muscle coercion to rain in areas where privacy and safety intersect and even conflict, where there is no simple solution that fits all the right solutions everywhere for services and users of all kinds. Well, that’s right. It’s unlikely.

Denham’s long letter is not only packed with warnings and qualifications that begin with managing expectations, but also coded with the aim of promoting “proportional protection that strengthens social engagement with the digital world.” I am assembling. All of this suggests that her office is more practical and prefers tweaks-the tweaks adhere to the norms more than some child safety charities (and age-guaranteed technology providers) prefer. Approach for.

The UK Government is also in the process of discussing a “reform” of the domestic data protection system. This can hinder ICO independence in favor of prioritizing data-based “innovation”. As a result, ICOs could be in dire straits and destroy domestic privacy rights in the not too distant future.

Time will tell you how this works. However, British child safety activists can be as frustrated as British privacy advocates. British privacy advocates say the country has updated its data protection regime (at least on paper) to set teeth …

“As a regulatory agency, we hope you understand that ICOs always face tough choices about how to deploy limited resources,” Denham warns Kidron. “Therefore, our initial focus is on the greatest potential harm cases of non-compliance across multiple criteria.”

She also warns that the ICO will stay in that lane, for example by not applying the code criteria retroactively.

Denham’s letter also notes that regulators are unable to address certain concerns raised by charities. Future online safety legislation as an appropriate law for that. Regulations focused on content directed by Ofcom rather than ICO.

“ICO will continue to work with DCMS [the Department for Digital, Culture, Media and Sport]Ofcom, as the intended online security regulator, and other agencies to secure a place to act under current regulations are trying to prevent minor access. However, the solution to this problem is not honestly located in the code or in data protection, so ICO cannot be assured that it will be fully addressed, “she adds.

