Key Takeaways:
- On 28 March 2024, Singapore’s Personal Data Protection Commission (“PDPC”) published a set of Advisory Guidelines on the PDPA for Children’s Personal Data in the Digital Environment (“Advisory Guidelines”).
- The Advisory Guidelines seek to clarify how the provisions of the Personal Data Protection Act 2012 (“PDPA”) apply to the processing of children’s personal data online.
- In particular, the Advisory Guidelines provide non-binding guidance on communicating with children in relation to the processing of their personal data, obtaining valid consent for the processing of children’s data, the reasonableness of processing children’s data, the standard of protection required for children’s data, and compliance with data breach notification obligations where the data subjects are children.
- For the purpose of the Advisory Guidelines, a “child” is defined as an individual who is 18 years of age or younger.
Background:
On 28 March 2024, the PDPC issued a set of Advisory Guidelines which clarify how the provisions of the PDPA apply to the processing of children’s personal data in the online environment.
The Advisory Guidelines supplement, and should be read with, the PDPC’s previous guidance on data activities relating to minors in its Advisory Guidelines on the PDPA for Selected Topics.
In keeping with other advisory guidelines issued by the PDPC, the Advisory Guidelines are not legally binding, but the PDPC is likely to interpret the PDPA in a way which is consistent with them. The Advisory Guidelines are not intended to be exhaustive in relation to the application of the PDPA data protection obligations to the processing of children’s data. Further, other laws in Singapore may apply to the activities of minors and children, and such laws will prevail to the extent of any inconsistency.
Who is impacted?
The Advisory Guidelines apply to any organisation whose products or services are “likely to be accessed by children”. Similar to the UK ICO’s Age-Appropriate Design Code, this covers both products and services that are designed for and aimed specifically at children, and products and services that children access in practice. Examples of such products include social media services, technology-aided learning services, online games, and smart toys and devices.
The Advisory Guidelines generally apply to organisations (i.e. data controllers). However, the sections relating to the standard of protection for children’s personal data and data breach notification are also intended to apply to data intermediaries (i.e. data processors).
What do the Advisory Guidelines say?
Key points covered by the Advisory Guidelines include:
- Communication with children. When communicating with children, organisations should consider using age-appropriate language that is plain and simple enough for children to understand the consequences of providing and withdrawing consent to the processing of their data. Data protection-related notices, policies, as well as terms and conditions should be in a language that children can readily understand. Organisations may also consider using infographics and video clips for such communication.
- Obtaining valid consent. Valid consent may be obtained from children aged between 13 and 17, provided that policies on the collection, use and disclosure of their personal data, as well as any withdrawal of consent, are readily understandable by them. The onus remains on organisations to ensure that they have obtained valid consent – an organisation should obtain consent from a child’s parent or guardian if it has reason to believe that a child lacks sufficient understanding of the nature and consequences of giving consent. Organisations may also wish to consider implementing a higher age of consent based on their specific business context (e.g. parental consent may be appropriate for individuals who are aged 13 in education settings). Consent obtained from an individual (or a parent/guardian) remains valid when the individual reaches the age of 18.
- Reasonable Purposes for Processing. Under the PDPA, personal data must be processed only for purposes that a reasonable person would consider to be appropriate in the circumstances. Given the potential risks and harms to children from the processing of their data in the digital environment, some (non-exhaustive) examples of reasonable purposes for processing include:
(a) age assurance purposes for ascertaining an individual’s age to ensure that children only access age-appropriate content;
(b) protecting children from harmful and inappropriate content; and
(c) directing children to relevant safety information, e.g. where children use high-risk search terms relating to self-harm or suicide.
Organisations should also adopt data minimisation policies to limit the collection and sharing of children’s personal data. For example, account information for children must not, by default, be made public and searchable. The ability to find or monitor a child’s precise geolocation may also pose a risk of misuse, and therefore, appropriate safeguards should also be implemented, such as disabling the geolocation function by default, or only collecting users’ approximate location.
- Protection of Children’s Personal Data. Children’s personal data should generally be considered to be sensitive personal data and should hence be accorded a higher standard of protection. Where appropriate, organisations should implement the Basic and Enhanced Practices listed in the PDPC’s Guide to Data Protection Practices for ICT Systems where they process children’s personal data.
- Data Breach Notification. Where a data breach occurs which is likely to result in significant harm, the organisation must inform the affected data subjects, even where these are children. However, organisations are encouraged to also inform the child’s parent or guardian so that they can take steps to mitigate any harm arising from the breach. While the PDPC states that this section of the Advisory Guidelines is intended to also apply to data intermediaries, no specific guidance is provided for data intermediaries, and we note that the obligation of data intermediaries under the PDPA is to notify the organisation on whose behalf the personal data is processed that a data breach has occurred.
- Data Protection Impact Assessments (“DPIAs”). Organisations are advised to conduct DPIAs to help them develop and implement appropriate policies and practices. Organisations are also encouraged to conduct DPIAs before releasing products or services that are likely to be accessed by children. The Advisory Guidelines provide sample DPIA questions that organisations may wish to consider.
This article is produced by our Singapore office, Bird & Bird ATMD LLP. It does not constitute legal advice and is intended to provide general information only. Information in this article is accurate as of 1 April 2024. The authors would like to thank Chloe Wong for her contributions to this article.
For further information, please contact:
Jeremy Tan, Partner, Bird & Bird
jeremy.tan@twobirds.com