GDPR Learning Hub

Breach of GDPR rules when processing children’s personal data

One company was found to be in breach of the GDPR when processing children's personal data and was fined several hundred million euros as a result. It is a large international company that operates a mobile application with many children among its users worldwide. The Irish Data Protection Authority investigated the company's processing of personal data concerning children between the ages of 13 and 17. It was the Irish authority that led the investigation because the company's EU headquarters are in Ireland, which under the GDPR's one-stop-shop mechanism makes the Irish authority the lead supervisory authority.

Children are worthy of extra protection

Companies that process children's personal data need to be aware that the rules are stricter, because children are considered particularly worthy of protection. This follows from the GDPR and from many other laws. The same company had already been fined earlier in the Netherlands, among other things for informing the data subjects about the processing in English rather than in Dutch. That was not in line with the GDPR's transparency requirements, since the data subjects were children and English is not the national language of the Netherlands.

The company violated rules of the GDPR when processing children’s personal data

·   Public accounts: By default, children's user accounts were set to public, so that anyone could see the profile. According to the data protection authority, such default settings do not comply with the requirements of data protection by design and by default in Article 25 of the GDPR.

·   Unclear information: The company did not inform the data subjects about the processing in a sufficiently clear manner, given that the data subjects were children.

·   Family settings: The platform's so-called family settings entailed certain risks for children.
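Article 25 requires that the most protective setting applies unless the user actively chooses otherwise. The following is an added example, not code from the company or authority discussed on the page, of how a service could provision account settings for minors so that a registration pop-up cannot weaken the default, and how it could audit existing accounts for settings that were never explicitly opted into. The field names, the 18-year threshold, the policy values and the sample accounts are all assumptions made for illustration.

```python
"""Privacy-by-default account provisioning and audit (illustrative example).

Not the code of any real service. The settings fields, the ADULT_AGE
threshold and the default values below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date

ADULT_AGE = 18  # assumption: age from which adult defaults apply

# Ordering of visibility values from most to least protective.
VISIBILITY_ORDER = {"private": 0, "friends": 1, "public": 2}
FIELDS = ("profile_visibility", "allow_direct_messages", "allow_search_by_phone")


@dataclass(frozen=True)
class AccountSettings:
    profile_visibility: str
    allow_direct_messages: bool
    allow_search_by_phone: bool


DEFAULTS_MINOR = AccountSettings("private", False, False)   # most protective
DEFAULTS_ADULT = AccountSettings("friends", True, False)    # assumption


def _as_date(d):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(d) if isinstance(d, str) else d


def age_on(birth_date, today):
    """Whole years between birth_date and today, correcting for the birthday."""
    birth_date, today = _as_date(birth_date), _as_date(today)
    years = today.year - birth_date.year
    if (today.month, today.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


def default_settings(birth_date, today=None):
    """Age-dependent defaults: minors always start from the most protective set."""
    today = today or date.today()
    return DEFAULTS_MINOR if age_on(birth_date, today) < ADULT_AGE else DEFAULTS_ADULT


def less_protective(name, value, baseline):
    """True if `value` is weaker than `baseline` for the given field."""
    if name == "profile_visibility":
        return VISIBILITY_ORDER[value] > VISIBILITY_ORDER[baseline]
    return bool(value) and not bool(baseline)


def apply_registration_choices(birth_date, submitted, explicit_opt_ins, today=None):
    """Return the settings to store for a new account.

    `submitted` is what the registration form posted. A weaker-than-default
    value is kept only if its field name is in `explicit_opt_ins`, the set of
    fields the user actively changed. Values pre-selected by the form are not
    opt-ins, so a pop-up that pre-ticks "public" cannot override the default.
    """
    defaults = default_settings(birth_date, today)
    chosen = {}
    for name in FIELDS:
        baseline = getattr(defaults, name)
        value = submitted.get(name, baseline)
        if name not in explicit_opt_ins and less_protective(name, value, baseline):
            value = baseline  # silently weakened setting falls back to default
        chosen[name] = value
    return AccountSettings(**chosen)


def audit_minor_accounts(accounts, today):
    """Flag (account id, field) pairs where a minor's stored setting is weaker
    than DEFAULTS_MINOR and no explicit opt-in was recorded for that field."""
    findings = []
    for acct in accounts:
        if age_on(acct["birth_date"], today) >= ADULT_AGE:
            continue
        for name in FIELDS:
            stored = getattr(acct["settings"], name)
            if less_protective(name, stored, getattr(DEFAULTS_MINOR, name)) \
                    and name not in acct["opt_ins"]:
                findings.append((acct["id"], name))
    return findings


# Constructed sample data for the audit; not real accounts.
SAMPLE_ACCOUNTS = [
    {"id": "u1", "birth_date": "2009-03-15", "settings": DEFAULTS_MINOR, "opt_ins": set()},
    {"id": "u2", "birth_date": "2010-11-30",
     "settings": AccountSettings("public", False, False), "opt_ins": set()},
    {"id": "u3", "birth_date": "2008-01-10",
     "settings": AccountSettings("friends", True, False),
     "opt_ins": {"profile_visibility", "allow_direct_messages"}},
    {"id": "u4", "birth_date": "2000-05-05",
     "settings": AccountSettings("public", True, True), "opt_ins": set()},
]

if __name__ == "__main__":
    print(apply_registration_choices("2009-06-02", {"profile_visibility": "public"}, set(), "2024-06-01"))
    print(audit_minor_accounts(SAMPLE_ACCOUNTS, "2024-06-01"))
```

The key design choice is that the form's submitted values are never trusted on their own: only fields the user actively changed can move away from the protective default, which is the behaviour Article 25 asks for. The audit function gives the check a practitioner would run over an existing user base after a finding like the one above.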

Decisions of the European Data Protection Board vis-à-vis the company 

The European Data Protection Board (EDPB) is an independent body that, among other things, provides general guidance such as guidelines and recommendations. It can also adopt binding decisions, for example when national supervisory authorities disagree on a case. The EDPB issued such a binding decision against the company regarding the design solutions the company used. The Irish Data Protection Authority issued its own decision after that binding decision.

The EDPB found that the pop-up windows shown when a child was about to register an account were designed in a way that nudged children toward particular privacy settings. Following the EDPB's decision, the Irish Data Protection Authority ordered the company to discontinue the design solutions that do not comply with the GDPR.

The Court of Justice of the European Union ruled on the liability of a controller in the event of a personal data breach

A data subject whose personal data has been exposed in a breach, and who therefore fears that the data may be misused in the future, may be entitled to compensation for non-material damage. The Court of Justice of the European Union ruled on this question following a request for a preliminary ruling from the Bulgarian Supreme Administrative Court. The case concerned a cyberattack on the Bulgarian tax administration in which the personal data of millions of people was leaked. Those affected sued the tax authority, arguing that the leaked personal data could be misused in the future.

The Court held that victims can in principle claim damages in such a situation. However, the national court must still assess several points, for example whether the company, authority or organisation in question had taken appropriate protective measures. The mere fact that a personal data breach occurred does not by itself establish that the controller failed to protect the personal data adequately.
