ICO对儿童数据的处理制定了标准

论坛 期权论坛 期权     
Fieldfisher斐石   2020-3-28 02:27   1140   0




ICO lays out standards for handling children’s data
ICO对儿童数据的处理制定了标准


On 21 January 2020, the UK’s data protection watchdog, the Information Commissioner's Office, published a set of design standards for Internet services, which are intended to help protect the privacy and safety of children online. The code sets out the standards expected of those responsible for designing, developing or providing online services such as applications, connected toys and devices, programs, social media platforms, messaging services, games, websites and streaming services. It covers services likely to be accessed by children and which process their data. It is however not restricted to services specifically directed at children.


2020年1月21日,英国数据保护监管机构(信息专员办公室)发布了旨在帮助保护儿童的线上隐私和网络安全的互联网服务的设计标准。该准则规定了对负责设计、开发或提供网络服务(例如应用程序、联网的玩具和设备、程序、社交媒体平台、消息传递服务、游戏、网站和流媒体服务)人员的预期标准。该准则涵盖了儿童可能使用并处理儿童数据的服务,但不限于专门针对儿童的服务。


This new code was introduced pursuant to the UK Data Protection Act 2018, and is intended to provide a set of 15 standards that online services should follow to protect children’s privacy. The code will apply to organizations that offer “relevant” information society services that are “likely” to be used by children. The code is not intended to a binding statement of the law, but lays out how to interpret the GDPR's requirements in relation to children. The ICO further stated that since data relating to children is afforded special protection in the GDPR and is a regulatory priority for the ICO, conforming to the standards set out in the code will be deemed a key measure of compliance with data protection laws. Accordingly, even though many of the standards laid out in the code are based on the principles laid out in the GDPR, some go further than the GDPR.


该行为准则是根据2018年《英国数据保护法》制定的,旨在提出为保护儿童隐私,网络服务应遵循的15条标准。该准则将适用于提供“相关”信息社会服务且该服务“很可能”被儿童使用的组织。该准则并非是为了制定一份具有法律约束力的声明,而是指出如何解释GDPR中有关儿童的规定。ICO进一步认为,由于与儿童有关的数据在GDPR中得到了特殊保护,并且属于ICO的优先监管事项,因此,遵守准则中规定的标准是遵守数据保护法律的关键。鉴于此,即使准则中规定的许多标准都是基于GDPR下的原则,但有些标准比GDPR规定的更深远。


The code sets out 15 standards of age appropriate design reflecting a risk-based approach. The focus is on providing default settings that ensures that children have the best possible access to online services whilst minimizing data collection and use, by default.


该准则列出了15条基于与风险相适应的年龄设计的标准。准则的重点在于提供默认设置以确保在默认情况下,最大程度上减少儿童数据收集和使用的同时,儿童可以最大程度地使用网络服务。


The 15 standards laid out by the code are as follows:
该准则列出的15个标准如下:


1.    Best interests of the child儿童利益最大化

According to the code, the best interests of the child should be a primary consideration when designing and developing online services likely to be accessed by a child. The code states that this does not exclude the possibility for an organization to pursue its own commercial or other interests. Instead, it simply means that organizations should account for the best interests of the child as a primary consideration where any conflict arises. This standard could be read to go beyond the requirements of the GDPR, since it appears to include a positive obligation to consider how an organization's use of personal data you can keep children safe from exploitation risks and protect their health and well-being.


根据该准则,在设计和开发可能有儿童使用的网络服务时,应首先考虑儿童的最大利益。准则指出,这并不排除组织追求自己的商业利益或其他利益的可能性,这仅意味着组织应考虑到儿童的最大利益,并将其作为发生任何冲突时的首要考虑。该标准可以理解为高于GDPR的要求,因为它似乎包含了一项积极的义务,即考虑组织如何使用个人数据可以使儿童免于广告推销风险,并保护其健康和幸福。


2.    Data protection impact assessments (DPIA)数据保护影响评估(DPIA

According to the code, firms should undertake a DPIA to “assess and mitigate risks to the rights and freedoms of children” who are likely to access the service, which may arise from the data processing. The DPIA should take into account differing ages, capacities and development needs. As a reminder, DPIAs are a key part of the accountability obligations under the GDPR, facilitate a ‘data protection by design’ approach and are an effective way to assess and document compliance with data protection obligations.


根据该准则,公司应进行DPIA以“评估和减轻儿童(可能使用服务的儿童)权利和自由的风险(可能由于数据处理而产生的风险)”。DPIA应考虑不同的年龄、能力和发展需求。需要注意的是,DPIA是GDPR规定的问责制义务的重要组成部分,其促进了“设计的数据保护”方式,并且是评估和记录对数据保护义务的遵守情况的有效方法。


3.    Age-appropriate application适龄应用

A “risk-based approach to recognizing the age of individual users” should be taken. This should either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from the data processing, or apply the standards in the code to all users instead. Factors to be considered include the types of data collected, the volume of data, the intrusiveness of any profiling, whether decision making or other actions follow from profiling, and whether the data is being shared with third parties. The code further refers to the GDPR and the UK Data Protection Act 2018, which specify that if you rely on consent for any aspects of your online service, you need to get parental authorization for children under 13.


该标准要求应该采用“基于风险路径识别个人用户的年龄”。这或者应该确定年龄标准,以适用于因数据处理而对儿童的权利和自由带来的风险,或应将准则的标准应用于所有用户。需要考虑的因素包括收集的数据类型、数据量、数据画像对隐私的侵犯程度、是否基于画像而做出决策或采取其他行动、以及是否与第三方共享数据。该准则还参考了GDPR和2018年《英国数据保护法》的规定,即如果您的网络服务的各个方面的开展有赖于同意,则需要取得13岁以下儿童的父母授权。


4.    Transparency透明性

Privacy information provided to users, as well as other published terms, policies and community standards, “must be concise, prominent and in clear language suited to the age of the child”. Additional specific ‘bite-sized’ explanations about how personal data is used should be provided at the point that use is activated. As a reminder, transparency is already a key requirement under the GDPR, in particular under Article 5(1) of the GDPR which requires the processing of personal data to be done “lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)”.


提供给用户的隐私信息以及其他已发布的条款、政策和公开的标准“必须简洁、醒目并且使用适合儿童的清晰的语言”。当使用个人数据时,还应提供有关如何使用个人数据的其他具体的“细致的(bite-sized)”解释。需要注意的是,透明性已经是GDPR的一项关键要求,特别是GDPR第5(1)条要求必须“以合法、公正和透明的方式处理数据主体相关的个人数据(“合法、公平和透明原则”)”。


5.    Detrimental use of data数据滥用

Children’s personal data must not be used in ways that have been “shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice”. Accordingly, organizations must ensure that they comply with relevant standards and codes of practice within an industry or sector, and in particular any provisions within them that relate to children.


不得以“已证明不利于儿童的健康、幸福或违反行业行为准则、其他法规规定或政府的建议”的方式使用儿童的个人数据。因此,组织必须确保遵守行业或领域内的相关标准和行为准则,尤其是涉及儿童的规定。


6.    Policies and community standards政策和标准

The code provides that organizations must uphold their own published terms, policies and community standards (including privacy policies, age restriction, behavior rules and content policies). This is another way of saying that you must say what you do in your policies and you must do what you say.


该准则规定组织必须遵守自己发布的条款、政策和标准(包括隐私政策、年龄限制、行为准则和政策)。换言之,您必须通知政策的要求,并且必须遵循自己所公布的政策。


7.    Default settings默认设置

Settings must be set to ‘high privacy’ by default (unless a compelling reason for a different default setting can be shown, taking into account the best interests of the child).


在默认情况下必须设置为“高度隐私”(除非出于儿童的最大利益考虑,有采用其他默认设置的充分理由)。


8.    Data minimization数据最小化

Collect and retain “only the minimum amount of personal data” needed to provide the elements of the service in which a child is actively and knowingly engaged. Children should be given separate choices over which elements they wish to activate.


为提供儿童积极、明确使用的服务所需而收集并保留“最少的个人数据”。应该给儿童提供其所需服务的具体内容的单独选择机会。


9.    Data sharing数据共享

Data relating to children should not be disclosed unless a compelling reason to do so can be shown, taking account of the best interests of the child.


除非有充分的理由说明并考虑到儿童的最大利益,否则不得透露与儿童有关的数据。


10.Geolocation地理位置数据

Geolocation tracking features should be switched off by default (again, unless a compelling reason to switch it on can be shown). In such case, an obvious sign for children should be shown when location tracking is active. Options which make a child’s location visible to others must default back to ‘off’ at the end of each session.


默认情况下,应该关闭地理位置跟踪功能(但有充分的理由将其打开时除外)。在这种情况下,启用位置跟踪后应为儿童显示明显的标志。在每次跟踪结束时,使其他人都能看到儿童位置的选项必须默认恢复为“关闭”。


11.Parental controls家长控制

Children should be provided age-appropriate information about parental controls available. If an online service allows a parent or a guardian to monitor their child’s online activity or track their location, then the service should provide an “obvious sign to the child when they are being monitored”.


应向儿童提供与其年龄相适应的父母控制信息。如果在线服务允许父母或监护人监视儿童的在线活动或跟踪他们的位置,则该服务应“在监视儿童时给儿童提供明显提示”。


12.Profiling数据画像

Options that use profiling should be turned off by default. The ‘off by default’ setting does not mean that profiling is not possible or banned. Whenever possible, children should be offered control over whether and how their personal data is used. So most profiling should be subject to a privacy setting. In addition, profiling should only be allowed if there are “appropriate measures” in place to protect the child from any harmful effects, such as content that is detrimental to their health or wellbeing.


默认情况下,应禁止使用数据画像。“默认情况下关闭”设置并不意味着无法进行分析或禁止进行分析。只要有可能,应向儿童提供对其个人数据是否以及如何被使用的控制。因此,大多数配置文件应受隐私设置的约束。此外,只有在采取了“适当措施”以保护儿童免受任何不利影响(例如对儿童的健康或幸福有害的内容)的情况下,才应允许进行数据画像。


13.Nudge techniques微调技术

Nudge techniques to “lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections” should not be used.


不应使用“引导或鼓励儿童提供不必要的个人数据,或削弱、关闭其隐私保护的”微调技术。


14.Connected toys and devices联网的玩具和设备

Organizations providing connected toys or devices (e.g. a fitness band that records the child’s level of physical activity and then transmits this back to servers, or a ‘home hub’ interactive speaker device) should include effective tools to enable conformance to the code. This includes being clear about who is processing the personal data and what their responsibilities are, anticipating and providing for use by multiple users of different ages, providing clear information about your use of personal data at point of purchase and on set-up, finding ways to communicate ‘just in time’ information and avoiding passive collection of personal data.


组织提供联网玩具或设备(例如,记录儿童身体活动水平然后将其传输回服务器的手环,或“家庭中心”交互式扬声器设备)应包含有效的工具以确保符合准则要求。这包括清楚地知道谁在处理个人数据以及他们的职责、预期并提供给不同年龄的多个用户使用、提供有关您在购买时和设置时使用个人数据的清晰信息、寻找方法沟通“及时(just in time)”信息并避免被动收集个人数据。


15.Online tools在线工具

Prominent and accessible tools should be provided to help children exercise their data protection rights and report concerns.


组织应提供明显的且可访问的工具,以帮助儿童行使其数据保护权利和报告其关注的问题。


The code, which should be approved by Parliament later this year, is expected to come into force in autumn 2021. Organizations that provide online services will need to assess whether the code applies to them and the steps that they may need to take to comply.


该准则将于今年年末由议会批准,预计将于2021年秋季生效。提供网络服务的组织将需要评估该准则是否适用于他们,以及他们需要采取哪些步骤来遵守该准则。
■ ■■■■



Paul Lanois
Director

Fieldfisher, United States
Paul.Lanois@fieldfisher.com




斐石律师事务所北京斐石律师事务所(“斐石中国”)成立于2008年,目前包括北京、上海和广州三个办公室。作为斐石国际律师事务所的重要组成部分,斐石中国可以为中国企业走出去提供真正的全球一体化一站式法律服务。无论您是大型跨国公司还是初创企业,斐石中国都拥有专业的法律团队、丰富的经验和耐心周到的服务,为您在纷繁复杂的商业环境中保驾护航。


斐石中国是斐石国际律师事务所全球网络的重要组成部分,斐石国际律师事务所成立于1835年,是一家总部位于英国伦敦的大型国际律师事务所。目前已经在英国、德国、法国、意大利、西班牙、比利时、荷兰、美国、爱尔兰及中国的主要城市共开设25个办公室,拥有近三百名合伙人和近两千名专业律师,并仍在迅速扩张中。凭借180年的法律服务经验和丰富的行业知识,斐石国际律师事务所为众多国际知名企业提供了大量优质服务。正因为如此,斐石国际律师事务所的近百位专业律师在钱伯斯(Chambers)和Legal 500中的几十个专业领域榜上有名并名列前茅。2017年斐石英国办公室被评为LegalWeek全英最佳律所、2015-2018荣获北京市优秀律师、2017-2018,2018-2019连续两个年度Fieldfisher斐石律师事务所荣膺《商法》“竞争法与反垄断” 业务领域(国际所)卓越律所大奖、在Corporate Intl 杂志主办的“2018年全球法律大奖(Corporate INTL Global Awards)”中,凭借在反垄断领域的行业影响力、服务创新力及领先性方面的突出表现,荣膺“中国年度最佳反垄断律师事务所(Competition Law Firm of the Year in China)”奖项、2018年4月19日在英国伦敦的Grosvenor House 举办的 the prestigious Legal Business Awards颁奖典礼上,荣获英国年度最佳律所大奖,以及在2019年全英的知识产权管理奖的颁奖典礼上斐石英国办公室被评为 “ Trade Mark Prosecution Firm of the Year - UK 2019 " 。
斐石律师事务所
长按扫码关注我们





斐石口号:专业化 品牌化 国际化




分享到 :
0 人收藏
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

积分:24
帖子:2
精华:0
期权论坛 期权论坛
发布
内容

下载期权论坛手机APP