BCL partner Julian Hayes’s article examining the new Children’s Code that came into effect this month as part of the Government’s wider campaign to protect children from online harms has now been published by Police Professional.
Here’s an extract from the article:
“Neither blessed with a catchy title nor immediately in force, the Age Appropriate Design Code grabbed few headlines when it was issued by the Information Commissioner’s Office (ICO) in 2020. Now re-badged as the Children’s Code and in force from September 2, 2021, it is being feted as an early blow in the UK Government’s wider campaign against online harms, and in particular the risks to the privacy of minors.
Broadly drawn, both in terms of the online service providers affected and geographic reach, the Code provides guidance on safeguards for the online treatment of children’s personal data, with compliance underpinned by the potentially severe enforcement powers of the UK General Data Protection Regulation (GDPR). Sensing the way the wind was blowing, the tech titans had already modified their services, spurring calls for similar measures in other countries. Misgivings over the ambit and practical impact of the Code remain, however, particularly in relation to the thorny issue of age-verification.
Long reach of the Code
Built around 15 high-level standards, the Code specifies the requirements which providers of ‘information society services’ (ISS) must meet if their products are likely – that is, are more likely than not – to be accessed by under 18-year-olds in the UK.
The requisite standards, for the most part relatively uncontroversial, include prioritising the best interests of the child when designing and developing online services, establishing the age of individual users with a level of certainty appropriate to the risk, and upholding published terms, policies and community standards.
ISS providers include the majority of online services used by children, from social media platforms, search engines and online marketplaces, through to content streaming services, messaging apps and online games.
No mere parochial affair, the Code’s geographical sweep takes in not only UK entities but also those elsewhere which offer their services to UK users or monitor their behaviour.
Legal effect and sanctions
Although a product of the Data Protection Act 2018 (DPA), and notwithstanding that courts must have regard to its provisions, the Code does not itself have force of law. Instead, it spells out the measures which ISS providers must meet if they are to fulfill their obligations under key aspects of both the UK GDPR and the less well-known Privacy and Electronic Communications Regulations (PECR), which govern online marketing and brought us cookie banners.
The ICO has issued dire warnings that failure to conform to the Code may invite regulatory audit and will make it more difficult for companies to demonstrate compliance with the UK GDPR and PECR, with the ultimate sanction of heavy – and headline-grabbing – financial penalties for non-compliance. Given the passion which the online safety of children arouses, those suspected of transgressing can expect little indulgence from aggrieved complainants highly motivated to bring their suspicions to the data watchdog’s attention.
In the months before the Code’s implementation, tech commentators discerned a slew of modifications by social media companies aimed at improving the privacy, as well as physical and emotional wellbeing, of young people on their platforms.
Instagram disabled targeted advertisements for under-18s and restricted the ability of adults to message children, YouTube videos uploaded by under-18s automatically defaulted to private and ‘bedtime’ reminders were introduced by the streaming platform, while TikTok decided to end push notifications for children after a 10pm ‘watershed’ and also placed curbs on direct messaging for under 18s.”
This article was published by Police Professional on 30.09.21. You can read the full version on their website here.