On 28 March 2024, Singapore’s Personal Data Protection Commission (Commission) published a set of advisory guidelines on how the Personal Data Protection Act (PDPA) applies to children’s personal data in the digital environment (Guidelines)[1].
What is the Ambit of the Guidelines?
The Guidelines are intended to clarify how Singapore’s comprehensive data protection legislation, the PDPA, including the provisions and obligations it imposes on relevant organisations, applies to children’s personal data in the digital environment. More specifically, they apply to organisations whose online products or services are “likely to be accessed by children”.
These would span:
- Products and services designed for and aimed specifically at children
- Products and services that children access in practice, even if not designed for them
The following examples are cited as falling within the scope of the Guidelines:
- Social media services, as defined in section 45T of Singapore’s Broadcasting Act 1994[2]
- Technology aided learning (edtech)
- Online games
- Smart toys and devices
What is the Objective of the Guidelines?
In today’s highly connected digital economy and society, Singapore’s youth are at risk of having their personal data exposed or misused when they interact in an online space. The Guidelines are therefore aimed at ensuring that organisations delivering products and services online to children continue to be sufficiently accountable, by adopting a data protection by design approach.
Are the Guidelines Legally Binding?
No, the Guidelines are not intended to be binding on any organisation, the Commission or any other party; rather, they provide guidance on the interpretation and application of the PDPA in Singapore. They are meant to be read in conjunction with Chapter 8 of the Commission’s Advisory Guidelines on the PDPA for Selected Topics (Data Activities Relating to Minors)[3], which covers the application of the data protection obligations to activities involving minors generally, where “minor” means an individual who is less than 21 years of age. In contrast, the Guidelines themselves define a “child” as an individual who is below 18 years of age. Use of either “minor” or “child” should therefore be treated with caution, bearing in mind the different age thresholds each defined term connotes.
Organisations are reminded to continue to comply with all the relevant data protection obligations under the PDPA, even if not covered in either set of guidelines.
Additionally, the Guidelines are not exhaustive, and not every section may be applicable to each relevant organisation. Finally, as per the PDPA, should there be any inconsistency between the PDPA and another written law (such as Singapore’s Code of Practice for Online Safety issued under the Broadcasting Act 1994[4]), that other law will prevail.
What Methods for Establishing a User’s Age Are Provided in the Guidelines?
“Age assurance” is defined as any method for ascertaining a person’s age and includes self-declaration, age estimation and age verification.
“Age estimation” is in turn defined as the estimation of an individual’s age, or age range.
“Age verification” refers to the verification of an individual’s age or confirmation that they are above a certain age.
In other words, age estimation and age verification (alongside self-declaration) are particular ways of establishing age, and therefore subsets of age assurance.
What Do the Guidelines Clarify?
- Notices must be easy to understand for children.
When notifying end-users of the purposes for which their personal data is processed, organisations should consider the nature of their content and adopt age-appropriate language and media in their communications, especially to children. These might take the form of infographics, video clips and the like. Ultimately, children need to understand the consequences of providing and withdrawing their consent.
- Consent from children between 13 and 17 must be context specific.
While children between 13 and 17 may give valid consent, if there is reason to believe that they lack sufficient understanding of the nature and consequences of giving such consent, then consent should be obtained from their parents or guardians instead. There may also be instances where a higher age of consent is more appropriate in a given business context; for instance, it is more prudent to ask a parent for consent in an education setting.
- The purpose for processing children’s data must be reasonable.
Data minimisation should be applied to children’s personal data, including when collecting or using children’s personal data for age assurance and for ensuring that only age-appropriate content is accessible. Purposes that warrant processing of such data include protecting a child from harmful or inappropriate content and directing them to safety information where there is a risk of self-harm or suicide. Unless required by law, national identity documents should not be required for age assurance. Any behavioural and telemetric data collected to build profiles and ascertain age will constitute personal data if it can be used, alone or in combination with other data, to identify specific individuals. Geolocation settings should be disabled by default so that precise location data is not automatically collected.
- Age assurance methods (including age verification and estimation) are encouraged to protect children and their data.
For example, once a user of an online game has been identified as a child, the game may prompt them to take breaks from extended play.
- Children’s data is more sensitive and requires a higher standard of protection.
The Guidelines make it clear that organisations handling children’s personal data should implement enhanced security measures to address potential risks and harms to children in the digital environment. Specific examples include infocomm security policies, access controls, backup and retention and password protection practices; mitigating third-party vendor risks; using one-time passwords or multi-factor authentication; and conducting network penetration testing on systems that process or store the data.
- Breach notifications should be made to children and/or their parents as appropriate in the children’s best interests.
Even if not mandatorily reportable under the PDPA, organisations that process children’s data should demonstrate a greater level of accountability and consider notifying the parents in cases of breaches affecting their data. This would allow steps to be taken to mitigate harms arising from such incidents.
- A data protection impact assessment should be done prior to product/service release.
Organisations are advised to conduct an assessment, and a sample template is provided in Annex A of the Guidelines. The template identifies key areas of assessment including the nature of the product or service, the context, purpose and scope of any data processing, consent, protection and security, and breach notification processes.
Commentary
While the Guidelines do not prescribe hard and rigid rules over and above the PDPA and other advisory guidelines, codes and standards, they do lay down baseline expectations for the protection of children’s personal data online. The data protection impact assessment is a particularly useful and sensible approach to tackling the myriad privacy and other online harms to which children are increasingly susceptible and vulnerable. Organisations whose products or services are likely to be accessed by children should certainly take heed, by demonstrating accountability and by proactively identifying, evaluating and addressing the real risks posed to a safe and secure digital environment that has become such an integral part of our lives and our children’s lives.
[2] https://sso.agc.gov.sg/Act/BA1994?ValidDate=20230201&ViewType=Pdf&_=20240328211705