The ICO Age Appropriate Design Code and schools
edTech news / September 4, 2020
We have written to The Information Commissioner to ask for clarification on the application of the Age Appropriate Design Code that came into legal force this week, as regards educational settings.
The questions we would like the ICO to clarify:
- Does the Commissioner intend to apply the Code to Information Society Systems (ISS) such as edTech apps and platforms in educational settings?
- Does the Code *only* apply to ISS processing on the basis of consent (and Article 8)? [If so, this is mostly invalid in schools and negates its application.]
- Or is it contextual, i.e. the ICO intends for educational websites to fall under the Code when a child uses them without their school requiring them to (i.e. it applies on a consent basis registered as a ‘private citizen’, but not a pupil), so *in school* the Code would not apply to the same app that it would apply to if signed up for at home?
The ICO website states on ISS and consent, “If an ISS is only offered through an intermediary, such as a school, then it is not offered ‘directly’ to a child.” (our bold)
This appears to suggest that the ICO has decided that apps used in school (or at home at the school’s request such as Google Classroom or hundreds of homework apps) are not ISS and that therefore the Code does not apply to them.
However, the ICO website text at the launch of the Code said:
“This code applies to information society services likely to be accessed by children in the UK. This includes many apps, programs, connected toys and devices, search engines, social media platforms, streaming services, online games, news or educational websites and websites offering other goods or services to users over the internet. It is not restricted to services specifically directed at children.” (our bold)
Taken together, these appear to be conflicting, or at least unclear, positions and, when compared with the GDPR and EDPB guidelines, appear to be weaker if the ICO intends to exclude them.
EDPB guidelines (para 129) suggest: “The online delivery of a service would fall within the scope of the term information society service in Article 8 GDPR.”
There is no caveat in the EDPB guidance for a service offered through an intermediary; the ‘offered directly to a child’ wording is really about age, not access. The ICO appears to have made this up itself, as we cannot find it anywhere else.
“The inclusion of the wording ‘offered directly to a child’ indicates that Article 8 is intended to apply to some, not all information society services. In this respect, if an information society service provider makes it clear to potential users that it is only offering its service to persons aged 18 or over, and this is not undermined by other evidence (such as the content of the site or marketing plans) then the service will not be considered to be ‘offered directly to a child’ and Article 8 will not apply.” [EDPB Guidelines 05/2020 on consent under Regulation 2016/679, para 130]
“To determine the scope of the term ‘information society service’ in the GDPR, reference is made in Article 4(25) GDPR to Directive 2015/1535. ‘at the individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.” We believe this applies to children using edTech on an individual basis, and there is no caveat made in the DPA 2018 for “an ISS only offered through an intermediary”.
If an ISS [apps/platforms] processes data directly from the data subject (the individual child), we believe that the computer offers the service ‘directly to a child’ and ‘transmits data on individual request’ i.e. based on the child logging in to an individual device that will exchange information only with them (not broadcast, like a TV or radio), giving instructions, entering data, doing a task and the collection of behavioural data—and it is this data transmission that makes an app or platform an ISS, not whether the school has a contract with a company to process data ‘at the request’ of a school.
Services are covered even if the ‘remuneration’ or funding of the service doesn’t come directly from the end user. And the ICO site on launch day said, “For example, an online gaming app or search engine that is provided free to the end user but funded via advertising still comes within the definition of an ISS. This code also covers not-for-profit apps, games and educational sites, as long as those services can be considered as ‘economic activity’ in a more general sense. For example, they are types of services which are typically provided on a commercial basis.”
Therefore, we believe that the statement on ISS is confusing when it says, “If an ISS is only offered through an intermediary, such as a school, then it is not offered ‘directly’ to a child.” (our bold). We believe the applications of the Code should be defined by its legal basis for processing, and the nature of the data processing between the data subject and the ISS. But then we must remember that the AACOP is a UK-only invention, and not part of the GDPR, so there is no EDPB Guideline on this specifically.
We have asked the Office of the Information Commissioner for clarification. And we can only hope for enforcement to see any beneficial effect.