Advertising targeting children: New proposals from Europe

What happened

• The European Parliament has stated that it is looking to develop new legislation on restricting targeted advertising, particularly in relation to children and sensitive data.
• The new law being proposed specifically states that “personal data of minors collected by online platforms shall not be processed for commercial purposes related to presenting behaviourally targeted advertising to minors”.
• Platforms would also be required not to perform unnecessary age verification checks and that the ban should be applied by default.
• The legislation is still being drafted and will have to go through an approval process involving the Council of the European Union.

Why it matters

• The GDPR already contains specific provisions relating to profiling and the processing of personal data relating to children.
• The GDPR requires the completion of a Data Protection Impact Assessment when large-scale processing of special categories of personal data (such as health, ethnicity and sexual orientation) and/or systematic monitoring on a large scale is envisioned or carried out.
• This can include online profiling where users go on various websites and profiles are generated ‘behind-the-scenes’ based on browsing habits.
• These profiles are then used to present tailored adverts to the user.
• The new law being proposed would ban this type of processing when it involves children.

What happened

• he new draft proposal sets out a detailed set of rules for the processing of electronic health data for health and care use as well as for research purposes.
• The regulation mainly applies to health and care organisations such as hospitals, pharmacies and providers of Electronic Health Care systems (i.e. solutions intended by the manufacturer to process electronic health records).
• Similar to the GDPR, the EHDS Regulation will give individuals the right to access their electronic health data and to rectify it and restrict its processing.
• EU member states will also be required to put in place a common infrastructure for cross border sharing of personal electronic health data and products.

Why it matters

• The EHDS Regulation intends to take advantage of the EU’s newly published Data Governance Act and the creation of common ‘data spaces’.
• The aim of the EHDS Regulation is to promote continuity of care as well as the advancement of medical research through greater data sharing.
• These proposals will not affect the UK due to Brexit. However, the UK already has a long-established information governance framework within its National Health Service (NHS) that involves applying specific data security principles known as the ‘Caldicott Principles’.
• One of these principles involves promoting data sharing for direct care purposes.

What happened

• A recent decision by the EU’s top court ruled that national authorities cannot retain phone data in a general and indiscriminate manner, but could use specific information to tackle very serious crimes.
• This case was brought by the Supreme Court of Ireland.
• The decision by the CJEU follows another last year where it was also found that such data could only be used to combat serious crimes such as threats to national security.

Why it matters

• Indiscriminate access to personal data for law enforcement purposes is a hotly debated topic in data protection and one the central issues in relation to the invalidation of the EU-US Privacy Shield (i.e. the mechanism that was widely used to enable data transfers from the EU to the US).
• The CJEU’s decision confirms the European stance on the matter – that access to this type of data should only be for very serious crimes such as threats to national security.