EDPB Statement on Age Assurance – Key Highlights

The European Data Protection Board (the “EDPB”) has recently adopted a statement on age assurance, underscoring the importance of protecting children's well-being and their personal data in the digital environment.

The EDPB lists ten principles for the compliant processing of personal data when determining the age or age range of an individual. While the Statement is a useful indication of what data protection authorities expect, it is not designed to answer the key question of how, exactly, age assurance should be implemented in a way that reconciles data protection law obligations with child protection obligations under other laws such as the Digital Services Act and the Audiovisual Media Services Directive. It remains to be seen whether the guidelines for protecting minors online being prepared by the European Commission will deliver this.  

Key Highlights of the EDPB Statement

Background and Purpose

The Statement acknowledges that the European regulatory framework calls for the increased protection of children in the digital environment. The Statement refers to the Audiovisual Media Services Directive, which highlights the possibility of implementing age verification measures, and the Digital Services Act, which references age verification as a risk mitigation measure. It also notes that different national and European initiatives, such as Better Internet for Kids (BIK+), identify age assurance as one solution to improve children’s well-being online through a safe, age-appropriate digital environment in line with the European Digital Rights and Principles.

The Statement notes that age assurance poses specific risks to data protection, with the potential to adversely impact not only natural persons’ right to the protection of their personal data but also other rights and freedoms such as the right to non-discrimination, the right to the integrity of the person, the right to liberty and security, and the right to free expression and information.

The Statement sets out the following proposed principles that should be taken into consideration when personal data is processed in the context of age assurance. The EDPB notes that these stem from the GDPR and seek to reconcile the protection of children and the protection of personal data in the context of age assurance.

Principles to Design GDPR-Compliant Age Assurance

  1. Full and effective enjoyment of rights and freedoms: Age assurance must respect all of a natural person’s fundamental rights and freedoms, not just the right to the protection of personal data. In the case of children, the best interests of the child should be a primary consideration for all parties involved in age assurance, noting that there is no hierarchy in considering the best interests of the child, and regard should be had for all rights of children.
  2. Risk-based assessment of the proportionality of age assurance: Age assurance should always be implemented in a risk-based and proportionate manner. The necessity and proportionality of using safety measures such as age assurance should be demonstrated, taking into account the associated risks. Service providers must respect their users’ rights and freedoms, balancing these with the need for safety measures which should always be the least intrusive of those available and which should always be effective.
  3. Prevention of data protection risks: Age assurance should not lead to any unnecessary data protection risks for natural persons. Service providers and any third party involved in age assurance should implement effective measures and safeguards to prevent the age assurance process from causing unnecessary data protection risks such as those resulting from identifying, locating, profiling, or tracking natural persons.
  4. Purpose limitation and data minimisation: Only age-related attributes that are strictly necessary for the specified, explicit and legitimate purpose should be processed. Technical measures such as Privacy Enhancing Technologies should be used to limit the possibility of repurposing personal data. Organisational measures, such as policies and contractual obligations, which limit the reuse of personal data, should also be deployed.
  5. Effectiveness of age assurance: Age assurance should demonstrably achieve a level of effectiveness adequate to the purpose for which it is carried out. Age assurance methods should be accessible, reliable, and robust, ensuring they achieve the intended purpose. Notably, the EDPB states that the self-declaration of an age-related attribute is unlikely to be robust, since the reliability of such a method depends mostly on the goodwill of the user.
  6. Lawfulness, fairness and transparency: Service providers and any third party involved in age assurance should ensure that the processing of any personal data for the purposes of age assurance is lawful, fair and transparent to users. Service providers must ensure that they convey transparency information to children, when concerned, in a way that is clear and easy for them to understand.
  7. Automated decision-making: Any occurrence of automated decision-making in the context of age assurance should comply with the GDPR. If applicable, service providers and any third party involved should provide suitable measures to safeguard natural persons’ rights and freedoms and legitimate interests. Service providers and any third party involved in age assurance should provide remedies and appropriate redress mechanisms for users whose age-related attributes are not properly established.
  8. Data protection by design and by default: Age assurance should be designed, implemented and evaluated taking into account the most privacy-preserving methods and technologies available in order to meet the requirements of the GDPR and effectively protect the rights of data subjects, and should be regularly revised and updated if necessary. Considering the diversity and severity of the risks associated with age assurance systems, especially when identity documents or special categories of personal data such as biometric data are processed, the utmost attention should be paid to avoid any unnecessary access to, processing, sharing and storage of personal data.
  9. Security of age assurance: Service providers and any third party involved in age assurance should implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The nature, sensitivity, and volume of personal data that can be involved in age assurance highlight the potential adverse effect that a data breach could entail.
  10. Accountability: Governance methods should be implemented by service providers and any third party involved in age assurance that allow them to be accountable for their approach to age assurance and for demonstrating their compliance with data protection regulation and other legal requirements. Age assurance should operate under a governance framework, ensuring that all processes and systems are designed, implemented, revised, documented, assessed, used, maintained, tested or audited in a way that meets data protection regulations and other legal requirements.

Comment

The EDPB Statement offers valuable guidance for businesses that may need to implement age assurance measures on what is expected of them, and what they will need to be able to demonstrate, in order to ensure compliance with the GDPR. It does not, however, offer any views on what, exactly, is ‘necessary’ or ‘proportionate’ in order to ensure compliance with the AVMSD or DSA or any other laws that require some form of age assurance, whether that be age estimation, age verification, self-declaration or something else. It remains to be seen whether the European Commission will fill in this piece of the puzzle in its upcoming guidelines.


This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.