Do Americans spell privacy differently?

The defining feature of the age verification sector is our focus on privacy and data protection.  When a barman serves alcohol, he only needs to know you are at least 18, not your name, address, and inside leg measurement.  So we are watching the many moving parts in this regulatory space carefully.

The news that Facebook has filed documents with the Irish high court which set out its conclusion that “In the event that [Facebook] was subject to a complete suspension of the transfer of users’ data to the US, it is not clear … how, in those circumstances, it could continue to provide the Facebook and Instagram services in the EU” certainly caught my eye.

This situation has arisen after the European Court of Justice (ECJ) considered a complaint against the Irish data protection commissioner, who regulate Facebook on behalf of all EU member states.  The case considered whether the access major platforms provide to the US National Security Agency invalidated agreements between the EU and USA designed to protect the data of EU citizens if it is transferred stateside.  Both the “Safe Harbour” and its replacement the “Privacy Shield” have been ruled illegal by the ECJ. They breach  Article 47 of the Charter of Fundamental Rights of the European Union which preserves the right to a fair trial.  Companies must now, instead, rely on a legal basis known as “Standard Contractual Clauses” (SCCs) if they want to move data across the Atlantic.

As a result of the decision, published in July, the Irish authorities issued an order preventing Facebook from transferring any data outside the EU, and it is understood they gave the popular social media site until the end of last month (September) to challenge it.

Facebook was quick to point out that it is not threatening to withdraw from Europe.: “the simple reality that Facebook, and many other businesses, organisations, and services, rely on data transfers between the EU and the US in order to operate their services. A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU, just as we seek a recovery from Covid-19.”

Consumers are already concerned about the use of their data, and particularly by large platforms.  A colleague recently checked and found that Google stores over 100MB of data across 16 cookies on his mobile, Google another 56MB, and Facebook 22MB.  This concern, in part, led to the EU’s GDPR regime, which is still bedding in.

In the UK, we are now into the 12-month grace period before the Age Appropriate Design Code is enforced.  This statutory code expands on the rights GPDR gives children – notably that you cannot process children’s data (under 18) in a way that leads to exposure to content harmful to their mental health, and that children under 13 may not give permission for their data to be processed without parental consent

The Competition and Markets Authority is one of many international competition regulators examining the dominance of major platforms.  This market power was recently highlighted by a US Senate hearing at which the heads of Google, Facebook, Apple and Amazon were cross-examined about their business models.

What does all this mean?  Well, tech companies should no longer assume that they can build business models based on the unfettered use of personal data, and be particularly shy of children’s data – or indeed data from anyone they do not know with certainty is not a child.  Those who do will face increasing restrictions on their freedom to operate and high costs of compliance.  Where you can design your business to minimise data use and retention, you will find life is a lot easier.

AgeChecked’s core architecture is designed to avoid the need to retain any personal data in order to provide highly reliable, independent third-party age verification.  Each day when I read the news, I am ever more grateful for our foresight!