The French data protection authority (DPA) is the Commission nationale de l’informatique et des libertés (CNIL). This translates literally as the “National Commission for Computing and Liberties” and this perhaps provides some insight into their natural instincts towards complex technology and libertarian policies.
Data protection in the EU is devolved to the DPAs, with multinational organisations regulated by the DPA of the Member State in which they are deemed to be “established” – a fairly strict formula around the location and roles of staff determines this. However, the DPAs work together as part of the European Data Protection Board (EDPB) which oversees decisions of separate DPAs and can intervene in their decisions. A recent decision to fine INSTAGRAM by the Irish DPC was amended during the EDPB’s review process, for example.
Within the EDPB there are specialist leads, and until recently the Irish led of children’s data issues, supported by the French. The Irish stepped back from that in 2021, and now CNIL take the lead in this area.
So CNIL’s views on age verification are more influential than other DPAs, but this is not an overriding role. Decisions are still subject to review by EDPB as a whole.
In July CNIL published its recommendations for devising age verification systems. Noting EU General Data Protection Regulation requirements for data minimization and purpose limitation, the CNIL suggests confirming user ages by utilizing a “trusted third-party” system that provides “triple privacy protection” through anonymity practices. The regulator “considers it urgent” to establish an appropriate system in order to ensure “more efficient, reliable and privacy-friendly devices.”
The summary of what they published is not dramatically problematic for the existing age verification sector, as much of what CNIL seeks is already built into existing solutions:
Access to certain sites or services on the Internet is reserved for adults, in particular access to pornographic websites. It is then necessary to set up a system for verifying the age of the Internet user.
These devices, which contribute to the protection of minors, are never perfectly effective and workarounds are possible. They may also pose privacy risks. The CNIL reminds that, if it is not possible to aim for absolute efficiency, relevant and secure systems should be chosen to achieve the best possible result. They must be reserved for sites for which this is necessary, the principle remaining that access to websites must be by default without identity or age checks.
Checking the age of the Internet user, with the aim of protecting young people, is compatible with the General Data Protection Regulation (GDPR), provided that sufficient guarantees are presented to minimize breaches of privacy . and to prevent age verification from being an opportunity for publishers to collect additional data on Internet users visiting their site. In addition, it should be avoided that the data is captured by a third party for malicious uses (violation of biometric data, phishing, usurpation, blackmail, etc.).
In fact, CNIL are vocal supporters of independent, third-party AV
solutions must be operated by third parties with a sufficient level of security and reliability, to avoid data theft and to guarantee that the additional risks generated by their use are taken into account
It is only in the final detail iof their ideal solution that there is some challenge to the current AV industry:
[CNIL] recommends that this trusted third party be able to receive reliable proof of age from an administration or company [e.g. a utility provider] that knows the Internet user and can certify his age. This proof would then be transmitted by the trusted site or by the Internet user himself to the site to which the Internet user requests access.
The system recommended by the CNIL would provide triple privacy protection:
- whoever provides the proof of age knows the identity of the user but does not know which site is consulted;
- whoever transmits the proof of age to the site may know the site or service consulted but does not know the identity of the user;
- the site or service subject to age verification knows that the Internet user is of legal age and that a person is consulting it, but does not know their identity.
In effect, they seek to split the existing role of the AV provider so it does not ever become aware of the identity of the user, even at the point it is verifying their age, whether they retain this information or not. This is perhaps an ideal, pure solution – but is also phrased as a recommendation rather than a requirement. So if the current AV sector can assure CNIL that it has sufficient protections in place to deliver the equivalent privacy-preserving outcome, then it is unlikely it would be ruled non-compliant.
Finally, the context of the debate here is entirely around adult-content where there is heightened sensitivity about privacy. CNIL is not explicitly applying these ambitions to the very broad requirements for age assurance driven by other legislation, e.g. GDPR and the forthcoming Digital Services Act. Here, the risk of tracking users may be more of a concern than their privacy per se, and the existing design of most AV solutions already pre-empts them being abused to profile user behaviour.