Bridging the gap: How Spain's AEPD are navigating age assurance in the digital age
Regulators often struggle to keep pace with innovation and technological change. This is not due to ignorance or incompetence but mostly because their powers are generally derived from statutes which are infrequently, if ever, updated. In the field of online safety, there are not even many laws in place to empower regulators to take any action at all, and most interventions are based on laws designed for the real world, not the virtual one, and so often prove to be ill-suited.
Therefore, Europe’s GDPR is quite a unique example of a law that was created specifically for the digital environment, and it is interesting to track how well it copes with advances in technology. The Spanish data protection authority, the AEPD, recently published a blog, which is a great example of how the law can keep pace with innovation. The article considers the legal status of estimation techniques used to provide age assurance. These new methods, such as utilising facial biometrics or user behaviour to estimate users’ ages have emerged in part as a response to concerns about the amount of personal data users may be asked to share to complete a more traditional age verification. They also enable those without the records or documents needed for age verification to prove their age online - with children often falling into that category.
On the face of it, GDPR presents a problem for estimation, as the law requires that if a company is going to hold personal data, it has a duty to ensure it is accurate and to correct errors. Estimation, while not an exact verification, is designed as a way to accurately determine age groups and allow for age assurance technologies to be implemented proportionate to a platform’s risk. The result is probabilistic, however, as technology has evolved, age estimation methods are now considered to be highly accurate. For example, Verifymy’s exclusive email address age estimation method is certified by the Age Check Certification Scheme to EAL level 3, the highest possible for age estimation.
However, the AEPD acknowledges there are benefits to estimation, particularly in relation to the amount of data a user has to share to prove their age—it may require no more than a selfie or just an email address. So, rather than dismiss estimation altogether, the Spanish regulator argues it can be legal, provided it is offered in combination with alternative methods that would allow a user to rectify inaccuracies.
Verifymy offers users the option to estimate their age, but if the result is a false negative (they are wrongly determined to be too young when they are, in fact, old enough), then users are always given the choice of alternative age verification methods, such as using government ID. For the AEPD, this cumulative approach is “likely to be legal”.
We hope Ofcom takes note of this, as their current proposal for enforcing minimum ages for social media to prevent children under 13 from opening accounts decided against requiring any age assurance. Their rationale was that kids who were 13+ but failed estimation would be unfairly excluded. However, given 83% of the overall population of England and Wales holds a passport, they could easily correct this mistake. Others may have a bank account which can also be used to prove age easily - and for any who are still struggling, there is an option to rely on a professional such as a teacher or doctor to vouch for their age.
As the European Data Protection Board considers other ideas from its Spanish member, such as their Decalogue of Principles for age verification, we trust this latest, insightful contribution will also be adopted at the EU level to give platforms greater confidence to adopt convenient, cost-effective and privacy-preserving estimation techniques.