Privacy rights energised by DPAs and US class action

As a side effect of the pandemic, privacy issues have entered into everyday awareness. I think that there is now greater public insight into and appreciation of the work of privacy lawyers, managers and, indeed policy makers and regulators. In PL&B Reports, we cover issues which would resonate with your social networks, such as privacy rights for children supported by Data Protection Authorities (DPAs) in Europe, and class actions in the US. Other subjects are better suited for your professional networks, such as the just-announced EU adequacy draft declaration for Korea (p.35).

Privacy rights for minors

Privacy issues and children is a nuanced well-balanced issue. On 9 June, France’s DPA, the CNIL, published its 8 Recommendations for Protecting Minors Online. This means that France is joining the United Nations (p.17), Ireland (p.13) and the UK (PL&B UK Report May 2021 pp.7 and 10) by informing companies that when addressing under 18s, minors have distinct privacy rights which must be respected.

There is much common ground between these initiatives and explicit recognition in the DPAs’ guidance that online services directed to and accessible by children have a range of both benefits and risks. Regulators recognise a spectrum of maturity as children move towards the age of 18 and the delicate balance between a child’s right to autonomy and protection, for example, against cyberstalking. This view rejects the US simple threshold of the age of 13 which is the basis of the US Children’s Online Privacy Protection Act.

The guidance from the CNIL expresses the need to seek consent of parents for minors under 15. However, the CNIL recognises that, subject to certain conditions, minors “depending on their level of maturity and in any event from the age of 15, [are] capable of concluding contracts for the processing of their data as part of online services, such as registration for a social network or an online gaming site”.

Winds of change in the US

By contrast with countries with specialised DPAs, in the US much is determined by court precedents. A private right of action can therefore be deployed in a powerful way. In such a case, concerned parents in California achieved a favourable settlement against three well- resourced companies including the Walt Disney Company and Viacom CBS Inc. in a case involving mobile apps for children (p.15). The parents favoured and achieved a substantive shift in company practices rather than a financial settlement.

Companies should expect a more vigorous pro-consumer atmosphere at the US Federal Trade Commission where Lina Khan was sworn in on 15 June as new Chair. The pro-consumer view has been expressed merely as dissenting opinions by the Democrat minority in the last few years under the previous administration. Now, companies will face stricter enforcement in privacy and consumer cases resulting from Khan’s strong academic record; previous experience as counsel to the U.S. House Judiciary Subcommittee on Antitrust, Commercial, and Administrative Law; legal adviser to FTC Commissioner Rohit Chopra; and legal director at the Open Markets Institute.

European Commission recommends Korea for an adequacy declaration

On 16 June the European Commission announced that Korea has fulfilled its conditions for an adequacy declaration (p.35). While we wait for a decision on the UK, due by the end of June, the pace of these recognitions is likely to increase in future, with Mauritius on the horizon (p.32). Professor Graham Greenleaf’s survey of 26 Asian countries (p.26) shows that the EU GDPR is influential but there is a wide spectrum of progress in the region.

For its next steps, the European Commission needs to decide whether its adequacy assessments favour countries, such as Singapore, with strong enforcement over strong principles. What is clear is that for the European Commission “essential equivalence does not mean a photocopy” (p.34).

PL&B’s 34th Annual International Conference - Resetting Privacy: Winning Trust

PL&B’s 2021 conference (5-7 July) will take the form of six online sessions on many of these issues. Speakers will include UK Data Minister, John Whittingdale MP; two speakers from the European Commission; Data Protection Authorities from Belgium, Canada, France, Norway, and the United Kingdom; the European Data Protection Board; and leading companies and law firms who will cover the policy and regulatory trends which will influence your business in the future.

Full details are at We look forward to meeting you there.


Stewart Dresner, Publisher


International Report 171

Lead stories:

The ‘Brussels effect’ of the EU’s ‘AI Act’ on data privacy outside Europe

Graham Greenleaf analyses the proposed EU regulation’s GDPR-like territorial reach, and its impact on business outside Europe in relation to the AI systems that they provide or use.

France: CNIL’s new approach to cookies

Compliance with new guidelines is enforced efficiently by audits and fines. Alexandra Guérin-François and Judicaël Phan of CNAM University, France analyse the changes.

Click for full contents list