An age verification requirement has so far been more of a child protection issue than a data protection issue. While it may seem paradoxical how data protection law could require controllers to carry out more data processing, this article argues that the GDPR obliges information society service controllers to implement effective age verification measures pursuant to Art. 25(1), Art. 5(1)(a) GDPR. In order to make this argument, the article lays out the necessary background and briefly analyses the concept of ‘state of the art’ before showing the implications of the data subject’s age for the lawfulness of a processing and thus for Art. 25(1) GDPR. Thereby, this article takes the EDPB’s Binding Decision 2/2023 on the age verification measures implemented by TikTok as an opportunity to take an in-depth look at the interplay between the data subject’s age, the lawfulness and privacy by design under Art. 25(1) GDPR.

The article first describes the phenomenon of super app adoption within the digital market of China (I.) and then lays out China’s legal framework for protecting children and their personal information from the potential risks posed by online platforms (II.). Finally, WeChat’s strategy for compliance with children protection laws and regulations is outlined as well as its impact on the effectiveness of the legal framework in safeguarding children’s data privacy assessed (III.).

This article continues the previously published two-part series, Cyber-Breaches in Critical Infrastructure: It’s Not Just About Personal Data Breaches Anymore, by expanding its focus to India – specifically, to the India Computer Emergency Response Team and the related Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules.

The article discusses the significant changes to the position and function of the ICO proposed by the Data Protection and Digital Information Bill that is currently being debated in the House of Commons focusing on Section 30 of the Bill which incorporates a statement of strategic priorities of the UK Government into the ICO’s performance of its duties and assessing the effects of Section 28 of the Bill on the “complete” independence in the sense of Union law of the ICO.