Age of digital consent to access online services – what age has your Government chosen?
It aims to update and modernise the 1995 EU Data Protection Directive to improve privacy rights and it provides for, amongst other things, the right to be forgotten.
Specific protection for children with regard to the processing of personal data has also been recognised and what is in effect an ‘age of digital consent’ for children in accessing online services is established under Article 8 of the regulation. It provides that the processing of a child’s personal data will only be lawful if the child is aged 16 and over.
Parental consent will be required for children and young people under the age of 16 to access online services where their personal data will be processed. However, the Regulation also provides Member States with discretion to introduce national legislation setting this limit at any age between 13 and 16.
A number of issues arise for children’s rights advocates with regard to the age of digital consent:
1. What age of digital consent has been or is likely to be set in your country ahead of the May 2018 deadline? Ireland and the UK have set the age at the lower end of the scale at 13, with Spain and Poland likely to follow suit. Austria has decided on 14 and other countries such as Lithuanian and the Netherlands appear not to be adopting the default age of 16. Click here for more information on the ages being set in different countries.
2. Are children and young people being consulted on the age that will be set?
3. Who can give consent to a child accessing a service online? The GDPR refers to the person with ‘parental responsibility’ but this has not been defined any further. Clarity will be needed to determine the reach of the phrase "parental responsibility". Does it include grandparents for example and who will have the capacity to decide for children in alternative families such as children in care.
4. How will the age of digital consent be implemented in practice across the EU? Effective implementation will require industry cooperation. In an area that is largely self-regulated, what impetus is there for industry to take any further measures to verify the age of service users? States must ensure that children, teachers, parents and guardians are provided with educative supports to help them to make informed decisions about the processing of personal data.
5. The GDPR provides that parental consent should not be necessary “in the context of preventative or counselling services offered directly to a child.” Online services to young people, particularly those providing support to LGBTI+ children or children experiencing bullying are critical to those who may not be able to discuss certain issues with their parents or guardians or may require support in order to do so. How will States ensure that children and young people will continue to be able to access online supports and counselling on issues affecting them without parental consent?
The age of digital consent is a complex issue that will impact the rights of children and young people across the EU and given the level of questions it raises; it deserves significantly more consultation, research and impact assessment than it has been given to date.
By Edel Quinn, Senior Legal and Policy Officer with the Children’s Rights Alliance, Ireland.