According to the General Data Protection Regulation (GDPR,) information society services that wish to process any personal information related to a child under the age of 16 years will require parental/guardian consent. The GDPR is the European Commission’s tool that will unify data protection in the EU and there are plans for it to be adopted in 2018. In the most recent GDPR draft released by the European Council, the age limit where parental consent is mandatory has raised from 13 to 16 years. The implications for children digital rights are not well understood and, at the moment, nobody knows if this regulation will protect children or by the contrary make them more vulnerable. Something certain is that, until now, minimal consultation to incorporate the children voice has taken place and consequently, children’s digital rights are not being treated with the respect or seriousness they deserve.
In the US, since the passage of the Children’s Online Privacy Protection Act (COPPA) in 1998 and the Federal Trade Commission’s (FTC) in 2000, there have been specific rules regarding the collection of data from children under 13 including the request of verifiable parental consent. Taking into account that the international standard has been 13, some wonder why younger European teens may be treated differently than American teens.
This controversy expands to any children between 13 and 15 that have been using internet services classified as ‘information society service provider’ (ISSP), which is defined as ‘any service normally provided for remuneration [it may contain adverts], at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service’. Some of these ISSP have been designed to provide a safe space for promoting wellbeing and mental health resilience among under 16. According to the new GDPR, children will be protected from being pressured to share personal information with ISSP without fully realising the consequences but will have to pay a high cost: parental consent.
Asking for parental consent could jeopardise children fundamental rights to access online information and services that may relevant for them. Moreover, it could make children from abusive families more vulnerable by disclosing sensitive information to the perpetrators. However, online services not classified as ISSP will be excluded from this new normative and there will be no need to obtain and verify parental consent from users under 16. Accordingly, services such as the ChildLine provided by the National Society for the Prevention of Cruelty to Children (NSPCC) should remain as it is, a confidential place for children ruled under the Gillick competency guidelines, which considers if the child is mature enough to make decisions. This type of regulations helps to balance the children’s digital rights and wishes with the adults’ responsibility to keep them safe from harm.
We can anticipate huge implications on the use of social media by children. For example, companies may avoid the burden of obtaining parental consent and decide to design services for only those over 16. Whilst an increased digital age of consent might seem like a good way to protect children, online safety experts have expressed their concerns about this increase in age threshold. It has been argued by Janice Richardson, former coordinator of the European Safer Internet Network, that this measure will likely only incentivize children to lie about their age.
Finally, the Parliament has also made two significant additions to the GDPR: First, a requirement that information provided to children and their guardians regarding consent be in plain language; second that the European Data Protection Board, and not the Commission, be entrusted with issuing best practices and guidelines for obtaining and verifying consent. While we welcome the transparency that could be gained with the first addition, we are concern about the practicalities of this measure and still wonder how busy parents will be able provide consent that is technically verifiable EACH TIME their child access an ISSP?
If you are intrigued about the progress of the GDPR, see graph below by Kuan Hon.