If Alice fell down the rabbit hole in 2015, it wouldn’t take an Oxford don to document her adventures. #Wonderland would be trending on Facebook and Twitter and Alice’s Instagram would be full of selfies with the March Hare and the Cheshire Cat.
Children today are as technologically literate as any grown up. My 4-year-old nephews, for example, could navigate YouTube before they learned to read. But the new General Data Protection Regulation (GDPR), the European Commission’s tool to unify data protection in the EU, might prove to be a stumbling block for digital users under 16.
Background
As Martin blogged yesterday, the Commission has this week announced that the final text of the GDPR has been agreed with the European Parliament and Council, but not before a last minute change to the so-called ‘digital age of consent’.
Earlier drafts indicated that the Commission would adopt 13 as the threshold at which parental consent is required for the use of information society services (websites and other online services), but a last minute amendment changed this to 16. The apparent final draft (PDF) published by a German law firm suggests that the threshold has indeed been raised to 16, though individual member states may reduce this to 13 if they choose. Ironically, eliminating national inconsistencies was one of the key aims of the GDPR.
Will anything change in the UK?
When collecting personal data it is important that the data subject properly understands how the data they provide will be used. That can be difficult when collecting data from children.
The Data Protection Act does not specify the age at which children are legally able to give consent to processing of their personal data. Current guidance (PDF) from the Information Commissioner’s Office recommends that consent should be sought from a parent or guardian prior to collecting information from children up to the age of 13, but notes that there may be cases where it is necessary to obtain parental consent from children older than 13:
“Assessing understanding, rather than merely determining age, is the key to ensuring that personal data about children is collected and used fairly. Some form of parental consent would normally be required before collecting personal data from children under 12. You will need to look at the appropriate form for obtaining consent based on any risk posed to the child. You may even decide to obtain parental consent for children aged over 12 where there is greater risk. This has to be determined on a case by case basis.”
This will change when the GDPR comes into effect in 2018. Whether or not the UK government will stick to this limit or increase the threshold to 16 in line with the GDPR remains to be seen.
How will the threshold be enforced?
From a technical perspective, social media platforms and other website operators will need to think about how they obtain parental consent from each child under 16 accessing their digital content. Opponents to the increased threshold also argue that it will simply encourage children to lie about their age.
From a legal point of view, the proposed threshold is at odds with a child’s capacity to enter into contracts on their own behalf. In Scotland, a child under the age of 16 can enter into contracts of a kind commonly entered into by people of his age and circumstances, provided that the terms are not unreasonable.
Historically, this has allowed children to make simple transactions, like buying sweets or bus tickets.
However, now that young people access websites and apps every day and are often as digitally aware as many adults, it is probably the case that they can legally consent to terms and conditions on their own behalf. Clearly, though, there will be a lower cut off age – my nephews can hardly be expected to properly understand YouTube’s terms and conditions – and any terms to which a child will be consenting should be in clear and plain language that a child can easily understand.
Returning to the Alice in Wonderland analogy, if a child will access a website regardless, is it perhaps better to draft terms of use that are capable of binding the child rather than disappear down the rabbit hole of having no binding terms of use at all?
Will it actually protect children?
Whilst an increased digital age of consent might seem like a good way to protect children, online safety experts have expressed their concerns about the sudden change to the threshold in an open letter published last Friday.
The signatories point out that increasing the age limit for consent is artificial, as research shows that young people are adept at controlling the information they share online, more so than many adults. Moreover, they highlight the important role played by digital platforms and social media in self-development and education.
The extra bureaucracy involved in obtaining parental permission could restrict the access children have to valuable online resources. Such resources include not only educational services, but also online support and advice to children suffering from abuse or online bullying. Indeed, it could actually lead to an erosion of the child’s privacy as such advice and information could not be sought in confidence.
What should providers of online services be doing?
There has been no announcement from the UK Government on whether a lower age limit will apply in the UK. Either way, the new hard-wired age will require providers of information society services that might be used by children to think about how they collect data and ensure that appropriate consents are obtained. That might require changes to website terms of use and registration procedures.
If you’d like to discuss the GDPR further, please get in touch with my colleague Martin Sloan or your usual Brodies contact.
Image may be NSFW.
Clik here to view.
The post GDPR to raise digital age of consent for online services appeared first on Brodies LLP Legal Resource Area.