The agreed General Data Protection Regulation (GDPR) heralds a crucial turning point for children's privacy in Europe. For the first time ever, a legal instrument of the European Union (EU) explicitly recognises that minors deserve ‘specific protection' of their personal data. By doing so, it obliges all relevant stakeholders to engage in effectively delivering it to minors. The GDPR announces progress in several directions: the (much commented) consent to some data processing practices to be given by parents, but also, for instance, an obligation for companies processing children's personal data to give them information in child-friendly language, or the duty for data protection authorities to put in place activities promoting public awareness of these issues among children. These are all important paths towards a goal that will, however, require additional efforts.
Specific protection for a specific age group
The European Commission has been consistently arguing in favour of the recognition of minors' need for ‘specific protection' of their personal data since the start of the legislative process leading to the new Regulation. Throughout this period, different lines of argument have typically been used. Children are said to need such ‘specific protection' because they are especially vulnerable to the misuse of their personal data, which can have a particularly dramatic impact on their lives. And children are also typically described (e. g., in the very preamble to the GDPR) as being ‘less aware of risks, consequences, safeguards and their rights' in relation to personal data processing - that is, especially ill-equipped to take the good decisions necessary to control what happens to their personal data.
A further argument could be added: minors are increasingly at the forefront of innovative data processing practices. From the seminal moment their parents Google around first names in search of inspiration, up to they day they will share a selfie with their university diploma; from the moment their milk consumption was measured with an ad-hoc app, up to the day they received their first ‘smart watch' allowing mum and dad to always know where they are, new generations are nowadays constantly under the (data) spotlight. They are drawing the society's future data landscape with their own digital flesh, in ways nobody ever experienced.
Children deserve it, but who will guarantee it
The GDPR does not only recognise that children need ‘specific protection' for their personal data. It actually aims to attain such protection with a series of concrete provisions. One of the most debated is the one obliging companies that offer internet services directly to children to request parental consent in order to process data of children below 16 or 13 years (depending on national laws). This is an important rule, bringing the EU in line with international legal approaches and, most notably, with standard practice in the United States. Beyond its practical implementation, the rule serves as a reminder of the vulnerability of children's position online, in the face of possibly giant and data-hungry companies, and of the crucial role for parents for their protection in this context.
Yet, that provision is not the only one attempting to fine-tune EU data protection law to the ‘specificity' of children's needs. Others further refine the general obligations of those who decide to process personal data (known as the ‘data controllers') in light of the necessities of minors. In this sense, the GDPR puts forward a special ‘transparency' requirement obliging data controllers to always provide relevant information to children about the processing of data concerning them using clear and plain language, language that should be easily understandable not just by average individuals, but specifically by the targeted children.
The GDPR backs up the development by the industry of codes of conduct specifying the application of this special child-friendly ‘transparency' requirement, as well as of the ways in which consent by the holders of parental responsibility might be collected.
Although companies have, generally speaking, the possibility to process personal data in the name of their ‘legitimate interests', the GDPR demands that such ‘legitimate interests' be balanced with particular care whenever they could be overridden by the interests, rights or freedoms of children. Additionally, the GDPR also emphasises that the right of individuals to erase the personal data about them, applicable in some circumstances, can be particularly relevant whenever the data at stake had been processed on the basis of the consent of a child.
Bring in the authorities
The GDPR also takes into account the need to deliver ‘specific protection' to children when describing the tasks of data protection authorities. Data protection authorities are independent bodies traditionally entrusted by EU law with multiple supervisory and consultative tasks. As already stressed repeatedly by the EU Court of Justice, they constitute an integral component of the EU fundamental right to the protection of personal data set out by Article 8 of the EU Charter of Fundamental Rights, legally binding since 2009.
The future Regulation openly endows European data protection authorities with the duty to ‘promote public awareness and understanding of the risks, rules, safeguards and rights in relation to the processing of personal data', and to do so giving specific attention to activities targeting children.
Teaching them (about their) right
All European data protection authorities have been engaging over the years in awareness activities targeting children, even if with various degrees of resources and commitment. In many cases these activities have taken place at schools; often, they have been carried out in cooperation with different actors involved in online safety initiatives.
The GDPR's new mandate to data protection authorities to make a special effort in order to raise the data protection awareness of children is extremely significant, at least for two reasons. First, the Regulation is clear about the fact that children should be aware of the risks related to personal data processing, but also about their rights in this respect. While online safety initiatives naturally tend to underline that being online is potentially dangerous, future data protection awareness campaigns should thus imperatively also educate children about their legal powers and entitlements.
Second, by giving a clear role to data protection authorities in the realisation of children's privacy rights, the GDPR concedes that the issue of children's privacy cannot be placed exclusively in their parents' hands. As a matter of fact, the truth is that nowadays the protection of personal data of children is often not endangered just because parents were not consulted, but actually despite the involvement of parents, or, increasingly often, because of them.
Will privacy be the new toy safety?
Parents are indeed increasingly invited to purchase services to monitor online activities or the movements of their children. They might also be active users of social media where the sharing of information about minors is encouraged and perceived as the norm. Or perhaps they just entered a toy store, bought a colourful laptop or a toy ‘smart watch' that looked like it was specially designed for kids, and only months later realised that the company behind the hi-tech toy had been attacked by a hacker, exposing their children's (and their own) personal data and safety. Recent data breaches have revealed this is not fiction.
Taking into account these realities, parents and parental consent cannot be the (only) solution to deliver to children the ‘specific protection' they deserve. In addition to the other approaches already hinted at in the GDPR, time might have come for more proactively putting a clear distance between unaware children and dangerous data processing practices, or between such practices and well-intentioned but exactly as unaware parents. This might involve, for instance, imagining new links between toy safety and certification schemes and seals as supported precisely by the very GDPR.
We might have just started to scratch the surface of the level of specificity required to guarantee children's fundamental rights in relation to their personal data.
The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of the Better Internet for Kids Portal, European Schoolnet, the European Commission or any related organisations or parties.
About the author of this article:
Prof. Dr. Gloria González Fuster is a Research Professor at the Law, Science, Technology and Society (LSTS) Research Group of the Vrije Universiteit Brussel (VUB), where she teaches European fundamental rights. She currently contributes to the ARCADES project, co-funded by the European Commission to promote education on privacy and personal data protection in schools across the EU, as well as to the research project Promoting Integrity as an Integral Dimension of Excellence in Research (PRINTEGER).
She is the Programme Coordinator of VUB's European Data Protection Law Summer School, organised by the Brussels Privacy Hub, and lectures for the Master on Technology and Privacy of the University of Girona and Eticas Research & Consulting.
In addition to Law, her academic background includes Communication Sciences and Modern Languages and Literatures, and she has worked for the Citizenship Unit of the Education and Culture Directorate-General (DG EAC) of the European Commission and for the Education, Audiovisual and Culture Executive Agency (EACEA).