Sonia Livingstone on the GDPR: No more social networking for teens?

In this article, we hear from Professor Sonia Livingstone OBE on how the provisions of the new General Data Protection Regulation will affect children and young people.

Date 2016-03-31 Author Sonia Livingstone OBE
On 15 December 2015, the European Parliament, the Council and the Commission agreed on the new harmonised data protection rules which, many hope, will benefit both European business and European citizens. It is not so obvious, however, that the General Data Protection Regulation (GDPR) will benefit European teenagers. For although little noticed until the decision was reached, one effect will be to prevent those under 16 from using social media and other online platforms unless they gain explicit parental consent. Since this decision appears to have relied neither on evidence regarding children's online participation and protection or to have consulted children themselves (or, even, the child rights and welfare bodies who represent their interests), it's no wonder that many have protested.
On the one hand, we should acknowledge that the purpose of the new data protection rules is not only to save red tape for businesses in the interests of a digital single market but also to introduce new and arguably long-overdue privacy and data security standards that consumers – including children – can trust, bringing to a conclusion a four-year-long regulatory wrangle about data protection. Now that social networking and other online companies that collect large amounts of personal data will have to appoint a data protection officer; they won't be able to transfer personal data to third parties without explicit consent from the user when the data is being used for other purposes; and so on. And since currently the data practices targeting adults are the same as the ones used for teens – cross platform, mobile location tracking, productive analytics – these are unfair in the sense that they exceed reasonable expectations of young teenagers' digital literacy. No wonder that the US's Center for Digital Democracy, among others, supports the new regulation, arguing that teenagers especially deserve greater opt-in, transparency and individual control. After all, child welfare experts have long been calling for data protection safeguards for teenagers to address the commercial online marketing practices of Facebook and others.
But on the other hand, these enhanced protections will also have the major (though presumably unintended consequence) of significantly limiting children's rights to communicate with their peers, engage online with educational, health and other valuable resources, or participate in the online civic and public sphere, as argued forcefully by Larry Magid and danah boyd, among others. Or as The Guardian put it, "Is Europe really going to ban teenagers from Facebook and the internet." Moreover, the GDPR's reliance on responsible parents is insufficient, as there is now plenty of evidence also that, in practice, many children won't ask for or obtain parental permission, for a host of reasons, some of them likely to exacerbate social and digital inequalities (parents who don't understand, have no time, don't care…). As a result, new sites will proliferate and many children will lie about their age even more than they do now, to gain access to services, pushing their internet use further under the parental radar and so making it harder for well-meaning parents to guide them.
At the last minute, the EC included a proviso that while 16 years old becomes the new European norm below which parental permission is required before offering information services of any kind to a minor, member states can choose to pass legislation to lower that age. The problem is that children's rights to protection and participation don't exactly vary country by country but, rather, by child and by circumstance. Nor can parents be the sole arbiter of children's rights (as famously established in the UK by the Gillick ruling). As stated in Article 24 of the EU Charter of Fundamental Rights, "Children shall have the right to such protection and care as is necessary for their well-being. They may express their views freely. Such views shall be taken into consideration on matters which concern them in accordance with their age and maturity."
Here, then, is a classic instance of the problem I recently raised with John Carr and Jasmina Byrne, namely that internet governance bodies have not yet grasped that they must implement specific strategies to ensure children's rights to protection at the same time as ensuring their rights to participation. In other words, it is not enough to address rights individually, but one must also pay attention to the consequences – intended or otherwise – on other relevant rights. Thus it is inadequate to introduce regulation focused on mitigating risk without attending to the possible restrictions on opportunities. EU Kids Online has provided the EC with plenty of evidence that children's experience of online risks go hand in hand with the opportunities, and so policy must now be developed in full recognition of this. Moreover, as those of us interested in children's rights in the digital age are acutely aware, it's time to wake up to the prospect that, increasingly, the internet will pose public and policy dilemmas regarding the clash of rights – most often, child protection versus participation.
Whatever the history of good intentions and muddled policy making, we now face some key questions. They will, it seems, be answered on a country-by-country basis, so I hope in each member state that robust evidence will be sought and proper public consultation with all relevant parties including children will be undertaken, as mandated by the UN Convention on the Rights of the Child (UNCRC) to facilitate a better, and a more legitimate, outcome.
  • Why is parental permission seen as the key mechanism to protect children from online abuses? We have ample evidence that it doesn't work. In principle, children have rights independent of their parents' preferences or inclination. Can't industry instead be required proactively to identify and treat children in ways appropriate to their age without passing the burden to parents and the risk of exclusion to children?
  • Is there no way to separate data collection from data exploitation? In other words, couldn't we enable information service providers (whether public, private or third sector) to collect data from children so as to enhance the service offered, without parental permission for those aged 13 or over, but mandate that no commercial use is made of the data? (Yes, this would require a big change for Facebook and the others, but they'll then surely be more likely to get keep teenagers as their consumers when adult.)
  • Will the outcome of the new regulations in practice make companies treat under 16s better or will they just cease to provide for them at all, given increased regulatory complexity and loss of revenue? What impact assessment has already been conducted to demonstrate the benefits to children of this new regulation? And who will evaluate the subsequent effects of these changes for children and young people in particular? Without these, how can we be confident that the new regulation is, as Joseph Savirimuthu asks and as the UN Convention on the Rights of the Child demands, in children's best interests?
  • What will governments decide about whether to reduce the age from 16 back to 13, and with what evidence and process of consultation and monitoring? Who will decide and how can those of us with something to contribute - including teenagers themselves - get involved?
I think these questions are both important and urgent. Europe's teenagers await the answers for this really matters to them. I hope at least some of them get answered in the coming two years!
Acknowledgement: an earlier version of this text was published on the LSE Department of Media and Communications' Media Policy Project blog at
The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of the Better Internet for Kids Portal, European Schoolnet, the European Commission or any related organisations or parties.
About the author of this article:
Sonia LivingstoneProfessor Sonia Livingstone OBE is a full professor in the Department of Media and Communications at LSE. She teaches master's courses in media and communications theory, methods, and supervises doctoral students researching questions of audiences, publics and youth in the changing digital media landscape. She is author or editor of nineteen books and many academic articles and chapters, and has been a visiting professor at many universities worldwide. Her new book, The Class: Living and Learning in the Digital Age, will be published in April 2016.
She leads the project, Preparing for a Digital Future, which follows the recently-completed project, The Class, both part of the MacArthur Foundation-funded Connected Learning Research Network. She directed the 33-country network, EU Kids Online, funded by the EC's Better Internet for Kids programme, with impacts in the UK and Europe. She participated in the European COST action, Transforming Audiences, Transforming Societies, and leads ECREA's Children, Youth and Media group. She is currently researching parents' responses to the online commercial environment for their children. She gave a recent TEDX talk on ‘How children engage with the internet'.
Sonia also serves on the Executive Board of the UK's Council for Child Internet Safety (UKCCIS), for which she is the Evidence Champion.

Related news