The European Union is planning to adopt a new Regulation on data protection, replacing a Directive which was adopted in 1995. The new legislation was very controversial, taking over five years from the publication of the first Communication from the European Commission (EC) to the expected end of the legislative process. While it remains to be seen how the new legislation will be implemented, it does have some positive new elements – in particular it is hoped that the General Data Protection Regulation (GDPR) will help to create a more harmonised approach across the EU, reinforced by a stronger and more coordinated role for data protection authorities and the creation of a European Data Protection Board (EDPB). The legislation also offers more meaningful, effective and dissuasive penalties for breaches.
The new legislation also brings more specifics for protection of children's data. This is not before time - as the use of the internet and connected devices becomes ever-more popular and invasive in our lives, so the challenges of privacy and data protection continue to grow. Privacy and data protection are a particular challenge for children and young people, a point that is explicitly recognised in the legislation, which explains that children deserve specific protection and warns of the particular dangers surrounding personality or user profiles.
The internet offers new opportunities for children to communicate, to learn, to play and to grow. Effective privacy and data protection rules create an enabling environment for such activities. If we consider privacy not as a legal framework but as a series of freedoms – the freedom to be left alone, to speak freely, not to be manipulated, to make mistakes and so on, we can conceptualise the challenges and the importance for children much more readily.
These challenges are increased by the fact that children develop at different speeds, have different aptitudes and need to be given the space to explore, develop and, as challenging as this is for caregivers, to get it wrong. One of the most controversial elements of the new legislation was the definition of a ‘child', which affects for example the issue of consent: multiple ages would be unacceptably complex, a low age limit aimed at the interests of young people in their mid-teens might be too lax for younger children, while a high age limit might be overly restrictive for older children. In the end, a rather weak compromise was adopted at the last minute, leaving the age at 16, but with a younger age limit possible if member states so wish.
Of course, as data protection and privacy are fundamental rights, they are fundamental for all and, therefore, there is limited need to have specific protections for children. While the rights are more or less the same, implementation with specific reference to children's needs should add an important focus for any data controller or processor and, indeed, for data protection authorities. Key issues that will need to be given real-world meaning in the implementation of the Regulation include:
Information: The provision of meaningful information to adults by service providers is sometimes very unclear and unpredictable. In this context, how can information for services aimed at children (or, worse, used by, but not aimed at children) be communicated in clear language that will enable a child to make a meaningful and informed decision?
Withdrawing consent: Notwithstanding various legitimate reasons that would make a withdrawal of consent appropriate, how can the child, or how can an adult wishing to put youthful indiscretions behind himself or herself, exercise their right to remove personal data? This problem is infinitely more acute in the digital environment.
Profiling: This is probably the issue that is possibly the weakest point of the whole Regulation. Instead of directly and clearly regulating the issue of generating new personal data based on profiling, the new legislation is more than a little unclear. There are, undoubtedly, useful protections, not least the right to object to such processing of data. However, profiling which would aim to manipulate tastes or commercial demands for child-related products that does not directly profile the child as actually being a child appears to slip through the cracks somewhat.
In the two years between now and the entry into force of the Regulation, a huge amount of preparatory work needs to be done. National regulators, working in the EDPB, will seek to give meaning to the new rules and the new sanctions. New approaches are needed to understand fundamental notions such as consent as now described in the legislation, steps that could be taken to clarify the minimum data necessary in order to facilitate free and fair consent and rules around profiling, including the right to object. Simultaneously, individual Member States need to work out what they want to do with the multitude of ‘flexibilities' that the Regulation foresees (not least the definition of a ‘child'). After five years of legislative preparation, it appears that we might not be quite finished just yet.
The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of the Better Internet for Kids Portal, European Schoolnet, the European Commission or any related organisations or parties.
About the author of this article:
Joe McNamee is Executive Director of European Digital Rights (EDRi), an association of digital civil rights organisations from across Europe. He has been working on internet policy issues almost continuously since 1995 and has been with EDRi since 2009.
He holds Masters degrees in International Law and in European Politics.