Age of consent in the GDPR: mapping recent national guidance and proposals
- Eva Lievens and Ingrida Milkaité, Ghent University
In preparation for the implementation of the General Data Protection Regulation (GDPR), in a number of EU Member States national (draft) implementation acts, national consultations or guidance by Data Protection Authorities (DPAs) have been published.
One of the many aspects of the new regulation is particularly relevant for the upcoming Roundtable on the GDPR and children's rights, taking place in Brussels, Belgium on Friday, 23 June 2017. Article 8 of the GDPR contains specific requirements regarding consent for the processing of personal data of children. The general rule provides for a parental consent requirement for all youth under 16 years old when information society services are offered directly to them, and consent is the legitimation ground that is relied upon. Notably, the Member States may choose to deviate and decide to lower the age threshold to 15, 14, or 13 years.
For the moment, preliminary research into a selection of these national approaches, based on official and public documents, shows that a fragmented landscape is emerging.
Figure 1: Current provisional indications of age
chosen for parental consent across the EU
On 12 May 2017, Sweden's data protection authority published an extensive evaluation document on the recommended implementation of the new data protection standards introduced by the GDPR. It concerns national derogations that are permitted according to the GDPR, as well as the impact of the GDPR on national legislation and the changes that will have to be introduced. In terms of consent and children, the document indicates that minors who have reached the age of 13 should be allowed to consent to the processing of their personal data. For children younger than 13, parental consent would be required.
On 28 March 2017, the Ministry of Digital Affairs presented a preliminary draft of certain provisions of a new Personal Data Protection Act. It is proposed that the consent of parents or legal guardians of a child to process that child's personal data will be required for children under the age of 13.
On 2 March 2017, the Information Commissioner's Office published a public consultation on its draft GDPR consent guidance. The guidance does not specify the age for parental consent that the UK may choose, although it mentions that the UK may choose to lower the age to 13. According to the guidance, if companies choose to rely on children's consent, they will need to implement age-verification measures, and make "reasonable efforts" to verify parental responsibility for those under the relevant age.
The Spanish data protection authority (AGPD) has published several guidance documents on the implementation of the GDPR. In its publication "The GDPR in 12 questions", the AGPD explains that in Spain, the age to obtain valid consent from children is 14 and will continue to be the same when the GDPR comes into force.
The proposal for a Dutch GDPR Implementation Act that seeks to implement the GDPR was published online on 9 December 2016 for the purpose of a public consultation. This document states that there is no reason to deviate from 16 as the age for consent, this being the age that was also used in the previous Data Protection Act.
On the 28 April 2017, the Italian Privacy Authority published its first guide on GDPR application. According to the guide, the consent of minors is valid from the age of 16. Under that age, parental consent shall be obtained.
In October 2016, the Hungarian Data Protection Authority published a 12-step guide on how to get ready for the GDPR. In relation to the offer of information society services directly to a child, the guide states that where the child is under the age of 16, processing of children's data shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. However, the possibility for Member States to lower the age to 13 is mentioned in the guide.
During the forthcoming Roundtable in Brussels on 23 June 2017, a variety of stakeholders will discuss the GDPR and its impact on children's rights. One session will be dedicated to the implementation of Article 8 of the GDPR. Examples of questions that will be discussed relate to the age that will be chosen in the different Member States, the practical challenges which will arise if different ages are maintained throughout the EU, and the potential consequences for children's rights to freedom of expression and association if service providers would decide not to offer their services anymore to children under the age for parental consent.
This preliminary mapping has been drafted in the context of the project "A children's rights perspective on privacy and data protection in the digital age: a critical and forward-looking analysis of the General Data Protection Regulation and its implementation with respect to children and youth" (Ghent University, Special Research Fund). This project will monitor the implementation of the GDPR in relation to children(‘s rights) from 2017 until 2021.
- eSafety Label
On 22 September 2015, the Flemish Ministry of Education organised a conference about the eSafety Label project. Around 100 participants – ICT coordinators, teachers and experts – from across the Flemish Community came together in Brussels to learn more about the implementation of eSafety standards in school.
- BIK Coordination Team
The third edition of the Better Internet for Kids (BIK) bulletin has now been published. This quarterly bulletin aims to keep you informed of safer and better internet issues and opportunities across Europe and beyond.
- Austrian Safer Internet Centre
At present, all educators, trainers or other people who work with children and digital technologies face the same situation. Digital media's ever-evolving challenges – such as users' fast changing online behaviour as well as a constant flow of new tools, new internet technologies and new ways of online communication – raise new questions and demand new solutions. Therefore, it is essential for people engaged in Safer Internet trainings to stay up to date and constantly gain expertise in new topics. Online radicalisation and online jihadism are among the most challenging topics from recent months.