GDPR: updated state of play of the age of consent across the EU, June 2018

  • Awareness
  • 28/06/2018
  • Ingrida Milkaite and Eva Lievens, Ghent University

The General Data Protection Regulation (GDPR) came into force across the European Union on 25 May 2018. This update of the mapping of the implementation of article 8 GDPR reflects the most recent decisions that have been made in relation to the age of consent in the 28 EU Member States. In quite a number of countries, these decisions might still be subject to further changes in the coming weeks and months.

Article 8 of the General Data Protection Regulation (GDPR) contains specific requirements regarding consent for the processing of personal data of children. The general rule provides for a parental consent requirement for all youth under 16 years old in situations where information society services are offered directly to them, and consent is the legitimation ground that is relied upon.1 However, Member States may choose to deviate and decide to lower the age threshold to 15, 14, or 13 years. In preparation for the implementation of the GDPR, national (draft) implementation acts, national consultations or guidance by Data Protection Authorities (DPAs) have been published across the EU. Although still in quite some countries no final decisions have been taken, our research into national approaches, based on official and public documents, shows that the implementation of article 8 is fragmented across the EU.  

Since the last update of the mapping in May 2018, several developments occurred in Belgium, Bulgaria, France and Portugal. The final national GDPR implementation laws were adopted in Denmark, Sweden, the Netherlands and the United Kingdom. Notably, Ireland and Italy have changed their initial decisions. Norway and Switzerland, members of the European Economic Area and the European Free Trade Association respectively, have also proposed new data protection laws. 

[Please note that the most recent developments are indicated in grey]

Austria | Belgium | Bulgaria | Croatia | Cyprus | Czech Rep. | Denmark | Estonia | Finland | France | Germany | Greece | Hungary | Ireland | Italy | Latvia | Lithuania | Luxembourg | Malta | Netherlands | NorwayPoland | Portugal | Romania | Slovakia | Slovenia | Spain | Sweden | SwitzerlandUK 

Belgium

In February 2018, the Belgian Secretary of State for Privacy has proposed to set the age of consent at 13 years. Referring to the GDPR and the possibility for Member States to derogate from the set age of 16 in article 8 GDPR, the Secretary of State for Privacy stated that "digital is the new normal" and that the age of 13 for children's consent in relation to information society services corresponds to the reality of internet use by children. The Belgian Privacy Commission, the national data protection authority, has expressed its support for the decision to set 13 as the age of consent for children. According to the Privacy Commission, joining social media and other services is part of children's social development, but additional efforts to teach children from a young age about the risks of sharing information should be undertaken. As children are more vulnerable, the processing of their data should remain a point of special attention for companies that offer digital services to children. Currently, the work on the Belgian draft law on the GDPR implementation continues and still needs to be introduced in Parliament.

On 11 June 2018, the Belgian Law on the protection of individuals with regard to the processing of personal data was introduced in the Parliament. The Draft Law recommends setting the age of consent for children at 13 years and provides opinions submitted by various stakeholders (article 7). The preamble proposes the use of the (kids) e-ID card as a possible means to carry out age verification. 

Bulgaria

On 30 April 2018, a public consultation on the Draft Law on the Amendment of the Personal Data Protection Act was launched and will be closed on 14 May 2018. Article 25(c) of the Draft Law currently sets the age of digital consent for children at 14 years (see Проект на Закон за изменение и допълнение на Закона за защита на личните данни). 

Denmark

The Danish Ministry of Justice has published its Proposal for a Law on Supplementary Provisions for a Regulation on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Information. Under section 6 of the proposal the age of consent for children is set to 13 years. In July-August 2017 a public consultation concerning the proposal was conducted.

On 25 October 2017, the Minister of Justice proposed an updated Law on Supplementary Provisions to the Regulation on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Information (Data Protection Act). Section 6 of the updated proposal also deals with information society services being offered to children and their age of digital consent. Processing of children's personal data on the basis of consent in such situations is lawful if the child is at least 13 years old.

The new Danish Data Protection Act was officially adopted by the Parliament on 17 May 2018. The age of consent for children using digital services was set at 13 years (section 6). The reasoning for this decision included educational and social benefits of online services for children, their participation and inclusion in the digital world.

France

On 13 December 2017, the French Minister of Justice presented the Draft Bill on the Protection of Personal Data (Projet de loi relatif à la protection des données personnelles). The Draft Law does not provide for specific provisions dealing with the issue of parental consent, thus leaving the threshold at 16 years. The Explanatory Statement (Exposé des Motifs), accompanying the Draft Law, states that the Government has chosen not to use its margin of manoeuvre. 

On 13 December, the CNIL, the French Data Protection Authority, published its opinion on the draft law on the protection of personal data. It provided an insight into the parental consent provision and the government's decision not to derogate. In its opinion on the Draft Data Protection Bill, the CNIL stated, first of all, that it was aware of the discrepancy between this provision and the reality of the digital practices of minors. It then articulated the necessary empowerment of young people and the special protection of their personal data that is required at this time of their life, adolescence, where disclosure of their data and potential attacks on their privacy may result in negative effects in their future. In this respect and in light of all the rights of the child as recognised by the French national legislation, the CNIL stated that it had not identified any decisive factors justifying the derogation from the default threshold of 16 years as the 16-year threshold corresponded to a common threshold in many legal contexts, particularly in contractual and banking matters. The CNIL added that such a parental consent threshold may, in fact, be considered as a means of creating an opportunity for dialogue between parents and their children on how they intend to protect their personal data on the internet and the precautions that shall be taken. In terms of practical implementation of the parental consent provisions, the CNIL promoted the adoption of specific obligations, in the form of codes of conduct or certification mechanisms, and in particular, strengthened protection in terms of profiling for advertising purposes.

In its Annex to the Report (Annexe au Rapport) of 25 January 2018 the French National Assembly proposed the addition of a new article 14a, concerning the implementation of article 8 GDPR. According to this provision, a minor may consent to the processing of personal data alone with regard to the offer of information society services from the age of 15. Discussions on the age of consent for children continued in April and May 2018.  

On 21 June 2018, the French Law No 2018-493 on the protection of personal data was adopted and published in the official gazette. Article 20 provides for a revision of the article 7 of the Law n° 78-17 of 6 January 1978 and states that a minor may consent to the processing of personal data alone in respect of the direct offering of information society services from the age of 15 years.

Notably, the second part of the article introduces a joint consent stating that when the minor is under the age of fifteen, the treatment is lawful only if the consent is given jointly by the minor concerned and his or her parent(s). This is a very specific provision which is not found in other national implementation laws and it remains to be seen how exactly it will be implemented in practice.

Interestingly, the Law provides for specific age threshold for consent in the context of health-related research, studies or evaluations. Under article 59 of the revised Law, a minor, aged 15 years or older, may object to the holder of parental responsibility having access to the data concerning him or her gathered during a (medical) study, research or evaluation. In this case, the minor can receive the information and exercise his or her rights on his or her own behalf. 

Ireland

On 5 July 2017, Geoffrey Shannon, Special Rapporteur on Child Protection, addressed the Joint Oireachtas Committee on Justice and Equality during a hearing in relation to the General Scheme of Data Protection Bill 2017. He proposed that the age of consent for children should be set at 13 years. On 30 January 2018, the Irish Parliament, Houses of the Oireachtas, presented the Data Protection Bill 2018 (An Bille um Chosaint Sonraí, 2018). The Bill's part 29 on the consent of child in relation to information society services provides that the age of a child specified for the purposes of Article 8 is 13 years of age.

Preceding this decision, in November 2017, the Joint Committee on Justice and Equality of the Houses of the Oireachtas released a Report on pre-legislative scrutiny of the General Scheme of the Data Protection Bill 2017. This report includes arguments presented to the Committee by various stakeholders (Geoffrey Shannon, Special Rapporteur on Child Protection, among others) and specifies many important aspects that need to be taken into account when implementing the GDPR provisions with regard to the protection of children. The Committee acknowledged the fact that the evidence submitted before it by children's rights organisations and their advocates indicated they all agreed that the age of consent of children should be set at 13 years. In this sense, the Committee reiterated that it ‘would help to ensure that children can practically enforce their rights such as, the right to participate in matters concerning him or her, right to be heard, right to express themselves freely and the right to access information need to be exercised effectively by children'. Finally, in addition to recommending setting the age of consent at 13 years, the Committee also recommended that the age of consent is ‘reviewed at appropriate intervals to ensure it remains suitable as technology evolves'. Moreover, the Committee also decided to recommend that ‘a detailed consultation take place with children of all ages to ascertain their views on the proposed measures for data protection' and to include the definition of a child in the proposed legislation adopting the one set in article 1 of the UNCRC stating that a child is every human being below 18 years. Crucially, in the context of the relationship between data protection and digital safety, the Committee also recommended ‘that a policy framework and an associated educational programme be implemented to assist children in exercising their digital rights before they reach the digital age of consent'.

However, in the end of April 2018, news emerged suggesting that the main opposition parties in Ireland are trying to raise the age of digital consent for children to 16 years in an attempt to strengthen children's online safety. Politicians stated that they are planning to prepare "an amendment to the Data Protection Bill at committee stage in order to amend the age of digital consent from 13 to 16 years". Their reasoning is related to stronger protection of children's data, especially in the context of profiling and commercial targeting and decisions taken by other European countries, such as the Netherlands and Germany.

On 24 May 2018, the Irish Data Protection Act was signed into law by the President and was enacted. Section 31 of the Law sets the age of consent of children in relation to information society services at 16 years. Part 3 of the provision also requires that the Minister shall review the operation of the section no later than 3 years after the coming into force of the Act. Notably, section 32 of the Law requires the drawing up of codes of conduct with regard to the protection of children, the information to be provided by a controller to children, the manner in which the consent of the holders of parental responsibility over a child is to be obtained for the purposes of Article 8, integrating the necessary safeguards into processing in order to protect the rights of children in an age-appropriate manner for the purpose of Article 25 and the processing of the personal data of children for the purposes of direct marketing and creating personality and user profiles. The final decision of the Irish Parliament might have significant effects since many globally operating platforms, (currently) allowing children to join their services from 13 years onwards, have their main EU establishment in Ireland.

Also, section 30 of the Irish Data Protection Act introduces a specific rule on micro-targeting and profiling of children – "it shall be an offence under this Act for any company or corporate body to process the personal data of a child […] for the purposes of direct marketing, profiling or micro-targeting. Such an offence shall be punishable by an administrative fine […]."

Italy

On 6 November 2017, the Law No 163 on the Delegation to the Government for the Implementation of European Law was published in the Official Journal No 259. The Law contains the delegation to the Government to prepare, within 12 months, legislative decrees on the implementation of, among other legislation, the GDPR.

On 21 March 2018, the Council of Ministers approved a preliminary legislative decree which adapted the national legislation to the GDPR. Article 6 of the decree set the age of digital consent for children at 14 years. Notably, article 2 of the updated and final version of the decree provides that the processing of children's personal data shall be lawful where the child is at least 16 years old

Portugal

In the end of March 2018, the draft law implementing the GDPR in Portugal was approved by the Council of Ministers. A press release from the Presidency of the Council of Ministers included the decision to set the age of digital consent for children at 13 years. 

The draft law implementing the GDPR in Portugal (Proposta de Lei n.o 120/XIII) was officially published in April 2018. Article 16 of the draft law provides for 13 years as the age of consent for children. The second part of article 16 specifies that in cases when a child is younger than 13 years, parental consent must be obtained. The draft law also specifies two possible methods of parental authentication – the law states that parents should preferably use secure means of authentication, such as the Citizen's Card or the Digital Mobile Key.

The draft law also explains as to why the age of 13 was chosen as the child age of consent for digital services. The age of 13 is considered appropriate and in line with the choices made in other Member States of the EU and also corresponds with the age required by the terms and conditions of many translational digital services and platforms (Statement of reasons, Exposição de Motivos, page 5). The draft law has not yet been adopted by the Portuguese legislator. 

Sweden

On 12 May 2017 Sweden's data protection authority published an extensive evaluation document on the recommended implementation of the new data protection standards introduced by the GDPR. It concerns national derogations that are permitted according to the GDPR, as well as the impact of the GDPR on national legislation and the changes that will have to be introduced. In terms of consent and children, the document indicates that minors who have reached the age of 13 should be allowed to consent to the processing of their personal data. For children younger than 13, parental consent would be required.

On 18 April 2018, the Swedish Parliament (Riksdag) adopted the new Swedish Data Protection Act, setting the age of consent for children at 13 years

The Netherlands

The proposal for a Dutch GDPR Implementation Act that sought to implement the GDPR was published online on 9 December 2016 for the purpose of a public consultation. This document stated that there is no reason to deviate from 16 as the age for consent, this being the age that was also used in the previous Data Protection Act. The Dutch Data Protection Authority has confirmed afterwards that in all probability there would be no derogation from the age of 16 in the Netherlands.

new proposal for a law laying down the rules implementing the GDPR was published on 13 December 2017. Article 5 of this proposal clarified that if article 8 GDPR was not applicable, the age of consent for children would be 16 years. The Explanatory Memorandum accompanying the proposal stated that the age of 16 was already introduced in the Dutch Personal Data Protection Act and there was no reason to make a different assessment. For this reason, no lower age limit was included in the Implementation Act. 

The final GDPR implementation act was published in the Official Journal of the Kingdom of the Netherlands on 22 May 2018. Article 5 of the implementation act sets the child age of consent for the use of digital services at 16 years.

United Kingdom

On 7 August 2017 the Department for Digital, Culture Media & Sport published its statement of intent on a new Data Protection Bill. The document addresses the issue of the age of consent specifically, stating that the planned legislation will allow a child aged 13 years or older to consent to their personal data being processed. In September 2017, the UK Data Protection Bill was published and officially set the age of consent for children at 13 years (article 8). Since then, the UK Information Commissioner's Office published draft Guidance on Children and the GDPR. The Bill was also discussed by the House of Lords. They have proposed to impose an obligation on the ICO to prepare a code of practice which contains such guidance as the Commissioner considers appropriate on standards of age-appropriate design of relevant information society services which are likely to be accessed by children. During subsequent discussions in the House of Commons, this amendment was supported as well.

The final UK Data Protection Act 2018 was adopted (received royal assent) on 23 May 2018. Section 9 of the UK Data Protection Act sets the age of child consent with regard to information society services at 13 years. According to the Explanatory Notes on the Act, this decision is "in line with the minimum age set as a matter of contract by some of the most popular information society services which currently offer services to children (e.g. Facebook, WhatsApp, Instagram)." Moreover, the explanatory note also provides that "as long as a child is capable of understanding the processing to which they are consenting and is capable of making a free and informed decision, then it is considered that the child is capable of consenting to any processing of personal data."

Section 123 imposes on the Information Commissioner's Office to prepare a code of practice which contains such guidance as the Commissioner considers appropriate on standards of age-appropriate design (i.e. design of services so that they are appropriate for use by, and meet the development needs of, children) of relevant information society services which are likely to be accessed by children. Views of children, parents, persons who appear to the Commissioner to represent the interests of children, child development experts, and trade associations must be taken into account while preparing this code. Interestingly, the section explicitly mentions that regard must be had to the fact that children have different needs at different ages, and to the United Kingdom's obligations under the United Nations Convention on the Rights of the Child.

Additionally, section 208 of the UK Data Protection Act 2018 provides information on the treatment of children in Scotland. The first parts of the section entail some explanation as to the legal capacity of a child and state that a child who is under 16 may exercise rights conferred to him or her by data protection regulation and give consent to data processing. According to part 3 of this section, "a person aged 12 or over is to be presumed to be of sufficient age and maturity to have such understanding, unless the contrary is shown." According to part 2 of section 208, "the person is to be taken to have that capacity where the person has a general understanding of what it means to exercise the right or give such consent".

Figure 1: Current provisional indications of age of consent across the EU

Austria

On 5 July 2017, the Austrian Parliament officially adopted the DatenschutzAnpassungsgesetz 2018 implementing the GDPR into the national legislation. The age of consent for children has been set at 14 years.

Croatia

The Proposal for the Law on the Implementation of the General Data Protection Regulation has been published for consultation. The proposed law does not refer to Article 8 GDPR and does not mention children in the context of digital consent suggesting that Croatia is either in the process of choosing the age of 16 or will add this provision at a later legislative stage.

During the public consultation, two comments which specifically address children's consent with regard to information society services being offered directly to children, were made. First, AmCham Croatia, the American Chamber of Commerce in Croatia, representing the business interests of American, international and Croatian companies, proposed to include the age of 15 as the age threshold for consent for children in Croatia. Second, Google considered the Draft Proposal for the Implementation of the GDPR inadequate with regard to the undefined age of consent for children using information society services and proposed to set the age threshold at 13 years. Google stated that such a decision is supported by industry as well as numerous experts, non-governmental organisations and international organisations (including UNICEF) advocating for the safety and welfare of children in the online world. According to Google, setting the age limit to 13 years would be in line with numerous international and national acts, including the 1998 US Children's Online Privacy Protection Act (COPPA). Google also made a reference to Article 17 of the UN Convention on the Rights of the Child which states that "children are entitled to information that is important to their health and well-being". Furthermore, Google claimed that setting the age limit for consent at 16 instead of 13 would have a negative impact on the development of teenagers, as young people would thus be denied essential social and educational opportunities. Moreover, for children of less digitally literate families, an additional parental consent requirement could hinder their access to online services altogether. In addition, some teenagers require their own right to privacy without parental or guardian involvement, and, as Google states, it is unquestionable that everyone wants a degree of privacy from their parents. Finally, Google reminded the Croatian policy makers that the original version of article 8 GDPR, initially proposed by the European Commission, stipulated that the age of consent for the use of information society services would be 13 years. Google added that many EU Member States also highlight the problems mentioned above and have the age of consent for the implementation of article 8 GDPR at 13 years.

Cyprus

In the beginning of April 2018, in the framework of a public consultation, the Draft Act on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data was published. Article 6 of the consultation document (see Νομοσχέδιο Κανονισμός τελικό διαβούλευση.doc) sets the age of consent when information society services are offered directly to children at 14 years. The consultation closed on 27 April 2018.

Czech Republic

One of the previous updates described how on 18 August 2017, a Draft law on the processing of personal data replacing the Act No. 101/2000 on the protection of personal data was published by the Ministry of Interior of the Czech Republic. According to article 6 of this proposal, the consent to the processing of personal data in connection with the provision of information society services directly to a child under the age of 13 is valid only if it is expressed or approved by his or her legal representative. The explanatory note on the draft law (Důvodová zpráva) provided some insight as to the reasons behind this proposal. First, a reference is made to the initial Commission proposal for the GDPR and the US Children's Online Privacy Protection Act, both setting the age of consent at 13 years. The explanatory note also refers to risks to youth in the context of information technologies and states that the processing of personal data in the context of information society services is not the same type of risk activity compared to other activities requiring parental consent under Czech law. The Czech law regarding driving licences is provided as an example which concerns teenagers of 15, 16 or 17 years. It is stated that driving a motor vehicle is an activity that the driver typically carries out independently and personally, which cannot be interfered with, and which is more difficult and risky in nature. Crucially, the document also explains that the reality of minors commonly using mobile phones and sending text messages should not be ignored. Therefore, limiting, for example, email services, social networks, or similar methods of communication, may be inappropriate. According to the document, a better way of addressing the risks associated with the use of information and communication technologies by children may be education and regular interest of educated parents.

However, on 21 March 2018, the Czech Government adopted a revised Draft Law on the Processing of Personal Data (Zákon o zpracování osobních údajů; see Materiál in the section Přílohy). Compared to the original proposal, the age of consent threshold for children increased from 13 years to 15 years. Article 7 of the revised Draft Law states that a child acquires the ability to grant consent to the processing of personal data in connection with the provision of information society services offered directly to him or her at the age of 15. The revised Draft Law has not yet been approved by the Parliament and the Senate. No explanatory documents seem to have been published together with the revised Draft Law.

Estonia

On 4 December 2017, the Director General of the Data Protection Inspectorate of Estonia stated that although the Ministry of Justice provided for the age limit of 14 years in the draft implementing law, the age limit needed to be reduced to 13 years as the same age is used by all major service providers, such as Google, Facebook, etc., which have so far been governed by US law and there is no reason to believe that young Europeans should differ from American youth in terms of access to different services. On 12 April 2018, the Draft Bill on the Protection of Personal Data was discussed by the Government of the Republic of Estonia which approved it. The draft was submitted to the Parliament (Riigikogu), the documents and procedure concerning the draft are available on the Riigikogu's website and the Estonian Data Protection Authority website. On 16 April 2018, the Draft Law on Personal Data Protection was published. Article 8 of the draft law (Eelnõu docx) regulates the processing of children's personal data for the provision of information society services and provides for 13 years as the digital age of consent for children.

The explanatory note of the draft law (Seletuskiri docx) refers to recital 38 GDPR stressing the need for specific protection for children, recital 58 stating that all information should be provided in a clear and simple language that is easily understood by a child and, finally, explains that the 13 year limit for children's digital consent was supported by various parties.

Finland

On 21 June 2017 the national GDPR implementation working group appointed by the Ministry of Justice published its report on GDPR implementation. No final decision was made in relation to the age of consent, but the report proposed lowering the age threshold to either 13 or 15 years. The draft implementation act has opted for the age of 13. This choice was based on the opinions received during the preparation of the proposal which highlighted the importance of the internet for young people and which advocated for a lower age limit. The act still needs to be adopted.

Germany

On 27 April 2017, the German Parliament adopted the draft law on the Federal Data Protection Act amendment which would implement the GDPR. The draft law has been approved by the German Federal Council and will become applicable on 25 May 2018. The initial draft law can be found here and its adopted amendments are available here. The choice not to derogate means that the threshold of 16 years will be applicable. In August 2017, the German Ministry of Interior published the English translation of the new Federal Data Protection Act.

Greece

The public consultation on the adoption of legislative measures for the application of the GDPR was opened on 20 February 2018 and was successfully concluded on 5 March 2018. The Greek Ministry of Justice has subsequently published the Draft Law on the Protection of Personal Data (Νόμοσ για την Προςταςύα Δεδομϋνων Προςωπικού Φαρακτόρα). Article 6 of the Draft Law sets the age of consent for children at 15 years. According to the article, in relation to information society services being directly offered to a child, the processing of personal data of a child, when based on consent, shall be lawful where the child who provides consent has reached the age of 15 years. Where the child is below the age of 15 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

Hungary

In October 2016, the Hungarian Data Protection Authority published a 12-step guide on how to get ready for the GDPR. In relation to the offer of information society services directly to a child, the guide states that where the child is under the age of 16, processing of children's data shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. However, the possibility for Member States to lower the age to 13 is mentioned in the guide.

In the end of August 2017, the draft law on the amendment of the Hungarian Data Protection Act (Act CXII of 2011 on the right to information self-determination and freedom of information) and other relevant laws related to the GDPR were proposed and opened for public consultation. As there is no reference to the digital age of consent for children in the context of information society services being offered directly to them in the proposal, the age of consent would be set at 16 years.

Latvia

At the end of September 2017, the Latvian Ministry of Justice published the Latvian Draft Law on Personal Data Processing (Likumprojekts. Personas datu apstrādes likums). Article 43 of the Draft Law sets the conditions for the consent of the child in relation to information society services. According to this provision, pursuant to article 8 GDPR, when information society services are offered directly to the child, the consent of the child constitutes the legal basis for his or her data processing if the child is at least 13 years old. If the child is younger than 13 years, parental consent shall be obtained.

Lithuania

On 15 June 2017, the official draft Law on Legal Protection of Personal Data prepared by the Ministry of Justice and the State Data Protection Inspectorate was published. The draft law mostly focuses on the procedural issues and legal powers of the data protection authority and does not mention the issue of the age of consent, thus, unless other legislative action is taken, setting it at 16 years.

Luxembourg

On 12 September 2017 the draft law establishing the National Commission for Data Protection and implementing the GDPR was published in Luxembourg. The draft law does not address the issue of parental consent, therefore, setting it at 16 years old.

Malta

On 27 April 2018, the Maltese Data Protection Act 2018 (Bill No. 40) was published in the Supplement to the Government Gazette. According to article 1(2) of the Act, different parts of the law may come into force on different dates, depending on when the Minister responsible for data protection prescribes specific regulation on different aspects of the Act. Article 33 explains that the Minister may prescribe regulations concerning, among other matters, "the establishment of a lower age than sixteen years where the processing of the personal data of a child shall be deemed to be lawful in the absence of consent by the holder of parental responsibility over the child". Until the Minister decides to lower the age of digital consent for children, it appears that the general GDPR threshold of 16 years will apply. 

Poland

On 28 March 2017 the Ministry of Digital Affairs presented a preliminary draft of certain provisions of a new Personal Data Protection Act. It was proposed that the consent of parents or legal guardians of a child to process that child's personal data will be required for children under the age of 13. On 14 September 2017, an updated Draft Personal Data Protection Act was published which kept the age of consent at 13 years.

An introduction to the draft law on the protection of personal data which is published together with the draft law, explains that the age of 13 was chosen due to similar age threshold provided by the Polish Civil Code (article 15) which states that a person who has reached the age of 13 has limited legal capacity and can therefore conclude ‘minor contracts of daily life'. In this context, the document explains that it is also justified to accept the age of 13 for the effective expression of consent by the child for the processing of personal data relating to him or her as there is no reason to assume that a person who can manage his or her earnings and conclude minor contracts is not entitled to consent to the processing of his or her personal data in accordance with the provisions of the GDPR also bearing in mind that consent may be withdrawn at any time.

Romania

On 5 September 2017, the Romanian Ministry for Internal Affairs published a Draft Law for Amending and Completing the Law no. 102/2005 Regarding the Establishment, Organization and the Functioning of the National Supervisory Authority for Personal Data Processing, as well as for the repeal of Law no. 677/2001 for the Protection of People with Regard to the Processing of Personal Data and the Free Movement of Such Data. On 14 March 2018, the proposal was submitted to the Senate. The Draft Law mainly regulates the organisation and functioning of the national data protection authority and does not mention any derogations in terms of article 8 GDPR. Due to the current apparent lack of a specific legislative provision, the digital age of consent in Romania seems to be maintained at 16 years.

Slovakia

The proposed Law on the Protection of Personal Data and on Amendments to Certain Acts (Zákon o ochrane osobných údajov a o zmene a doplnení niektorých zákonov) has been published in Slovakia. Currently, this Draft Law is being negotiated by the National Council of the Slovak Republic. Article 15 of the Draft Law provides that personal data may be processed by operators in the context of the provision of information society services in cases where the data subject has reached the age of 16 years. The Explanatory Statement accompanying the Draft Law (Dôvodová Správa) explains that children deserve special protection of their personal data as they are less aware of the risks and consequences associated with the processing of their personal data, especially when their data is obtained through a publicly accessible internet network. 

On 30 January 2018, the new Slovakian Data Protection Law (no. 18/2018 Coll.) was published. The age of digital consent for children was left at 16 years and the law will become applicable on the 25 May 2018.

Slovenia

In January 2018, a draft of the new Personal Data Protection Act was published for a second round of public consultation which was closed on 2 February 2018. Article 11 of the Draft Law regulates the conditions applicable to the consent of the child in relation to the use of information society services and specifies that the age of digital consent for children is set at 15 years. The explanatory part of the Draft Law makes a reference (on page 90) to the US COPPA and specifies that the age of 15 was chosen with regard to the systematic guidance of the Slovenian Family Code, according to which a 15-year-old child can take legal action on his or her own, unless the law provides otherwise. 

Spain

Previously, in its publication "The GDPR in 12 questions" the Spanish Data Protection Agency explained that the age to obtain valid consent from children in Spain was 14 years and would continue to be the same when the GDPR would come into force.

However, in June 2017, the Draft Law for the Protection of Personal Data was published by the Spanish Ministry of Justice and was passed by the Council of Ministers in November 2017. Article 7 of the Draft Law refers to the consent of minors and sets the age of digital consent for children at 13 years. The document evaluating the impact of the proposed draft law (pages 47-49) explains, in section G, that the Draft Law has a positive impact on childhood since it provides for greater possibilities for development and participation in society for young people. Moreover, it is stated that restrictions on the access to the Internet and its services could lower children's possibilities of development and obtaining capacities and skills needed to face the challenges of digital life. References to the child's right to be heard, the promotion of children's maturity and autonomy, practical difficulties concerning age verification, especially bearing in mind the need for location tracking of children in those instances, are also made in the document.

Norway (Member of the European Economic Area)

In July 2017, the consultation paper for the new Draft Personal Data Act implementing the GDPR in Norway was published. Section 8 of the consultation paper set the age of consent for children at 13 years (section 32 Behandling av barns pers onopplysninger). The paper also rather thoroughly explained the main principles applicable to the treatment of children's personal data, such as children having the same rights as adults and the importance of the principle of the best interest of the child (pages 112-116). The paper also stressed that the GDPR does not define a child and thus referred to the UN Convention on the Rights of the Child, according to which all persons under the age of 18 are considered children. The consultation paper also included a lengthy discussion on the age of maturity of children and detailed the opinions of different actors involved.

In May 2018, the Storting (Norwegian Parliament) approved the new Personal Data Act which implements the GDPR in Norway. The Law, the draft of which was initially proposed by the Norwegian Ministry of Justice and Public security, states that the age of consent for digital services should be 13 years (article 5). The Norwegian policymakers have provided extensive attention to the regulation of the age of consent of children (pages 95-100). In particular, the policymakers mention the fact that children and adults have the same rights, the best interest of the child shall be respected and that children merit specific protection with regard to their data processing. Section 13.4.2 provides the insights by different consultation bodies, some of them arguing that setting the age of consent at 13 would not protect children enough, while other bodies stressed the need for respect for the child's right to self-determination, child's right to information and freedom of expression.

Switzerland (Member of the European Free Trade Association)

In September 2017, the Preliminary Draft of the Federal Act on Data Protection and the amendment of further decrees on data protection was published by the Federal Council. The press release of the Federal Council stressed the need for improved data protection and strengthening business opportunities. The draft law does not mention children or their age of consent to digital services, thus, setting it at the age of 16 years

***

 

This preliminary mapping has been drafted in the context of the project "A children's rights perspective on privacy and data protection in the digital age: a critical and forward-looking analysis of the General Data Protection Regulation and its implementation with respect to children and youth" (Ghent University, Special Research Fund). This project will monitor the implementation of the GDPR in relation to children(‘s rights) from 2017 until 2021.

If you have any information about the implementation of Article 8 in your Member State, please send it to gdpr-roundtable@eun.org or
e.lievens@ugent.be
The authors wish to express their sincere thanks to everyone who has provided them with information so far.

This is the updated version of the article first published on 19 June 2017 which was further updated on 10 July 2017, 16 August 2017, 12 October 2017, 8 February 2018, 16 April 2018 and 25 May 2018. 

1 Please note that other legitimation grounds can also be used by data controllers (article 6 GDPR). For more information, see the Report on the Roundtable on the GDPR and children's rights.


Related news

Cyber Chronix, a new game from the JRC to better understand the GDPR

Friday, 25 May 2018 marked a turning point in Europe in terms of data protection thanks to the GDPR (General Data Protection Regulation) which came into force precisely one week ago. The GDPR, however, is a very complex set of regulations leaving many a company and professional confused. When it comes to children and youth in particular, it is even more important that they know their rights under the new legislation, in order to be in control of their personal data.

GDPR is coming, but what does it mean to my school?

  • Awareness
  • 24/05/2018
  • UK Safer Internet Centre

With the imminent introduction of the General Data Protection Regulation, which comes into force across Europe on Friday, 25 May 2018, many are struggling to understand what this means in practice. Here, Will Earp, Digital Experience Manager at the South West Grid for Learning (one of the partner organisations in the UK Safer Internet Centre (SIC)), takes a look at particular considerations for schools.

Privacy policy updated by world+dog, GDPR?

  • Awareness
  • 24/05/2018
  • UK Safer Internet Centre

With the imminent introduction of the General Data Protection Regulation, which comes into force across Europe on Friday, 25 May 2018, many are struggling to understand what this means in practice. Here, Will Earp, Digital Experience Manager at the South West Grid for Learning (one of the partner organisations in the UK Safer Internet Centre (SIC)), takes a look at the rush for many online service providers to update their privacy policies.

Children and the GDPR

There has been a great deal of discussion recently about the EU General Data Protection Regulation (GDPR) and particularly around the impact on children and young people. The Information Commissioner's Office in the UK has recently launched a consultation document which provides more detailed guidance for (UK) organisations who are processing personal data under the GDPR.

Insafe network meets to discuss effective campaigning and the GDPR

Today, the Insafe network of Safer Internet Centres (SICs) begins a two-day training meeting in Berlin, Germany. The meeting aims to facilitate experience and good-practice sharing across the network on a range of topical eSafety issues, while continuing to enhance the collaborative learning community that has developed within Insafe. Open Space Technology will be used during the meeting as a method of encouraging interaction and debate.

Latest BIK bulletin - Positive online content, GDPR and post-summer roundup

In each edition of the BIK bulletin, we look at a topical issue - our main focus this month is on positive online content as we introduce our new campaign and reflect on the importance of being aware of what constitutes positive content for a wide range of stakeholders.

Roundtable on the GDPR and children's rights

From May 2018, the General Data Protection Regulation (GDPR) will take effect in EU Member States. The GDPR aims to strengthen, simplify and harmonise data protection regimes across Europe, giving individuals control over how their data are processed. It explicitly acknowledges that children merit specific protection.