Age of consent in the GDPR: mapping recent national guidance and proposals

  • Awareness
  • 19/06/2017
  • Eva Lievens and Ingrida Milkaité, Ghent University

In preparation for the implementation of the General Data Protection Regulation (GDPR), in a number of EU Member States national (draft) implementation acts, national consultations or guidance by Data Protection Authorities (DPAs) have been published.

Please note - an updated version of this article is available here. This previous version is preserved to allow readers to track developments should they so wish.

One of the many aspects of the new regulation is particularly relevant for the upcoming Roundtable on the GDPR and children's rights, taking place in Brussels, Belgium on Friday, 23 June 2017. Article 8 of the GDPR contains specific requirements regarding consent for the processing of personal data of children. The general rule provides for a parental consent requirement for all youth under 16 years old when information society services are offered directly to them, and consent is the legitimation ground that is relied upon. Notably, the Member States may choose to deviate and decide to lower the age threshold to 15, 14, or 13 years.

For the moment, preliminary research into a selection of these national approaches, based on official and public documents, shows that a fragmented landscape is emerging.

Figure 1: Current provisional indications of age
chosen for parental consent across the EU

Sweden
On 12 May 2017, Sweden's data protection authority published an extensive evaluation document on the recommended implementation of the new data protection standards introduced by the GDPR. It concerns national derogations that are permitted according to the GDPR, as well as the impact of the GDPR on national legislation and the changes that will have to be introduced. In terms of consent and children, the document indicates that minors who have reached the age of 13 should be allowed to consent to the processing of their personal data. For children younger than 13, parental consent would be required.

Poland
On 28 March 2017, the Ministry of Digital Affairs presented a preliminary draft of certain provisions of a new Personal Data Protection Act. It is proposed that the consent of parents or legal guardians of a child to process that child's personal data will be required for children under the age of 13.

United Kingdom
On 2 March 2017, the Information Commissioner's Office published a public consultation on its draft GDPR consent guidance. The guidance does not specify the age for parental consent that the UK may choose, although it mentions that the UK may choose to lower the age to 13. According to the guidance, if companies choose to rely on children's consent, they will need to implement age-verification measures, and make "reasonable efforts" to verify parental responsibility for those under the relevant age.

Spain
The Spanish data protection authority (AGPD) has published several guidance documents on the implementation of the GDPR. In its publication "The GDPR in 12 questions", the AGPD explains that in Spain, the age to obtain valid consent from children is 14 and will continue to be the same when the GDPR comes into force.

The Netherlands
The proposal for a Dutch GDPR Implementation Act that seeks to implement the GDPR was published online on 9 December 2016 for the purpose of a public consultation. This document states that there is no reason to deviate from 16 as the age for consent, this being the age that was also used in the previous Data Protection Act.

Italy
On the 28 April 2017, the Italian Privacy Authority published its first guide on GDPR application. According to the guide, the consent of minors is valid from the age of 16. Under that age, parental consent shall be obtained.

Hungary
In October 2016, the Hungarian Data Protection Authority published a 12-step guide on how to get ready for the GDPR. In relation to the offer of information society services directly to a child, the guide states that where the child is under the age of 16, processing of children's data shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. However, the possibility for Member States to lower the age to 13 is mentioned in the guide.

During the forthcoming Roundtable in Brussels on 23 June 2017, a variety of stakeholders will discuss the GDPR and its impact on children's rights. One session will be dedicated to the implementation of Article 8 of the GDPR. Examples of questions that will be discussed relate to the age that will be chosen in the different Member States, the practical challenges which will arise if different ages are maintained throughout the EU, and the potential consequences for children's rights to freedom of expression and association if service providers would decide not to offer their services anymore to children under the age for parental consent.

This preliminary mapping has been drafted in the context of the project "A children's rights perspective on privacy and data protection in the digital age: a critical and forward-looking analysis of the General Data Protection Regulation and its implementation with respect to children and youth" (Ghent University, Special Research Fund). This project will monitor the implementation of the GDPR in relation to children(‘s rights) from 2017 until 2021.

If you have any information about the implementation of Article 8 in your Member State, please do not hesitate to send information to gdpr-roundtable@eun.org or e.lievens@ugent.be.

***

Please note - an updated version of this article is available here. This previous version is preserved to allow readers to track developments should they so wish.


Related news

Age of consent in the GDPR: updated mapping of recent national guidance and proposals

  • Awareness
  • 16/08/2017
  • Eva Lievens and Ingrida Milkaité, Ghent University

Article 8 of the General Data Protection Regulation (GDPR) contains specific requirements regarding consent for the processing of personal data of children.

Report from the Roundtable on the General Data Protection Regulation and children's rights

The General Data Protection Regulation (GDPR) Roundtable on children's rights, organised by European Schoolnet, KU Leuven and the University of Ghent, took place on 23 June 2017. On the occasion, legislators, data protection authorities (DPAs), industry and education representatives, stakeholders and civil society gathered in Brussels to discuss the challenges of the GDPR, which will come into effect in the EU in May 2018.

Roundtable meets to discuss the GDPR

On Friday, 23 June 2017, legislators, Data Protection Authorities (DPAs), industry, education stakeholders and civil society representatives from across Europe met in Brussels, Belgium, to discuss the General Data Protection Regulation (GDPR) with a particular focus on its implications for children's rights.

Roundtable on the GDPR and children's rights

From May 2018, the General Data Protection Regulation (GDPR) will take effect in EU Member States. The GDPR aims to strengthen, simplify and harmonise data protection regimes across Europe, giving individuals control over how their data are processed. It explicitly acknowledges that children merit specific protection.