Age of consent in the GDPR: updated mapping
- Eva Lievens and Ingrida Milkaité, Ghent University
Article 8 of the General Data Protection Regulation (GDPR) contains specific requirements regarding consent for the processing of personal data of children.
The general rule provides for a parental consent requirement for all youth under 16 years old in situations where information society services are offered directly to them, and consent is the legitimation ground that is relied upon1. However, Member States may choose to deviate and decide to lower the age threshold to 15, 14, or 13 years. In preparation for the implementation of the GDPR, national (draft) implementation acts, national consultations or guidance by Data Protection Authorities (DPAs) have been published across the EU. Although in many countries no final decisions have been taken, preliminary research into a selection of national approaches, based on official and public documents, shows that a fragmented landscape is gradually emerging.
Since the publication of an initial article in June 2017, its update in July and the Roundtable on the GDPR and children's rights, new developments have occurred. In particular, recent amendments of the regulatory mapping now concern not only Austria, Ireland and Spain but also Finland, Germany, Lithuania and the United Kingdom.
On 5 July 2017, the Austrian Parliament adopted the Datenschutz-Anpassungsgesetz 2018. The age of consent for children has been set at 14 years.
On 21 June 2017 the national GDPR implementation working group appointed by the Ministry of Justice published its report on GDPR implementation. No final decision has been made in relation to the age of consent, but the report proposes lowering the age threshold to either 13 or 15 years. The final decision is expected to depend on the policy choice made in other Member States (especially the Nordic countries).
On 27 April 2017 the German Parliament adopted the draft law on the Federal Data Protection Act amendment which would implement the GDPR. Since then, the draft law has been approved by the German Federal Council. The initial draft law can be found here and its amendments are available here. By opting not to derogate, the threshold of 16 years will be applicable.
On 5 July 2017, Geoffrey Shannon, Special Rapporteur on Child Protection, addressed the Joint Oireachtas Committee on Justice and Equality during a hearing in relation to the "General Scheme of Data Protection Bill 2017". He proposed that the age of consent for children should be set at 13 years. It has been reported that on 26 July 2017 the Cabinet officially decided to set the threshold for consent at 13 years.
On 15 June 2017 the official draft Law on Legal Protection of Personal Data prepared by the Ministry of Justice and the State Data Protection Inspectorate was published. The draft law mostly focuses on the procedural issues and legal powers of the data protection authority and does not mention the issue of the age of consent, thus, unless other legislative action is taken, setting it at 16 years.
On 7 August 2017 the Department for Digital, Culture Media & Sport published its statement of intent on a new Data Protection Bill. The document addresses the issue of the age of consent specifically, stating that the planned legislation will allow a child aged 13 years or older to consent to their personal data being processed.
Figure 1: Current provisional indications of age of consent across the EU
In October 2016, the Hungarian Data Protection Authority published a 12-step guide on how to get ready for the GDPR. In relation to the offer of information society services directly to a child, the guide states that where the child is under the age of 16, processing of children's data shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. However, the possibility for Member States to lower the age to 13 is mentioned in the guide.
The proposal for a Dutch GDPR Implementation Act that seeks to implement the GDPR was published online on 9 December 2016 for the purpose of a public consultation. This document states that there is no reason to deviate from 16 as the age for consent, this being the age that was also used in the previous Data Protection Act. The Dutch Data Protection Authority has since then confirmed that in all probability there will be no derogation from the age of 16 in the Netherlands.
On 28 March 2017, the Ministry of Digital Affairs presented a preliminary draft of certain provisions of a new Personal Data Protection Act. It is proposed that the consent of parents or legal guardians of a child to process that child's personal data will be required for children under the age of 13.
Previously, in its publication "The GDPR in 12 questions" the Spanish Data Protection Agency explained that the age to obtain valid consent from children in Spain was 14 years and would continue to be the same when the GDPR would come into force. However, since then, a preliminary draft Law on Data Protection was presented to the Council of Ministers at the end of June 2017. This draft law lowers the age of consent to 13 years.
On 12 May 2017, Sweden's data protection authority published an extensive evaluation document on the recommended implementation of the new data protection standards introduced by the GDPR. It concerns national derogations that are permitted according to the GDPR, as well as the impact of the GDPR on national legislation and the changes that will have to be introduced. In terms of consent and children, the document indicates that minors who have reached the age of 13 should be allowed to consent to the processing of their personal data. For children younger than 13, parental consent would be required.
This preliminary mapping has been drafted in the context of the project "A children's rights perspective on privacy and data protection in the digital age: a critical and forward-looking analysis of the General Data Protection Regulation and its implementation with respect to children and youth" (Ghent University, Special Research Fund). This project will monitor the implementation of the GDPR in relation to children(‘s rights) from 2017 until 2021.
This is the updated version of the article published on 19 June 2017 and has been further updated on 10 July 2017 and 16 August 2017. The latest updates include Austria, Finland, Germany, Ireland, Lithuania and the United Kingdom.
1 Please note that other legitimation grounds can also be used by data controllers (article 6 GDPR). For more information, see the Report on the Roundtable on the GDPR and children's rights.
- CAHENF (Council of Europe Committee for the Rights of the Child)
In accordance with its terms of reference, and in line with the Council of Europe Strategy for the Rights of the Child (2016-2021), the Ad Hoc Committee for the Rights of the Child (CAHENF) is elaborating guidelines for member States to promote, protect and fulfil children's rights in the digital environment, with the support of its drafting group (CAHENF-IT). The elaboration of the draft legal instrument started in 2016 and is expected to be completed by November 2017.
- Eva Lievens and Ingrida Milkaité, Ghent University
In preparation for the implementation of the General Data Protection Regulation (GDPR), in a number of EU Member States national (draft) implementation acts, national consultations or guidance by Data Protection Authorities (DPAs) have been published.