Age of consent in the GDPR: updated mapping
- Eva Lievens and Ingrida Milkaité, Ghent University
Article 8 of the General Data Protection Regulation (GDPR) contains specific requirements regarding consent for the processing of personal data of children.
The general rule provides for a parental consent requirement for all youth under 16 years old in situations where information society services are offered directly to them, and consent is the legitimation ground that is relied upon1. However, Member States may choose to deviate and decide to lower the age threshold to 15, 14, or 13 years. In preparation for the implementation of the GDPR, national (draft) implementation acts, national consultations or guidance by Data Protection Authorities (DPAs) have been published across the EU. Although in many countries no final decisions have been taken, preliminary research into a selection of national approaches, based on official and public documents, shows that a fragmented landscape is gradually emerging.
Figure 1: Current provisional indications of age of consent across the EU
On 5 July 2017, the Austrian Parliament adopted the Datenschutz-Anpassungsgesetz 2018. The age of consent for children has been set at 14 years.
On 21 June 2017, the national GDPR implementation working group appointed by the Ministry of Justice published its report on GDPR implementation. No final decision has been made in relation to the age of consent, but the report proposes lowering the age threshold to either 13 or 15 years. The final decision is expected to depend on the policy choice made in other Member States (especially the Nordic countries).
On 27 April 2017, the German Parliament adopted the draft law on the Federal Data Protection Act amendment which would implement the GDPR. Since then, the draft law has been approved by the German Federal Council. The initial draft law can be found here and its amendments are available here. The choice not to derogate means that the threshold of 16 years will be applicable. In August 2017, the German Ministry of Interior published the English translation of the new Federal Data Protection Act.
On 5 July 2017, Geoffrey Shannon, Special Rapporteur on Child Protection, addressed the Joint Oireachtas Committee on Justice and Equality during a hearing in relation to the "General Scheme of Data Protection Bill 2017". He proposed that the age of consent for children should be set at 13 years. It has been reported that on 26 July 2017 the Cabinet officially decided to set the threshold for consent at 13 years.
On 15 June 2017, the official draft Law on Legal Protection of Personal Data prepared by the Ministry of Justice and the State Data Protection Inspectorate was published. The draft law mostly focuses on the procedural issues and legal powers of the data protection authority and does not mention the issue of the age of consent, thus, unless other legislative action is taken, setting it at 16 years.
On 28 March 2017, the Ministry of Digital Affairs presented a preliminary draft of certain provisions of a new Personal Data Protection Act. It was proposed that the consent of parents or legal guardians of a child to process that child's personal data will be required for children under the age of 13. On 14 September 2017, an updated Draft Personal Data Protection Act was published which kept the age of consent at 13 years.
Previously, in its publication "The GDPR in 12 questions" the Spanish Data Protection Agency explained that the age to obtain valid consent from children in Spain was 14 years and would continue to be the same when the GDPR would come into force. However, since then, a preliminary draft Law on Data Protection was presented to the Council of Ministers at the end of June 2017. This draft law lowers the age of consent to 13 years.
On 12 May 2017, Sweden's data protection authority published an extensive evaluation document on the recommended implementation of the new data protection standards introduced by the GDPR. It concerns national derogations that are permitted according to the GDPR, as well as the impact of the GDPR on national legislation and the changes that will have to be introduced. In terms of consent and children, the document indicates that minors who have reached the age of 13 should be allowed to consent to the processing of their personal data. For children younger than 13, parental consent would be required.
The proposal for a Dutch GDPR Implementation Act that seeks to implement the GDPR was published online on 9 December 2016 for the purpose of a public consultation. This document states that there is no reason to deviate from 16 as the age for consent, this being the age that was also used in the previous Data Protection Act. The Dutch Data Protection Authority has since then confirmed that in all probability there will be no derogation from the age of 16 in the Netherlands.
On 7 August 2017, the Department for Digital, Culture Media & Sport published its statement of intent on a new Data Protection Bill. The document addresses the issue of the age of consent specifically, stating that the planned legislation will allow a child aged 13 years or older to consent to their personal data being processed. In September 2017, the UK Data Protection Bill was published and officially set the age of consent for children at 13 years (article 8).
1 Please note that other legitimation grounds can also be used by data controllers (article 6 GDPR). For more information, see the Report on the Roundtable on the GDPR and children's rights.
- Insafe network
Today, the Insafe network of Safer Internet Centres (SICs) begins a two-day training meeting in Berlin, Germany. The meeting aims to facilitate experience and good-practice sharing across the network on a range of topical eSafety issues, while continuing to enhance the collaborative learning community that has developed within Insafe. Open Space Technology will be used during the meeting as a method of encouraging interaction and debate.
With the EU's data protection reform measures coming into force imminently, INHOPE - the International Association of Internet Hotlines - discusses the differences between the new General Data Protection Regulation (GDPR) and Data Protection Directive with special reference to hotlines within the wider Safer Internet Centre (SIC) context. Read on to find out more.
- CAHENF (Council of Europe Committee for the Rights of the Child)
In accordance with its terms of reference, and in line with the Council of Europe Strategy for the Rights of the Child (2016-2021), the Ad Hoc Committee for the Rights of the Child (CAHENF) is elaborating guidelines for member States to promote, protect and fulfil children's rights in the digital environment, with the support of its drafting group (CAHENF-IT). The elaboration of the draft legal instrument started in 2016 and is expected to be completed by November 2017.
- Eva Lievens and Ingrida Milkaité, Ghent University
In preparation for the implementation of the General Data Protection Regulation (GDPR), in a number of EU Member States national (draft) implementation acts, national consultations or guidance by Data Protection Authorities (DPAs) have been published.