Age of consent in the GDPR: updated mapping

  • Awareness
  • 12/10/2017
  • Eva Lievens and Ingrida Milkaité, Ghent University

Article 8 of the General Data Protection Regulation (GDPR) contains specific requirements regarding consent for the processing of personal data of children.

The general rule provides for a parental consent requirement for all youth under 16 years old in situations where information society services are offered directly to them, and consent is the legitimation ground that is relied upon [1]. However, Member States may choose to deviate and decide to lower the age threshold to 15, 14, or 13 years. In preparation for the implementation of the GDPR, national (draft) implementation acts, national consultations or guidance by Data Protection Authorities (DPAs) have been published across the EU. Although in many countries no final decisions have been taken, preliminary research into a selection of national approaches, based on official and public documents, shows that a fragmented landscape is gradually emerging.

Emerging developments in the European state of play inspire this update of the article mapping the decisions of the Member States regarding the age of consent for children. Since the Roundtable on the GDPR and children's rights and the last version of this article published in August 2017, the Czech Republic, Denmark and Luxembourg have also published draft implementation acts.
 
Czech Republic 
On 18 August 2017, a Draft law on the processing of personal data replacing the Act No. 101/2000 on the protection of personal data was published by the Ministry of Interior. According to article 6 of this proposal, the consent to the processing of personal data in connection with the provision of information society services directly to a child under the age of 13 is valid only if it is expressed or approved by his or her legal representative. The draft law has yet to be approved by the Czech Government and the Parliament. 
 
Notably, the explanatory note on the draft law (Důvodová zpráva) provides some insight into the reasons behind this proposal. First, a reference is made to the initial Commission proposal for the GDPR and the US Children's Online Privacy Protection Act, both setting the age of consent at 13 years. The explanatory note also refers to risks to youth in the context of information technologies and states that the processing of personal data in the context of information society services is not the same type of risky activity as other activities requiring parental consent under Czech law. Czech law on driving licences, which concerns teenagers aged 15, 16 or 17, is given as an example. It is stated that driving a motor vehicle is an activity that the driver typically carries out independently and personally, which cannot be interfered with, and which is more difficult and risky in nature. Crucially, the document also explains that the reality of minors commonly using mobile phones and sending text messages should not be ignored. Therefore, limiting, for example, email services, social networks, or similar ways of communication may be inappropriate. According to the document, a better way of addressing the risks associated with the use of information and communication technologies by children may be education and the regular interest of educated parents.
 
Denmark
The Danish Ministry of Justice has published its Proposal for a Law on Supplementary Provisions for a Regulation on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Information. Under section 6 of the proposal the age of consent for children is set to 13 years. In July-August 2017, a public consultation concerning the proposal was conducted. The results of this consultation have not yet been published. 
 
Luxembourg
On 12 September 2017, the draft law establishing the National Commission for Data Protection and implementing the GDPR was published in Luxembourg. The draft law does not address the issue of parental consent, thereby setting the age of consent at 16 years.
 

Figure 1: Current provisional indications of age of consent across the EU

GDPR age of consent mapping October 2017
 

Austria
On 5 July 2017, the Austrian Parliament adopted the Datenschutz-Anpassungsgesetz 2018. The age of consent for children has been set at 14 years.

Finland
On 21 June 2017, the national GDPR implementation working group appointed by the Ministry of Justice published its report on GDPR implementation. No final decision has been made in relation to the age of consent, but the report proposes lowering the age threshold to either 13 or 15 years. The final decision is expected to depend on the policy choice made in other Member States (especially the Nordic countries).

Germany
On 27 April 2017, the German Parliament adopted the draft law on the Federal Data Protection Act amendment which would implement the GDPR. Since then, the draft law has been approved by the German Federal Council. The initial draft law can be found here and its amendments are available here. The choice not to derogate means that the threshold of 16 years will be applicable. In August 2017, the German Ministry of Interior published the English translation of the new Federal Data Protection Act.

Hungary
In October 2016, the Hungarian Data Protection Authority published a 12-step guide on how to get ready for the GDPR. In relation to the offer of information society services directly to a child, the guide states that where the child is under the age of 16, processing of children's data shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. However, the possibility for Member States to lower the age to 13 is mentioned in the guide.
 

Ireland
On 5 July 2017, Geoffrey Shannon, Special Rapporteur on Child Protection, addressed the Joint Oireachtas Committee on Justice and Equality during a hearing in relation to the "General Scheme of Data Protection Bill 2017". He proposed that the age of consent for children should be set at 13 years. It has been reported that on 26 July 2017 the Cabinet officially decided to set the threshold for consent at 13 years.

Lithuania
On 15 June 2017, the official draft Law on Legal Protection of Personal Data prepared by the Ministry of Justice and the State Data Protection Inspectorate was published. The draft law mostly focuses on the procedural issues and legal powers of the data protection authority and does not mention the issue of the age of consent, thus, unless other legislative action is taken, setting it at 16 years.

Poland
On 28 March 2017, the Ministry of Digital Affairs presented a preliminary draft of certain provisions of a new Personal Data Protection Act. It was proposed that the consent of parents or legal guardians of a child to process that child's personal data will be required for children under the age of 13. On 14 September 2017, an updated Draft Personal Data Protection Act was published which kept the age of consent at 13 years.

An introduction to the draft law on the protection of personal data, published together with the draft law, explains that the age of 13 was chosen because of the similar age threshold in the Polish Civil Code (article 15), which states that a person who has reached the age of 13 has limited legal capacity and can therefore conclude 'minor contracts of daily life'. In this context, the document explains that it is also justified to accept the age of 13 for the effective expression of consent by the child to the processing of personal data relating to him or her: there is no reason to assume that a person who can manage his or her earnings and conclude minor contracts is not entitled to consent to the processing of his or her personal data in accordance with the provisions of the GDPR, also bearing in mind that consent may be withdrawn at any time.
 

Spain
Previously, in its publication "The GDPR in 12 questions" the Spanish Data Protection Agency explained that the age to obtain valid consent from children in Spain was 14 years and would continue to be the same when the GDPR would come into force. However, since then, a preliminary draft Law on Data Protection was presented to the Council of Ministers at the end of June 2017. This draft law lowers the age of consent to 13 years.

Sweden
On 12 May 2017, Sweden's data protection authority published an extensive evaluation document on the recommended implementation of the new data protection standards introduced by the GDPR. It concerns national derogations that are permitted according to the GDPR, as well as the impact of the GDPR on national legislation and the changes that will have to be introduced. In terms of consent and children, the document indicates that minors who have reached the age of 13 should be allowed to consent to the processing of their personal data. For children younger than 13, parental consent would be required.

The Netherlands
The proposal for a Dutch GDPR Implementation Act that seeks to implement the GDPR was published online on 9 December 2016 for the purpose of a public consultation. This document states that there is no reason to deviate from 16 as the age for consent, this being the age that was also used in the previous Data Protection Act. The Dutch Data Protection Authority has since then confirmed that in all probability there will be no derogation from the age of 16 in the Netherlands.

United Kingdom
On 7 August 2017, the Department for Digital, Culture, Media & Sport published its statement of intent on a new Data Protection Bill. The document addresses the issue of the age of consent specifically, stating that the planned legislation will allow a child aged 13 years or older to consent to their personal data being processed. In September 2017, the UK Data Protection Bill was published and officially set the age of consent for children at 13 years (article 8).

***

This preliminary mapping has been drafted in the context of the project "A children's rights perspective on privacy and data protection in the digital age: a critical and forward-looking analysis of the General Data Protection Regulation and its implementation with respect to children and youth" (Ghent University, Special Research Fund). This project will monitor the implementation of the GDPR in relation to children('s rights) from 2017 until 2021.
 
If you have any information about the implementation of Article 8 in your Member State, please send it to gdpr-roundtable@eun.org or e.lievens@ugent.be.
 
This is the updated version of the article published on 19 June 2017 which was further updated on 10 July 2017 and 16 August 2017.
 

[1] Please note that other legitimation grounds can also be used by data controllers (article 6 GDPR). For more information, see the Report on the Roundtable on the GDPR and children's rights.

