Age of consent in the GDPR: updated mapping of recent national guidance and proposals
- Eva Lievens and Ingrida Milkaité, Ghent University
Article 8 of the General Data Protection Regulation (GDPR) contains specific requirements regarding consent for the processing of personal data of children.
The general rule provides for a parental consent requirement for all youth under 16 years old when information society services are offered directly to them, and consent is the legitimation ground that is relied upon. However, the Member States may choose to deviate and decide to lower the age threshold to 15, 14, or 13 years. In preparation for the implementation GDPR, in a number of EU Member States national (draft) implementation acts, national consultations or guidance by Data Protection Authorities (DPAs) have been published. Although in most countries no final decisions have been taken, preliminary research into a selection of the national approaches, based on official and public documents, shows that a fragmented landscape is gradually emerging.
Since the publication of an initial article in June 2017, in the run-up to the Roundtable on the GDPR and children's rights, new developments have occurred. In particular, recent amendments of the regulatory mapping concern Spain, Austria and Ireland.
The first notable change in the mapping scheme concerns Spain. Previously, in its publication "The GDPR in 12 questions" the Spanish Data Protection Agency explained that the age to obtain valid consent from children in Spain was 14 years and would continue to be the same when the GDPR would come into force. However, since then, a preliminary draft Law on Data Protection was presented to the Council of Ministers at the end of June 2017. This draft law lowers the age of consent to 13 years.
On 29 June 2017, the Austrian Parliament adopted the amendment of the Austrian Data Protection Act. The age of consent for children is set to 14 years (instead of 16 years which was the threshold in the first draft of the new Austrian law).
On 5 July 2017, Geoffrey Shannon, Special Rapporteur on Child Protection, addressed the Joint Oireachtas Committee on Justice and Equality during a hearing in relation to the "General Scheme of Data Protection Bill 2017". He proposed that the age of consent for children should be set at 13 years.
Figure 1: Current provisional indications of age chosen for parental consent across the EU
On 28 March 2017, the Ministry of Digital Affairs presented a preliminary draft of certain provisions of a new Personal Data Protection Act. It is proposed that the consent of parents or legal guardians of a child to process that child's personal data will be required for children under the age of 13.
On 12 May 2017, Sweden's data protection authority published an extensive evaluation document on the recommended implementation of the new data protection standards introduced by the GDPR. It concerns national derogations that are permitted according to the GDPR, as well as the impact of the GDPR on national legislation and the changes that will have to be introduced. In terms of consent and children, the document indicates that minors who have reached the age of 13 should be allowed to consent to the processing of their personal data. For children younger than 13, parental consent would be required.
On 2 March 2017, the Information Commissioner's Office published a public consultation on its draft GDPR consent guidance. The guidance does not specify the age for parental consent that the UK may choose, although it indicates that the UK may choose to lower the age to 13. This was again mentioned in a guidance document aimed at companies "Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now".
The proposal for a Dutch GDPR Implementation Act that seeks to implement the GDPR was published online on 9 December 2016 for the purpose of a public consultation. This document states that there is no reason to deviate from 16 as the age for consent, this being the age that was also used in the previous Data Protection Act.
In October 2016, the Hungarian Data Protection Authority published a 12-step guide on how to get ready for the GDPR. In relation to the offer of information society services directly to a child, the guide states that where the child is under the age of 16, processing of children's data shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. However, the possibility for Member States to lower the age to 13 is mentioned in the guide.
This preliminary mapping has been drafted in the context of the project "A children's rights perspective on privacy and data protection in the digital age: a critical and forward-looking analysis of the General Data Protection Regulation and its implementation with respect to children and youth" (Ghent University, Special Research Fund). This project will monitor the implementation of the GDPR in relation to children(‘s rights) from 2017 until 2021.
This is the updated version of the article published on 19 June 2017.
- Eva Lievens and Ingrida Milkaité, Ghent University
In preparation for the implementation of the General Data Protection Regulation (GDPR), in a number of EU Member States national (draft) implementation acts, national consultations or guidance by Data Protection Authorities (DPAs) have been published.