Updated mapping of the age of consent in the GDPR (2018)
- Ingrida Milkaite and Eva Lievens, Ghent University
With less than four months left until the application of the GDPR (General Data Protection Regulation), a small number of Member States of the European Union have adopted their final implementation acts while other Member States are currently still in the process of implementation. This updated mapping of the implementation of article 8 GDPR reflects the most recent developments in relation to the age of consent that is chosen across EU Member States.
Article 8 of the GDPR contains specific requirements regarding consent for the processing of personal data of children. The general rule provides for a parental consent requirement for all youth under 16 years old in situations where information society services are offered directly to them, and consent is the legitimation ground that is relied upon1. However, Member States may choose to deviate and decide to lower the age threshold to 15, 14, or 13 years. In preparation for the implementation of the GDPR, national (draft) implementation acts, national consultations or guidance by Data Protection Authorities (DPAs) have been published across the EU. Although in many countries no final decisions have been taken, preliminary research into a selection of national approaches, based on official and public documents, shows that a fragmented landscape is gradually emerging.
Emerging developments in the European state of play inspire this update of the article mapping the decisions of the Member States regarding the age of consent for children. Since the Roundtable on the GDPR and children's rights and the last version of this article published in October 2017, France, Ireland, Latvia, Slovakia and the Netherlands have also published draft implementation acts. Developments in Cyprus and Greece will be included in the next edition of the mapping when official documents are being published.
On 13 December 2017, the French Minister of Justice presented the Draft Bill on the Protection of Personal Data (Projet de loi relatif à la protection des données personnelles). The Draft Law does not provide for specific provisions dealing with the issue of parental consent, thus leaving the threshold at 16 years. The Explanatory Statement (Exposé des Motifs), accompanying the Draft Law, states that the Government has chosen not to use its margin of manoeuvre.
Interestingly, though, the Draft Law provides for specific age threshold for consent in the context of health-related research, studies or evaluations. Under article 59 of the Draft Law, a minor, aged 15 years or older, may object to the holder of parental responsibility having access to the data concerning him or her gathered during such a study, research or evaluation. In this case, the minor can receive the information and exercise his or her rights on his or her own behalf.
On 13 December, the CNIL, the French Data Protection Authority, published its opinion on the draft law on the protection of personal data (which was adopted on 30 November 2017). It provides an insight into the parental consent provision and the government's decision not to derogate. In its opinion on the Draft Data Protection Bill, the CNIL states, first of all, that it was aware of the discrepancy between this provision and the reality of the digital practices of minors. It then articulates the necessary empowerment of young people and the special protection of their personal data that is required at this time of their life, adolescence, where disclosure of their data and potential attacks on their privacy may result in negative effects in their future. In this respect, and in light of all the rights of the child as recognised by the French national legislation, the CNIL states that it had not identified any decisive factors justifying the derogation from the default threshold of 16 years as the 16-year threshold corresponds to a common threshold in many legal contexts, particularly in contractual and banking matters. The CNIL adds that such a parental consent threshold may, in fact, be considered as a means of creating an opportunity for dialogue between parents and their children on how they intend to protect their personal data on the internet and the precautions that shall be taken. In terms of practical implementation of the parental consent provisions, the CNIL promotes the adoption of specific obligations, in the form of codes of conduct or certification mechanisms, and in particular, strengthened protection in terms of profiling for advertising purposes.
The most recent development concerning the French legislative process is the Annex to the Report (Annexe au Rapport), adopted by the French National Assembly on the 25 January 2018. Crucially, the National Assembly has proposed the addition of a new article 14a, concerning the implementation of article 8 GDPR. According to this provision, a minor may consent to the processing of personal data alone with regard to the offer of information society services from the age of 15. It remains to be seen whether this provision will be adopted in the final version of the new French Data Protection Law.
On 5 July 2017, Geoffrey Shannon, Special Rapporteur on Child Protection, addressed the Joint Oireachtas Committee on Justice and Equality during a hearing in relation to the General Scheme of Data Protection Bill 2017. He proposed that the age of consent for children should be set at 13 years. On 30 January 2018, the Irish Parliament, Houses of the Oireachtas, presented the Data Protection Bill 2018 (An Bille um Chosaint Sonraí, 2018). The Bill's part 29 on the consent of child in relation to information society services provides that the age of a child specified for the purposes of article 8 is 13 years of age.
Preceding this decision, in November 2017, the Joint Committee on Justice and Equality of the Houses of the Oireachtas released a Report on pre-legislative scrutiny of the General Scheme of the Data Protection Bill 2017. This report includes arguments presented to the Committee by various stakeholders (Geoffrey Shannon, Special Rapporteur on Child Protection, among others) and specifies many important aspects that need to be taken into account when implementing the GDPR provisions with regard to the protection of children. The Committee acknowledged the fact that the evidence submitted before it by children's rights organisations and their advocates indicated they all agreed that the age of consent of children should be set at 13 years. In this sense, the Committee reiterated that it "would help to ensure that children can practically enforce their rights such as, the right to participate in matters concerning him or her, right to be heard, right to express themselves freely and the right to access information need to be exercised effectively by children". Finally, in addition to recommending setting the age of consent at 13 years, the Committee also recommended that the age of consent is "reviewed at appropriate intervals to ensure it remains suitable as technology evolves". Moreover, the Committee also decided to recommend that "a detailed consultation take place with children of all ages to ascertain their views on the proposed measures for data protection" and to include the definition of a child in the proposed legislation adopting the one set in article 1 of the UNCRC stating that a child is every human being below 18 years. Crucially, in the context of the relationship between data protection and digital safety, the Committee also recommended "that a policy framework and an associated educational programme be implemented to assist children in exercising their digital rights before they reach the digital age of consent".
At the end of September 2017, the Latvian Ministry of Justice published the Latvian Draft Law on Personal Data Processing (Likumprojekts. Personas datu apstrādes likums). Article 43 of the Draft Law sets the conditions for the consent of the child in relation to information society services. According to this provision, pursuant to article 8 GDPR, when information society services are offered directly to the child, the consent of the child constitutes the legal basis for his or her data processing if the child is at least 13 years old. If the child is younger than 13 years, parental consent shall be obtained.
The proposed Law on the Protection of Personal Data and on Amendments to Certain Acts (Zákon o ochrane osobných údajov a o zmene a doplnení niektorých zákonov) has been published in Slovakia. Currently, the Draft Law is being negotiated by the National Council of the Slovak Republic. Article 15 of the Draft Law provides that personal data may be processed by operators in the context of the provision of information society services in cases where the data subject has reached the age of 16 years. In this sense, the Explanatory Statement accompanying the Draft Law (Dôvodová Správa) explains that children deserve special protection of their personal data as they are less aware of the risks and consequences associated with the processing of their personal data, especially when their data is obtained through a publicly accessible internet network.
The proposal for a Dutch GDPR Implementation Act that seeks to implement the GDPR was published online on 9 December 2016 for the purpose of a public consultation. This document stated that there is no reason to deviate from 16 as the age for consent, this being the age that was also used in the previous Data Protection Act. The Dutch Data Protection Authority has confirmed afterwards that in all probability there would be no derogation from the age of 16 in the Netherlands.
A new proposal for a law laying down the rules implementing the GDPR was published on 13 December 2017. Article 5 of this proposal clarifies that if article 8 GDPR is not applicable, the age of consent for children is 16 years. The Explanatory Memorandum accompanying the proposal again states that the age of 16 was already introduced in the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens, or Wpb) and there is no reason to make a different assessment. For this reason, no lower age limit is included in the Implementation Act, and, moreover, article 5 now clarifies that the age threshold of 16 also applies in circumstances where article 8 is not applicable.
Figure 1: Current provisional indications of age of consent across the EU
On 5 July 2017, the Austrian Parliament officially adopted the DatenschutzAnpassungsgesetz 2018 implementing the GDPR into the national legislation. The age of consent for children has been set at 14 years.
On 18 August 2017, a Draft law on the processing of personal data replacing the Act No. 101/2000 on the protection of personal data was published by the Ministry of Interior. According to article 6 of this proposal, the consent to the processing of personal data in connection with the provision of information society services directly to a child under the age of 13 is valid only if it is expressed or approved by his or her legal representative. The draft law has yet to be approved by the Czech Government and the Parliament.
Notably, the explanatory note on the draft law (Důvodová zpráva) provides some insight as to the reasons behind this proposal. First, a reference is made to the initial Commission proposal for the GDPR and the US Children's Online Privacy Protection Act, both setting the age of consent at 13 years. The explanatory note also refers to risks to youth in the context of information technologies and states that the processing of personal data in the context of information society services is not the same type of risk activity compared to other activities requiring parental consent under Czech law. The Czech law regarding driving licences is provided as an example which concerns teenagers of 15, 16 or 17 years. It is stated that driving a motor vehicle is an activity that the driver typically carries out independently and personally, which cannot be interfered with, and which is more difficult and risky in nature. Crucially, the document also explains that the reality of minors commonly using mobile phones and sending text messages should not be ignored. Therefore, limiting, for example, email services, social networks, or similar ways of communication, may be inappropriate. According to the document, a better way of addressing the risks associated with the use of information and communication technologies by children may be education and regular interest of educated parents.
The Danish Ministry of Justice has published its Proposal for a Law on Supplementary Provisions for a Regulation on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Information. Under section 6 of the proposal the age of consent for children is set to 13 years. In July-August 2017, a public consultation concerning the proposal was conducted. The results of this consultation have not yet been published.
On 21 June 2017, the national GDPR implementation working group appointed by the Ministry of Justice published its report on GDPR implementation. No final decision has been made in relation to the age of consent, but the report proposes lowering the age threshold to either 13 or 15 years. The final decision is expected to depend on the policy choice made in other Member States (especially the Nordic countries).
On 27 April 2017, the German Parliament adopted the draft law on the Federal Data Protection Act amendment which would implement the GDPR. The draft law has been approved by the German Federal Council and will become applicable on 25 May 2018. The initial draft law can be found here and its adopted amendments are available here. The choice not to derogate means that the threshold of 16 years will be applicable. In August 2017, the German Ministry of Interior published the English translation of the new Federal Data Protection Act.
In October 2016, the Hungarian Data Protection Authority published a 12-step guide on how to get ready for the GDPR. In relation to the offer of information society services directly to a child, the guide states that where the child is under the age of 16, processing of children's data shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. However, the possibility for Member States to lower the age to 13 is mentioned in the guide.
On 15 June 2017, the official draft Law on Legal Protection of Personal Data prepared by the Ministry of Justice and the State Data Protection Inspectorate was published. The draft law mostly focuses on the procedural issues and legal powers of the data protection authority and does not mention the issue of the age of consent, thus, unless other legislative action is taken, setting it at 16 years.
On 12 September 2017, the draft law establishing the National Commission for Data Protection and implementing the GDPR was published in Luxembourg. The draft law does not address the issue of parental consent, therefore, setting it at 16 years old.
On 28 March 2017, the Ministry of Digital Affairs presented a preliminary draft of certain provisions of a new Personal Data Protection Act. It was proposed that the consent of parents or legal guardians of a child to process that child's personal data will be required for children under the age of 13. On 14 September 2017, an updated Draft Personal Data Protection Act was published which kept the age of consent at 13 years.
An introduction to the draft law on the protection of personal data which is published together with the draft law, explains that the age of 13 was chosen due to similar age threshold provided by the Polish Civil Code (article 15) which states that a person who has reached the age of 13 has limited legal capacity and can therefore conclude "minor contracts of daily life". In this context, the document explains that it is also justified to accept the age of 13 for the effective expression of consent by the child for the processing of personal data relating to him or her as there is no reason to assume that a person who can manage his or her earnings and conclude minor contracts is not entitled to consent to the processing of his or her personal data in accordance with the provisions of the GDPR also bearing in mind that consent may be withdrawn at any time.
Previously, in its publication "The GDPR in 12 questions", the Spanish Data Protection Agency explained that the age to obtain valid consent from children in Spain was 14 years and would continue to be the same when the GDPR would come into force. However, since then, a preliminary draft Law on Data Protection was presented to the Council of Ministers at the end of June 2017. This draft law lowers the age of consent to 13 years.
On 12 May 2017, Sweden's data protection authority published an extensive evaluation document on the recommended implementation of the new data protection standards introduced by the GDPR. It concerns national derogations that are permitted according to the GDPR, as well as the impact of the GDPR on national legislation and the changes that will have to be introduced. In terms of consent and children, the document indicates that minors who have reached the age of 13 should be allowed to consent to the processing of their personal data. For children younger than 13, parental consent would be required.
On 7 August 2017, the Department for Digital, Culture, Media & Sport published its statement of intent on a new Data Protection Bill. The document addresses the issue of the age of consent specifically, stating that the planned legislation will allow a child aged 13 years or older to consent to their personal data being processed. In September 2017, the UK Data Protection Bill was published and officially set the age of consent for children at 13 years (article 8). Since then, the UK Information Commissioner's Office published draft Guidance on Children and the GDPR. The Consultation closes on 28 February 2018. The Bill was also discussed by the House of Lords. They have proposed to impose an obligation on the ICO to prepare a code of practice which contains such guidance as the Commissioner considers appropriate on standards of age-appropriate design of relevant information society services which are likely to be accessed by children.
This preliminary mapping has been drafted in the context of the project "A children's rights perspective on privacy and data protection in the digital age: a critical and forward-looking analysis of the General Data Protection Regulation and its implementation with respect to children and youth" (Ghent University, Special Research Fund). This project will monitor the implementation of the GDPR in relation to children(‘s rights) from 2017 until 2021.
This is the updated version of the article first published on 19 June 2017 which was further updated on 10 July 2017, 16 August 2017 and 12 October 2017.
1 Please note that other legitimation grounds can also be used by data controllers (article 6 GDPR). For more information, see the Report on the Roundtable on the GDPR and children's rights.
- Greek Safer internet Centre
Following Safer Internet Day 2018, we've heard from a number of SID Committees on how they marked the day. In Greece, Prof. Fereniki Panagopoulou made an announcement at the main event of Greek Safer Internet Centre for Safer Internet Day 2018 concerning the upcoming GDPR legislation.
- BIK Team
On Friday, 23 June 2017, legislators, Data Protection Authorities (DPAs), industry, education stakeholders and civil society representatives from across Europe met in Brussels, Belgium, to discuss the General Data Protection Regulation (GDPR) with a particular focus on its implications for children's rights.
- Janice Richardson and Vitor Tomé
Here on the Better Internet for Kids portal, we have touched upon the GDPR (General Data Protection Regulation) many times in the past, for example outlining some of the challenges in the March 2016 edition of the BIK bulletin. Here, guest contributors Janice Richardson and Vitor Tomé share their views on some of the reasons why children over the age of 13 should not require compulsory parental consent for internet service access.