Mapping the GDPR age of consent across the EU: April 2018 update
- Ingrida Milkaite and Eva Lievens, Ghent University
With less than two months left until the application of the GDPR, quite a number of Member States are currently still in the throes of the legislative implementation process. This update of the mapping of the implementation of article 8 GDPR reflects the most recent developments in relation to the age of consent that has been chosen in 19 of the 28 EU Member States.
Article 8 of the General Data Protection Regulation (GDPR) contains specific requirements regarding consent for the processing of personal data of children. The general rule provides for a parental consent requirement for all youth under 16 years old in situations where information society services are offered directly to them, and consent is the legitimation ground that is relied upon.1 However, Member States may choose to deviate and decide to lower the age threshold to 15, 14, or 13 years. In preparation for the implementation of the GDPR, national (draft) implementation acts, national consultations or guidance by Data Protection Authorities (DPAs) have been published across the EU. Although still in many countries no final decisions have been taken, our research into a selection of national approaches, based on official and public documents, shows that a fragmented landscape continues to emerge.
Since the last update of the mapping in February 2018, various developments have been observed. In Belgium, Finland and Greece proposals on the age of consent for children have been put forward. Moreover, the Czech Republic has changed its previous decision and increased the chosen age to 15. In France, discussions between the National Assembly and the Senate are ongoing. Developments in Cyprus are expected to be included in the next edition of the mapping when official documents are published.
In February 2018, the Belgian Secretary of State for Privacy has proposed to set the age of consent at 13 years. Referring to the GDPR and the possibility for Member States to derogate from the set age of 16 in article 8 GDPR, the Secretary of State for Privacy stated that "digital is the new normal" and that the age of 13 for children's consent in relation to information society services corresponds to the reality of internet use by children. The Belgian Privacy Commission, the national data protection authority, has expressed its support for the decision to set 13 as the age of consent for children. According to the Privacy Commission, joining social media and other services is part of children's social development, but additional efforts to teach children from a young age about the risks of sharing information should be undertaken. As children are more vulnerable, the processing of their data should remain a point of special attention for companies that offer digital services to children. Currently, the work on the Belgian draft law on the GDPR implementation continues and still needs to be introduced in Parliament.
One of the previous updates described how on 18 August 2017, a Draft law on the processing of personal data replacing the Act No. 101/2000 on the protection of personal data was published by the Ministry of Interior of the Czech Republic. According to article 6 of this proposal, the consent to the processing of personal data in connection with the provision of information society services directly to a child under the age of 13 is valid only if it is expressed or approved by his or her legal representative. The explanatory note on the draft law (Důvodová zpráva) provided some insight as to the reasons behind this proposal. First, a reference is made to the initial Commission proposal for the GDPR and the US Children's Online Privacy Protection Act, both setting the age of consent at 13 years. The explanatory note also refers to risks to youth in the context of information technologies and states that the processing of personal data in the context of information society services is not the same type of risk activity compared to other activities requiring parental consent under Czech law. The Czech law regarding driving licences is provided as an example which concerns teenagers of 15, 16 or 17 years. It is stated that driving a motor vehicle is an activity that the driver typically carries out independently and personally, which cannot be interfered with, and which is more difficult and risky in nature. Crucially, the document also explains that the reality of minors commonly using mobile phones and sending text messages should not be ignored. Therefore, limiting, for example, email services, social networks, or similar ways of communication, may be inappropriate. According to the document, a better way of addressing the risks associated with the use of information and communication technologies by children may be education and regular interest of educated parents.
However, on 21 March 2018, the Czech Government adopted a revised Draft Law on the Processing of Personal Data (Zákon o zpracování osobních údajů; see Materiál in the section Přílohy). Compared to the original proposal, the age of consent threshold for children increased from 13 years to 15 years. Article 7 of the revised Draft Law states that a child acquires the ability to grant consent to the processing of personal data in connection with the provision of information society services offered directly to him or her at the age of 15. The revised Draft Law has not yet been approved by the Parliament and the Senate. No explanatory documents seem to have been published together with the revised Draft Law.
On 21 June 2017 the national GDPR implementation working group appointed by the Ministry of Justice published its report on GDPR implementation. No final decision was made in relation to the age of consent, but the report proposed lowering the age threshold to either 13 or 15 years. The draft implementation act has opted for the age of 13. This choice was based on the opinions received during the preparation of the proposal which highlighted the importance of the internet for young people and which advocated for a lower age limit. The act still needs to be adopted.
On 13 December 2017, the French Minister of Justice presented the Draft Bill on the Protection of Personal Data (Projet de loi relatif à la protection des données personnelles). The Draft Law does not provide for specific provisions dealing with the issue of parental consent, thus leaving the threshold at 16 years. The Explanatory Statement (Exposé des Motifs), accompanying the Draft Law, states that the Government has chosen not to use its margin of manoeuvre.
Interestingly, though, the Draft Law provides for specific age threshold for consent in the context of health-related research, studies or evaluations. Under article 59 of the Draft Law, a minor, aged 15 years or older, may object to the holder of parental responsibility having access to the data concerning him or her gathered during such a study, research or evaluation. In this case, the minor can receive the information and exercise his or her rights on his or her own behalf.
On 13 December 2017, the CNIL, the French Data Protection Authority, published its opinion on the draft law on the protection of personal data (which was adopted on 30 November 2017). It provides an insight into the parental consent provision and the government's decision not to derogate. In its opinion on the Draft Data Protection Bill, the CNIL states, first of all, that it was aware of the discrepancy between this provision and the reality of the digital practices of minors. It then articulates the necessary empowerment of young people and the special protection of their personal data that is required at this time of their life, adolescence, where disclosure of their data and potential attacks on their privacy may result in negative effects in their future. In this respect and in light of all the rights of the child as recognised by the French national legislation, the CNIL states that it had not identified any decisive factors justifying the derogation from the default threshold of 16 years as the 16-year threshold corresponds to a common threshold in many legal contexts, particularly in contractual and banking matters. The CNIL adds that such a parental consent threshold may, in fact, be considered as a means of creating an opportunity for dialogue between parents and their children on how they intend to protect their personal data on the internet and the precautions that shall be taken. In terms of practical implementation of the parental consent provisions, the CNIL promotes the adoption of specific obligations, in the form of codes of conduct or certification mechanisms, and in particular, strengthened protection in terms of profiling for advertising purposes.
One of the most recent developments concerning the French legislative process is the Annex to the Report (Annexe au Rapport), adopted by the French National Assembly on 25 January 2018. Crucially, the National Assembly has proposed the addition of a new article 14a, concerning the implementation of article 8 GDPR. According to this provision, a minor may consent to the processing of personal data alone with regard to the offer of information society services from the age of 15. However, this provision could not be found in the version of the draft law as amended by the Senate in March, which again puts the age at 16. Discussions continued in April, so no final decision has been taken yet.
The public consultation on the adoption of legislative measures for the application of the GDPR was opened on 20 February 2018 and was successfully concluded on 5 March 2018. The Greek Ministry of Justice has subsequently published the Draft Law on the Protection of Personal Data (Νόμοσ για την Προςταςύα Δεδομϋνων Προςωπικού Φαρακτόρα). Article 6 of the Draft Law sets the age of consent for children at 15 years. According to the article, in relation to information society services being directly offered to a child, the processing of personal data of a child, when based on consent, shall be lawful where the child who provides consent has reached the age of 15 years. Where the child is below the age of 15 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
Figure 1: Current provisional indications of age of consent across the EU
On 5 July 2017, the Austrian Parliament officially adopted the DatenschutzAnpassungsgesetz 2018 implementing the GDPR into the national legislation. The age of consent for children has been set at 14 years.
The Danish Ministry of Justice has published its Proposal for a Law on Supplementary Provisions for a Regulation on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Information. Under section 6 of the proposal the age of consent for children is set to 13 years. In July-August 2017 a public consultation concerning the proposal was conducted. The results of this consultation have not yet been published.
On 27 April 2017, the German Parliament adopted the draft law on the Federal Data Protection Act amendment which would implement the GDPR. The draft law has been approved by the German Federal Council and will become applicable on 25 May 2018. The initial draft law can be found here and its adopted amendments are available here. The choice not to derogate means that the threshold of 16 years will be applicable. In August 2017, the German Ministry of Interior published the English translation of the new Federal Data Protection Act.
In October 2016, the Hungarian Data Protection Authority published a 12-step guide on how to get ready for the GDPR. In relation to the offer of information society services directly to a child, the guide states that where the child is under the age of 16, processing of children's data shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. However, the possibility for Member States to lower the age to 13 is mentioned in the guide.
On 5 July 2017, Geoffrey Shannon, Special Rapporteur on Child Protection, addressed the Joint Oireachtas Committee on Justice and Equality during a hearing in relation to the General Scheme of Data Protection Bill 2017. He proposed that the age of consent for children should be set at 13 years. On 30 January 2018, the Irish Parliament, Houses of the Oireachtas, presented the Data Protection Bill 2018 (An Bille um Chosaint Sonraí, 2018). The Bill's part 29 on the consent of child in relation to information society services provides that the age of a child specified for the purposes of Article 8 is 13 years of age.
Preceding this decision, in November 2017, the Joint Committee on Justice and Equality of the Houses of the Oireachtas released a Report on pre-legislative scrutiny of the General Scheme of the Data Protection Bill 2017. This report includes arguments presented to the Committee by various stakeholders (Geoffrey Shannon, Special Rapporteur on Child Protection, among others) and specifies many important aspects that need to be taken into account when implementing the GDPR provisions with regard to the protection of children. The Committee acknowledged the fact that the evidence submitted before it by children's rights organisations and their advocates indicated they all agreed that the age of consent of children should be set at 13 years. In this sense, the Committee reiterated that it "would help to ensure that children can practically enforce their rights such as, the right to participate in matters concerning him or her, right to be heard, right to express themselves freely and the right to access information need to be exercised effectively by children". Finally, in addition to recommending setting the age of consent at 13 years, the Committee also recommended that the age of consent is "reviewed at appropriate intervals to ensure it remains suitable as technology evolves". Moreover, the Committee also decided to recommend that "a detailed consultation take place with children of all ages to ascertain their views on the proposed measures for data protection" and to include the definition of a child in the proposed legislation adopting the one set in article 1 of the UNCRC stating that a child is every human being below 18 years. Crucially, in the context of the relationship between data protection and digital safety, the Committee also recommended "that a policy framework and an associated educational programme be implemented to assist children in exercising their digital rights before they reach the digital age of consent".
At the end of September 2017, the Latvian Ministry of Justice published the Latvian Draft Law on Personal Data Processing (Likumprojekts. Personas datu apstrādes likums). Article 43 of the Draft Law sets the conditions for the consent of the child in relation to information society services. According to this provision, pursuant to article 8 GDPR, when information society services are offered directly to the child, the consent of the child constitutes the legal basis for his or her data processing if the child is at least 13 years old. If the child is younger than 13 years, parental consent shall be obtained.
On 15 June 2017, the official draft Law on Legal Protection of Personal Data prepared by the Ministry of Justice and the State Data Protection Inspectorate was published. The draft law mostly focuses on the procedural issues and legal powers of the data protection authority and does not mention the issue of the age of consent, thus, unless other legislative action is taken, setting it at 16 years.
On 12 September 2017 the draft law establishing the National Commission for Data Protection and implementing the GDPR was published in Luxembourg. The draft law does not address the issue of parental consent, therefore, setting it at 16 years old.
On 28 March 2017 the Ministry of Digital Affairs presented a preliminary draft of certain provisions of a new Personal Data Protection Act. It was proposed that the consent of parents or legal guardians of a child to process that child's personal data will be required for children under the age of 13. On 14 September 2017, an updated Draft Personal Data Protection Act was published which kept the age of consent at 13 years.
An introduction to the draft law on the protection of personal data which is published together with the draft law, explains that the age of 13 was chosen due to similar age threshold provided by the Polish Civil Code (article 15) which states that a person who has reached the age of 13 has limited legal capacity and can therefore conclude "minor contracts of daily life". In this context, the document explains that it is also justified to accept the age of 13 for the effective expression of consent by the child for the processing of personal data relating to him or her as there is no reason to assume that a person who can manage his or her earnings and conclude minor contracts is not entitled to consent to the processing of his or her personal data in accordance with the provisions of the GDPR also bearing in mind that consent may be withdrawn at any time.
The proposed Law on the Protection of Personal Data and on Amendments to Certain Acts (Zákon o ochrane osobných údajov a o zmene a doplnení niektorých zákonov) has been published in Slovakia. Currently, the Draft Law is being negotiated by the National Council of the Slovak Republic. Article 15 of the Draft Law provides that personal data may be processed by operators in the context of the provision of information society services in cases where the data subject has reached the age of 16 years. In this sense, the Explanatory Statement accompanying the Draft Law (Dôvodová Správa) explains that children deserve special protection of their personal data as they are less aware of the risks and consequences associated with the processing of their personal data, especially when their data is obtained through a publicly accessible internet network.
Previously, in its publication "The GDPR in 12 questions" the Spanish Data Protection Agency explained that the age to obtain valid consent from children in Spain was 14 years and would continue to be the same when the GDPR would come into force. However, since then, a preliminary draft Law on Data Protection was presented to the Council of Ministers at the end of June 2017. This draft law lowers the age of consent to 13 years.
On 12 May 2017 Sweden's data protection authority published an extensive evaluation document on the recommended implementation of the new data protection standards introduced by the GDPR. It concerns national derogations that are permitted according to the GDPR, as well as the impact of the GDPR on national legislation and the changes that will have to be introduced. In terms of consent and children, the document indicates that minors who have reached the age of 13 should be allowed to consent to the processing of their personal data. For children younger than 13, parental consent would be required.
The proposal for a Dutch GDPR Implementation Act that seeks to implement the GDPR was published online on 9 December 2016 for the purpose of a public consultation. This document stated that there is no reason to deviate from 16 as the age for consent, this being the age that was also used in the previous Data Protection Act. The Dutch Data Protection Authority has confirmed afterwards that in all probability there would be no derogation from the age of 16 in the Netherlands.
A new proposal for a law laying down the rules implementing the GDPR was published on 13 December 2017. Article 5 of this proposal clarifies that if article 8 GDPR is not applicable, the age of consent for children is 16 years. The Explanatory Memorandum accompanying the proposal again states that the age of 16 was already introduced in the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens, or Wpb) and there is no reason to make a different assessment. For this reason, no lower age limit is included in the Implementation Act, and, moreover, article 5 now clarifies that the age threshold of 16 also applies in circumstances where article 8 is not applicable.
On 7 August 2017 the Department for Digital, Culture Media & Sport published its statement of intent on a new Data Protection Bill. The document addresses the issue of the age of consent specifically, stating that the planned legislation will allow a child aged 13 years or older to consent to their personal data being processed. In September 2017, the UK Data Protection Bill was published and officially set the age of consent for children at 13 years (article 8). Since then, the UK Information Commissioner's Office published draft Guidance on Children and the GDPR. The Bill was also discussed by the House of Lords. They have proposed to impose an obligation on the ICO to prepare a code of practice which contains such guidance as the Commissioner considers appropriate on standards of age-appropriate design of relevant information society services which are likely to be accessed by children. During subsequent discussions in the House of Commons, this amendment was supported as well.
This preliminary mapping has been drafted in the context of the project "A children's rights perspective on privacy and data protection in the digital age: a critical and forward-looking analysis of the General Data Protection Regulation and its implementation with respect to children and youth" (Ghent University, Special Research Fund). This project will monitor the implementation of the GDPR in relation to children(‘s rights) from 2017 until 2021.
If you have any information about the implementation of Article 8 in your Member State, please send it to firstname.lastname@example.org or email@example.com. The authors wish to express their sincere thanks to everyone who has provided them with information so far.
This is the updated version of the article first published on 19 June 2017 which was further updated on 10 July 2017, 16 August 2017, 12 October 2017 and 8 February 2018.
1 Please note that other legitimation grounds can also be used by data controllers (article 6 GDPR). For more information, see the Report on the Roundtable on the GDPR and children's rights.
- BIK Team
There has been a great deal of discussion recently about the EU General Data Protection Regulation (GDPR) and particularly around the impact on children and young people. The Information Commissioner's Office in the UK has recently launched a consultation document which provides more detailed guidance for (UK) organisations who are processing personal data under the GDPR.
- Insafe network
Today, the Insafe network of Safer Internet Centres (SICs) begins a two-day training meeting in Berlin, Germany. The meeting aims to facilitate experience and good-practice sharing across the network on a range of topical eSafety issues, while continuing to enhance the collaborative learning community that has developed within Insafe. Open Space Technology will be used during the meeting as a method of encouraging interaction and debate.
- BIK Team
In each edition of the BIK bulletin, we look at a topical issue - our main focus this month is on positive online content as we introduce our new campaign and reflect on the importance of being aware of what constitutes positive content for a wide range of stakeholders.
- BIK Team
From May 2018, the General Data Protection Regulation (GDPR) will take effect in EU Member States. The GDPR aims to strengthen, simplify and harmonise data protection regimes across Europe, giving individuals control over how their data are processed. It explicitly acknowledges that children merit specific protection.