The GDPR child's age of consent for data processing across the EU – one year later (July 2019)
- Ingrida Milkaite and Eva Lievens, Ghent University
The General Data Protection Regulation (GDPR) entered into force more than a year ago, on 25 May 2018, yet our monitoring exercise concerning the implementation of article 8 GDPR is still ongoing with 2 Member States of the EU left to (formally) adopt their national implementation laws.
This new update focuses on the most recent developments in Bulgaria, the Czech Republic, Estonia and Portugal. National implementation laws are currently still pending in Greece and Slovenia. In practice, because these countries have not yet passed their GDPR implementation laws, the article 8 GDPR age there is currently 16 years, rather than the age proposed in their draft legislation, until that legislation is officially adopted.
The most recent Report of the European Commission Multi-stakeholder Expert Group on the GDPR application published on 11 June 2019 confirms the issues associated with the practical implementation of article 8 GDPR. First of all, stakeholders note that the information on who – the child or the parent – actually needs to give consent is often unclear. It is suggested that "this may have the consequence of denying services to children and keeping children away from the Internet until they have attained a certain age, which is not the purpose pursued by GDPR". In addition, the Expert Group also asks for clarifications in terms of age verification for the processing of children's data, and more generally, the lawful grounds that can be used to process personal data of children.
Article 8 of the General Data Protection Regulation (GDPR) contains specific requirements regarding consent for the processing of personal data of children. The general rule provides for a parental consent requirement for all youth under 16 years old in situations where information society services are offered directly to them, and consent is the lawful ground on the basis of which the data is processed.1 However, Member States may choose to deviate and decide to lower this age threshold to 15, 14, or 13 years. Over the course of the past few years, national (draft) implementation acts, national consultations or guidance by Data Protection Authorities (DPAs) have been published across the EU. Our research into different national approaches, based on official and public documents, shows that the implementation of article 8 GDPR is not only fragmented across the EU, but also that certain governments changed their minds along the way.
The picture below gives an overview of the current state-of-play with regard to the implementation of article 8. For the three countries that have not yet adopted their implementation law, the age is set to 16 but a coloured outline indicates the age that has been included in their draft implementation acts.
Austria | Belgium | Bulgaria | Croatia | Cyprus | Czech Rep. | Denmark | Estonia | Finland | France | Germany | Greece | Hungary | Ireland | Italy | Latvia | Lithuania | Luxembourg | Malta | Netherlands | Norway | Poland | Portugal | Romania | Slovakia | Slovenia | Spain | Sweden | Switzerland | UK
On the 31st of July 2017 the Federal Act on the Protection of Individuals with regard to the Processing of Personal Data was adopted and officially published, making Austria the second Member State, after Germany, which adopted the national GDPR implementation law. The new law repealed the previous data protection act and became applicable on 25 May 2018. When information society services are offered directly to children, children can themselves provide consent for their data processing when they are 14 years old or older (1 § 4 (4)).
In February 2018, the Belgian Secretary of State for Privacy proposed to set the age of consent at 13 years. Referring to the GDPR and the possibility for Member States to derogate from the set age of 16 in article 8 GDPR, the Secretary of State for Privacy stated that "digital is the new normal" and that the age of 13 for children's consent in relation to information society services corresponds to the reality of internet use by children. The Belgian Privacy Commission, the national data protection authority, has expressed its support for the decision to set 13 as the age of consent for children. According to the Privacy Commission, joining social media and other services is part of children's social development, but additional efforts to teach children from a young age about the risks of sharing information should be undertaken. As children are more vulnerable, the processing of their data should remain a point of special attention for companies that offer digital services to children.
On 11 June 2018, the Belgian Law on the protection of individuals with regard to the processing of personal data was introduced in the Parliament. The Draft Law recommends setting the age of consent for children at 13 years and provides opinions submitted by various stakeholders (article 7). The preamble proposes the use of the (kids) e-ID card as a possible means to carry out age verification.
On 5 September 2018 the final GDPR implementation law was published in the Official Gazette. The Law on the Protection of Natural Persons with regards to the Processing of Personal Data set the child age of consent for data processing at 13 years (article 7).
On 30 April 2018, a public consultation on the Draft Law on the Amendment of the Personal Data Protection Act was launched and will be closed on 14 May 2018. Article 25(c) of the Draft Law currently sets the age of digital consent for children at 14 years (see Проект на Закон за изменение и допълнение на Закона за защита на личните данни).
The responses to the public consultation were published. In its response, the Bulgarian eCommerce association proposed to set the age of consent for children using digital services at 13 years. The association provided that such an age is permitted by article 8 GDPR and that such a decision would be supported by businesses, non-governmental and international organisations (including UNICEF). The eCommerce association also made a reference to the decision to set article 8 GDPR age at 13 made by many Member States, including Ireland, Estonia, Finland, Spain, Sweden, Portugal and the United Kingdom. In addition, the association made a reference to the Bulgarian national law providing that citizens receive their identity cards, and thus certain legal capacity allowing them to enter into certain transactions, at 14 years.
The final GDPR implementation law in Bulgarian – the Law on the Protection of Personal Data – was published in the Bulgarian State Gazette on 26 February 2019 and entered into force on 2 March 2019. Article 25 c. indeed sets the age for child consent for data processing at 14 years.
The Proposal for the Law on the Implementation of the General Data Protection Regulation has been published for consultation. The proposed law does not refer to Article 8 GDPR and does not mention children in the context of digital consent suggesting that Croatia is either in the process of choosing the age of 16 or will add this provision at a later legislative stage.
During the public consultation, two comments which specifically address children's consent with regard to information society services being offered directly to children, were made. First, AmCham Croatia, the American Chamber of Commerce in Croatia, representing the business interests of American, international and Croatian companies, proposed to include the age of 15 as the age threshold for consent for children in Croatia. Second, Google considered the Draft Proposal for the Implementation of the GDPR inadequate with regard to the undefined age of consent for children using information society services and proposed to set the age threshold at 13 years. Google stated that such a decision is supported by industry as well as numerous experts, non-governmental organisations and international organisations (including UNICEF) advocating for the safety and welfare of children in the online world. According to Google, setting the age limit to 13 years would be in line with numerous international and national acts, including the 1998 US Children's Online Privacy Protection Act (COPPA). Google also made a reference to Article 17 of the UN Convention on the Rights of the Child which states that "children are entitled to information that is important to their health and well-being". Furthermore, Google claimed that setting the age limit for consent at 16 instead of 13 would have a negative impact on the development of teenagers, as young people would thus be denied essential social and educational opportunities. Moreover, for children of less digitally literate families, an additional parental consent requirement could hinder their access to online services altogether. In addition, some teenagers require their own right to privacy without parental or guardian involvement, and, as Google states, it is unquestionable that everyone wants a degree of privacy from their parents. 
Finally, Google reminded the Croatian policy makers that the original version of article 8 GDPR, initially proposed by the European Commission, stipulated that the age of consent for the use of information society services would be 13 years. Google added that many EU Member States also highlight the problems mentioned above and have the age of consent for the implementation of article 8 GDPR at 13 years.
At the beginning of May 2018 the Croatian Data Protection Authority announced that the Law on the Implementation of the GDPR had been passed by the Croatian Parliament in its session of 27 April 2018. The new law (No. NN 42/2018) was published in the Official Gazette and came into force on 15 May 2018. Article 19 of the new law includes the rules concerning children's consent in relation to information society services. According to the provision, a child can consent to his or her data processing when the child is 16 years old or older. The second part of the article also specifies that this provision is applicable to every child resident in the Republic of Croatia (dijete čije je prebivalište u Republici Hrvatskoj).
At the beginning of April 2018, in the framework of a public consultation, the Draft Act on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data was published. Article 6 of the consultation document (see Νομοσχέδιο Κανονισμός τελικό διαβούλευση.doc) sets the age of consent when information society services are offered directly to children at 14 years. The consultation closed on 27 April 2018.
On 31 July 2018 Cyprus adopted the Law Protecting Natural Persons Regarding the Processing of their Personal Data and the Free Movement of such Data (No. 125(1) of 2018). The law sets the age of consent for children at 14 years (article 8).
One of the previous updates described how on 18 August 2017, a Draft law on the processing of personal data replacing the Act No. 101/2000 on the protection of personal data was published by the Ministry of Interior of the Czech Republic. According to article 6 of this proposal, the consent to the processing of personal data in connection with the provision of information society services directly to a child under the age of 13 is valid only if it is expressed or approved by his or her legal representative. The explanatory note on the draft law (Důvodová zpráva) provided some insight as to the reasons behind this proposal. First, a reference is made to the initial Commission proposal for the GDPR and the US Children's Online Privacy Protection Act, both setting the age of consent at 13 years. The explanatory note also refers to risks to youth in the context of information technologies and states that the processing of personal data in the context of information society services is not the same type of risk activity compared to other activities requiring parental consent under Czech law. The Czech law regarding driving licences is provided as an example which concerns teenagers of 15, 16 or 17 years. It is stated that driving a motor vehicle is an activity that the driver typically carries out independently and personally, which cannot be interfered with, and which is more difficult and risky in nature. Crucially, the document also explains that the reality of minors commonly using mobile phones and sending text messages should not be ignored. Therefore, limiting, for example, email services, social networks, or similar methods of communication, may be inappropriate. According to the document, a better way of addressing the risks associated with the use of information and communication technologies by children may be education and regular interest of educated parents.
However, on 21 March 2018, the Czech Government adopted a revised Draft Law on the Processing of Personal Data (Zákon o zpracování osobních údajů; see Materiál in the section Přílohy). Compared to the original proposal, the age of consent threshold for children increased from 13 years to 15 years. Article 7 of the revised Draft Law states that a child acquires the ability to grant consent to the processing of personal data in connection with the provision of information society services offered directly to him or her at the age of 15. The revised Draft Law has not yet been approved by the Parliament and the Senate. No explanatory documents seem to have been published together with the revised Draft Law.
The draft law was approved by the lower house of the Parliament on 5 December 2018. It was sent to the Senate on 8 January 2019. The final version of the law set the age of consent for children at 15 years (article 7).
The Czech Data Protection Act was published in the Official Journal on 24 April 2019 taking effect on the day of its publication. Article 7 of the Act provides that children acquire the capacity to consent to the processing of personal data in connection with the provision of information society services directly to them at the age of 15. No explanatory documents seem to have been published together with the final law.
The Danish Ministry of Justice has published its Proposal for a Law on Supplementary Provisions for a Regulation on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Information. Under section 6 of the proposal the age of consent for children is set to 13 years. In July-August 2017 a public consultation concerning the proposal was conducted.
On 25 October 2017, the Minister of Justice proposed an updated Law on Supplementary Provisions to the Regulation on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Information (Data Protection Act). Section 6 of the updated proposal also deals with information society services being offered to children and their age of digital consent. Processing of children's personal data on the basis of consent in such situations is lawful if the child is at least 13 years old.
The new Danish Data Protection Act was officially adopted by the Parliament on 17 May 2018. The age of consent for children using digital services was set at 13 years (section 6). The reasoning for this decision included educational and social benefits of online services for children, their participation and inclusion in the digital world.
On 4 December 2017, the Director General of the Data Protection Inspectorate of Estonia stated that although the Ministry of Justice provided for the age limit of 14 years in the draft implementing law, the age limit needed to be reduced to 13 years as the same age is used by all major service providers, such as Google, Facebook, etc., which have so far been governed by US law and there is no reason to believe that young Europeans should differ from American youth in terms of access to different services. On 12 April 2018, the Draft Bill on the Protection of Personal Data was discussed by the Government of the Republic of Estonia which approved it. The draft was submitted to the Parliament (Riigikogu); the documents and procedure concerning the draft are available on the Riigikogu's website and the Estonian Data Protection Authority website. On 16 April 2018, the Draft Law on Personal Data Protection was published. Article 8 of the draft law (Eelnõu docx) regulates the processing of children's personal data for the provision of information society services and provides for 13 years as the age of consent for digital services for children.
The explanatory note of the draft law (Seletuskiri docx) refers to recital 38 GDPR stressing the need for specific protection for children, recital 58 stating that all information should be provided in a clear and simple language that is easily understood by a child and, finally, explains that the 13 year limit for children's digital consent was supported by various parties.
On 13 June 2018 the draft law was withdrawn due to the discussion surrounding the provisions which could possibly restrict the freedom of the press. The draft was returned to the Parliament, consequently, setting the age of consent for digital services for children at 16 years in practice until the law is adopted.
The final ‘Personal Data Protection Act’ implementing the GDPR was published on 4 January 2019 and came into force on 15 January 2019. The English language version of the Act has also been published and can be consulted here. Article 8 of this Act states that "[i]f Article 6(1)(a) of [the GDPR] applies in connection with provision of information society services directly to a child, processing of the child's personal data is permitted only in the case the child is at least 13 years old."
On 21 June 2017 the national GDPR implementation working group appointed by the Ministry of Justice published its report on GDPR implementation. No final decision was made in relation to the age of consent, but the report proposed lowering the age threshold to either 13 or 15 years. The draft implementation act has opted for the age of 13. This choice was based on the opinions received during the preparation of the proposal which highlighted the importance of the internet for young people and which advocated for a lower age limit. The act still needs to be adopted.
On 13 December 2017, the French Minister of Justice presented the Draft Bill on the Protection of Personal Data (Projet de loi relatif à la protection des données personnelles). The Draft Law does not provide for specific provisions dealing with the issue of parental consent, thus leaving the threshold at 16 years. The Explanatory Statement (Exposé des Motifs), accompanying the Draft Law, states that the Government has chosen not to use its margin of manoeuvre.
The CNIL, the French Data Protection Authority, published its opinion on the draft law on the protection of personal data. It provided an insight into the parental consent provision and the government's decision not to derogate. In its opinion on the Draft Data Protection Bill, the CNIL stated, first of all, that it was aware of the discrepancy between this provision and the reality of the digital practices of minors. It then articulated the necessary empowerment of young people and the special protection of their personal data that is required at this time of their life, adolescence, where disclosure of their data and potential attacks on their privacy may result in negative effects in their future. In this respect and in light of all the rights of the child as recognised by the French national legislation, the CNIL stated that it had not identified any decisive factors justifying the derogation from the default threshold of 16 years as the 16-year threshold corresponded to a common threshold in many legal contexts, particularly in contractual and banking matters. The CNIL added that such a parental consent threshold may, in fact, be considered as a means of creating an opportunity for dialogue between parents and their children on how they intend to protect their personal data on the internet and the precautions that shall be taken. In terms of practical implementation of the parental consent provisions, the CNIL promoted the adoption of specific obligations, in the form of codes of conduct or certification mechanisms, and in particular, strengthened protection in terms of profiling for advertising purposes.
In its Annex to the Report (Annexe au Rapport) of 25 January 2018 the French National Assembly proposed the addition of a new article 14a, concerning the implementation of article 8 GDPR. According to this provision, a minor may consent to the processing of personal data alone with regard to the offer of information society services from the age of 15. Discussions on the age of consent for children continued in April and May 2018.
On 21 June 2018, the French Law No 2018-493 on the protection of personal data was adopted and published in the official gazette. Article 20 provides for a revision of the article 7 of the Law n° 78-17 of 6 January 1978 and states that a minor may consent to the processing of personal data alone in respect of the direct offering of information society services from the age of 15 years.
Notably, the second part of the article introduces a joint consent stating that when the minor is under the age of fifteen, the treatment is lawful only if the consent is given jointly by the minor concerned and his or her parent(s). This is a very specific provision which is not found in other national implementation laws and it remains to be seen how exactly it will be implemented in practice.
Interestingly, the Law provides for a specific age threshold for consent in the context of health-related research, studies or evaluations. Under article 59 of the revised Law, a minor, aged 15 years or older, may object to the holder of parental responsibility having access to the data concerning him or her gathered during a (medical) study, research or evaluation. In this case, the minor can receive the information and exercise his or her rights on his or her own behalf.
On 27 April 2017, the German Parliament adopted the draft law on the Federal Data Protection Act amendment which would implement the GDPR. The draft law has been approved by the German Federal Council and will become applicable on 25 May 2018. The initial draft law can be found here and its adopted amendments are available here. In August 2017, the German Ministry of Interior published an English translation of the new Federal Data Protection Act. The choice not to derogate meant that the age of consent for children is 16 years.
The public consultation on the adoption of legislative measures for the application of the GDPR was opened on 20 February 2018 and was successfully concluded on 5 March 2018. The Greek Ministry of Justice has subsequently published the Draft Law on the Protection of Personal Data (Νόμος για την Προστασία Δεδομένων Προσωπικού Χαρακτήρα). Article 6 of the Draft Law sets the age of consent for children at 15 years. According to the article, in relation to information society services being directly offered to a child, the processing of personal data of a child, when based on consent, shall be lawful where the child who provides consent has reached the age of 15 years. Where the child is below the age of 15 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
As the draft law has not been adopted yet, the current GDPR article 8 age is 16 years.
In October 2016, the Hungarian Data Protection Authority published a 12-step guide on how to get ready for the GDPR. In relation to the offer of information society services directly to a child, the guide states that where the child is under the age of 16, processing of children's data shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. However, the possibility for Member States to lower the age to 13 is mentioned in the guide.
At the end of August 2017, the draft law on the amendment of the Hungarian Data Protection Act (Act CXII of 2011 on the right to information self-determination and freedom of information) and other relevant laws related to the GDPR were proposed and opened for public consultation.
In July 2018 the Hungarian parliament passed the Information Self-Determination and Freedom of Information Act which serves as the basic law implementing the GDPR. The Act does not mention children, thus setting the age for children's data processing consent at 16 years. At the beginning of October 2018 a draft bill amending sectorial data protection laws was also published.
On 5 July 2017, Geoffrey Shannon, Special Rapporteur on Child Protection, addressed the Joint Oireachtas Committee on Justice and Equality during a hearing in relation to the General Scheme of Data Protection Bill 2017. He proposed that the age of consent for children should be set at 13 years. On 30 January 2018, the Irish Parliament, Houses of the Oireachtas, presented the Data Protection Bill 2018 (An Bille um Chosaint Sonraí, 2018). The Bill's part 29 on the consent of child in relation to information society services provides that the age of a child specified for the purposes of Article 8 is 13 years of age.
Preceding this decision, in November 2017, the Joint Committee on Justice and Equality of the Houses of the Oireachtas released a Report on pre-legislative scrutiny of the General Scheme of the Data Protection Bill 2017. This report includes arguments presented to the Committee by various stakeholders (Geoffrey Shannon, Special Rapporteur on Child Protection, among others) and specifies many important aspects that need to be taken into account when implementing the GDPR provisions with regard to the protection of children. The Committee acknowledged the fact that the evidence submitted before it by children's rights organisations and their advocates indicated they all agreed that the age of consent of children should be set at 13 years. In this sense, the Committee reiterated that it ‘would help to ensure that children can practically enforce their rights such as, the right to participate in matters concerning him or her, right to be heard, right to express themselves freely and the right to access information need to be exercised effectively by children’. Finally, in addition to recommending setting the age of consent at 13 years, the Committee also recommended that the age of consent is ‘reviewed at appropriate intervals to ensure it remains suitable as technology evolves’. Moreover, the Committee also decided to recommend that ‘a detailed consultation take place with children of all ages to ascertain their views on the proposed measures for data protection’ and to include the definition of a child in the proposed legislation adopting the one set in article 1 of the UNCRC stating that a child is every human being below 18 years. Crucially, in the context of the relationship between data protection and digital safety, the Committee also recommended ‘that a policy framework and an associated educational programme be implemented to assist children in exercising their digital rights before they reach the digital age of consent’.
However, at the end of April 2018, news emerged suggesting that the main opposition parties in Ireland are trying to raise the age of digital consent for children to 16 years in an attempt to strengthen children's online safety. Politicians stated that they are planning to prepare "an amendment to the Data Protection Bill at committee stage in order to amend the age of digital consent from 13 to 16 years". Their reasoning is related to stronger protection of children's data, especially in the context of profiling and commercial targeting and decisions taken by other European countries, such as the Netherlands and Germany.
On 24 May 2018, the Irish Data Protection Act was signed into law by the President and was enacted. Section 31 of the Law sets the age of consent of children in relation to information society services at 16 years. Part 3 of the provision also requires that the Minister shall review the operation of the section no later than 3 years after the coming into force of the Act. Notably, section 32 of the Law requires the drawing up of codes of conduct with regard to the protection of children, the information to be provided by a controller to children, the manner in which the consent of the holders of parental responsibility over a child is to be obtained for the purposes of Article 8, integrating the necessary safeguards into processing in order to protect the rights of children in an age-appropriate manner for the purpose of Article 25 and the processing of the personal data of children for the purposes of direct marketing and creating personality and user profiles. The final decision of the Irish Parliament might have significant effects since many globally operating platforms, (currently) allowing children to join their services from 13 years onwards, have their main EU establishment in Ireland.
Also, section 30 of the Irish Data Protection Act introduces a specific rule on micro-targeting and profiling of children – "it shall be an offence under this Act for any company or corporate body to process the personal data of a child […] for the purposes of direct marketing, profiling or micro-targeting. Such an offence shall be punishable by an administrative fine […]."
An amendment to the Data Protection Act, the "Act to amend section 30 of the Data Protection Act 2018 in order to protect a child's personal data from being processed for marketing purposes and to provide for related matters" was submitted on 29 November 2018 to the Dáil Éireann, the lower house of the Irish Parliament and is currently pending. According to the proposed new version,
"[a] child's personal data shall not be processed for marketing purposes where such processing is based solely on automated processing, including profiling. […] It shall be presumed to be unlawful for a child's personal data to be processed for marketing purposes where such processing is based partially on automated processing, including profiling in which case the controller shall be responsible for and shall be able to demonstrate the lawfulness of the processing in each individual case."
On the 19th of December 2018, the Irish Data Protection Commission opened a "Public Consultation on the Processing of Children's Personal Data and the Rights of Children as Data Subjects under the GDPR". The consultation closes on 1 March 2019.
On 6 November 2017, the Law No 163 on the Delegation to the Government for the Implementation of European Law was published in the Official Journal No 259. The Law contains the delegation to the Government to prepare, within 12 months, legislative decrees on the implementation of, among other legislation, the GDPR.
On 21 March 2018, the Council of Ministers approved a preliminary legislative decree which adapted the national legislation to the GDPR. Article 6 of the decree set the age of digital consent for children at 14 years. Notably, article 2 of the updated and final version of the decree provides that the processing of children's personal data shall be lawful where the child is at least 16 years old.
The legislation was adopted on 10 August 2018 and changed the child age of consent for digital services, following the opinion of the Italian Data Protection Authority. The new provisions came into force on 19 September 2018. According to article 2-quinquies of the updated act, the age of consent for children is now 14 years.
At the end of September 2017, the Latvian Ministry of Justice published the Latvian Draft Law on Personal Data Processing (Likumprojekts. Personas datu apstrādes likums). Article 43 of the Draft Law sets the conditions for the consent of the child in relation to information society services. According to this provision, pursuant to article 8 GDPR, when information society services are offered directly to the child, the consent of the child constitutes the legal basis for his or her data processing if the child is at least 13 years old. If the child is younger than 13 years, parental consent shall be obtained.
On 21 June 2018 the new Personal Data Processing Law was published and entered into force on 5 July 2018. Article 33 includes the conditions for the consent of the child to information society services and officially sets the age for such consent at 13 years.
On 15 June 2017, the official draft Law on Legal Protection of Personal Data prepared by the Ministry of Justice and the State Data Protection Inspectorate was published. The draft law mostly focuses on the procedural issues and legal powers of the data protection authority and does not mention the issue of the age of consent, thus, unless other legislative action is taken, setting it at 16 years.
On 30 June 2018 the Lithuanian Parliament officially adopted the national GDPR implementation law – Asmens duomenų teisinės apsaugos įstatymas – and it came into force on 9 July 2018. The age of child consent for digital services was changed to 14 years (article 6).
On 12 September 2017 the draft law establishing the National Commission for Data Protection and implementing the GDPR was published in Luxembourg. The draft law does not address the issue of parental consent, therefore setting the age of consent at 16 years.
On 16 August 2018 the official Act implementing the GDPR and establishing the National Commission for Data Protection was published and entered into force on 20 August 2018. The law, like its previous draft, does not mention children, thus setting the age of child consent for digital services at 16 years.
On 27 April 2018, the Maltese Data Protection Act 2018 (Bill No. 40) was published in the Supplement to the Government Gazette. According to article 1(2) of the Act, different parts of the law may come into force on different dates, depending on when the Minister responsible for data protection prescribes specific regulation on different aspects of the Act. Article 33 explains that the Minister may prescribe regulations concerning, among other matters, "the establishment of a lower age than sixteen years where the processing of the personal data of a child shall be deemed to be lawful in the absence of consent by the holder of parental responsibility over the child". Until the Minister decides to lower the age of digital consent for children, it appears that the general GDPR threshold of 16 years will apply.
On 29 May 2018, however, the new detailed Maltese Data Protection Act was published. In addition to the general document, separate chapters relating to the implementation of the specific aspects of the GDPR were also published. One of these additional acts addresses the Processing of Child's Personal Data in relation to the Offer of Information Society Services (S.L. 586.11) in particular. The chapter, published on 1 June 2018, specifies that "[t]he processing of personal data of a child in relation to information society services shall be lawful where the child is 13 years of age."
The proposal for a Dutch GDPR Implementation Act that sought to implement the GDPR was published online on 9 December 2016 for the purpose of a public consultation. This document stated that there is no reason to deviate from 16 as the age for consent, this being the age that was also used in the previous Data Protection Act. The Dutch Data Protection Authority has confirmed afterwards that in all probability there would be no derogation from the age of 16 in the Netherlands.
A new proposal for a law laying down the rules implementing the GDPR was published on 13 December 2017. Article 5 of this proposal clarified that if article 8 GDPR was not applicable, the age of consent for children would be 16 years. The Explanatory Memorandum accompanying the proposal stated that the age of 16 was already introduced in the Dutch Personal Data Protection Act and there was no reason to make a different assessment. For this reason, no lower age limit was included in the Implementation Act.
The final GDPR implementation act was published in the Official Journal of the Kingdom of the Netherlands on 22 May 2018. Article 5 of the implementation act sets the child age of consent for the use of digital services at 16 years.
On 28 March 2017 the Ministry of Digital Affairs presented a preliminary draft of certain provisions of a new Personal Data Protection Act. It was proposed that the consent of parents or legal guardians of a child to process that child's personal data will be required for children under the age of 13. On 14 September 2017, an updated Draft Personal Data Protection Act was published which kept the age of consent at 13 years.
An introduction to the draft law on the protection of personal data, which is published together with the draft law, explains that the age of 13 was chosen because of the similar age threshold provided by the Polish Civil Code (article 15), which states that a person who has reached the age of 13 has limited legal capacity and can therefore conclude ‘minor contracts of daily life’. In this context, the document explains that it is also justified to accept the age of 13 for the effective expression of consent by the child for the processing of personal data relating to him or her, as there is no reason to assume that a person who can manage his or her earnings and conclude minor contracts is not entitled to consent to the processing of his or her personal data in accordance with the provisions of the GDPR, also bearing in mind that consent may be withdrawn at any time.
On 10 May 2018 the final text of the Law on the Protection of Personal Data adopted by the Senate was published. Unlike the draft law, the final law does not refer to children – the child age of consent provision was removed without explanation, setting the age at 16 years.
At the end of March 2018, the draft law implementing the GDPR in Portugal was approved by the Council of Ministers. A press release from the Presidency of the Council of Ministers included the decision to set the age of digital consent for children at 13 years.
The draft law implementing the GDPR in Portugal (Proposta de Lei n.º 120/XIII) was officially published in April 2018. Article 16 of the draft law provides for 13 years as the age of consent for children. The second part of article 16 specifies that in cases when a child is younger than 13 years, parental consent must be obtained. The draft law also specifies two possible methods of parental authentication – the law states that parents should preferably use secure means of authentication, such as the Citizen's Card or the Digital Mobile Key.
The draft law also explains why the age of 13 was chosen as the child age of consent for digital services. The age of 13 is considered appropriate and in line with the choices made in other Member States of the EU and also corresponds with the age required by the terms and conditions of many transnational digital services and platforms (Statement of reasons, Exposição de Motivos, page 5).
The draft law was approved by the Portuguese Parliament on 14 June 2019. Article 16 of the final GDPR implementation law sets the age for the ‘consent of minors’ at 13 years. According to the second part of the article, if the child is less than thirteen years old, processing is only permissible if the consent is given by the child's legal representatives, preferably through the use of secure means of authentication.
As explained in the report of further considerations, paragraph 2 of article 16 was reformulated. The change concerns the unanimously approved removal of the words ‘such as the Citizen Card or the Digital Mobile Key’, therefore deleting the reference to the concrete means of secure authentication.
The final law approved by the Parliament still awaits the promulgation by the President of the Republic and will come into force the day after its publication in the Official Gazette of Portugal (Diário da República).
On 5 September 2017, the Romanian Ministry for Internal Affairs published a Draft Law for Amending and Completing the Law no. 102/2005 Regarding the Establishment, Organization and the Functioning of the National Supervisory Authority for Personal Data Processing, as well as for the repeal of Law no. 677/2001 for the Protection of People with Regard to the Processing of Personal Data and the Free Movement of Such Data. On 14 March 2018, the proposal was submitted to the Senate. The Draft Law mainly regulates the organisation and functioning of the national data protection authority and does not mention any derogations in terms of article 8 GDPR.
On 26 July 2018 the Romanian Data Protection Law implementing the GDPR was published in the Official Gazette. The final law does not mention children and their consent in cases when information society services are offered to them, consequently leaving the age of child consent at 16 years.
The proposed Law on the Protection of Personal Data and on Amendments to Certain Acts (Zákon o ochrane osobných údajov a o zmene a doplnení niektorých zákonov) has been published in Slovakia. Currently, this Draft Law is being negotiated by the National Council of the Slovak Republic. Article 15 of the Draft Law provides that personal data may be processed by operators in the context of the provision of information society services in cases where the data subject has reached the age of 16 years. The Explanatory Statement accompanying the Draft Law (Dôvodová Správa) explains that children deserve special protection of their personal data as they are less aware of the risks and consequences associated with the processing of their personal data, especially when their data is obtained through a publicly accessible internet network.
On 30 January 2018, the new Slovakian Data Protection Law (no. 18/2018 Coll.) was published. It entered into force on 25 May 2018. The age of digital consent for children was left at 16 years (article 15).
In January 2018, a draft of the new Personal Data Protection Act was published for a second round of public consultation which was closed on 2 February 2018. Article 11 of the Draft Law regulates the conditions applicable to the consent of the child in relation to the use of information society services and specifies that the age of digital consent for children is set at 15 years. The explanatory part of the Draft Law makes a reference (on page 90) to the US COPPA and specifies that the age of 15 was chosen with regard to the systematic guidance of the Slovenian Family Code, according to which a 15-year-old child can take legal action on his or her own, unless the law provides otherwise.
On 4 April 2018 an updated version of the proposal of the Personal Data Protection Act (ZVOP-2) was published. Article 11 still provides for the conditions applicable to the consent of a minor to use information society services and keeps the age of 15. Notably, part 3 of the article also specifies that the consent provided by a minor shall not be conditional. In more detail, the provision of consent shall not be conditional for playing games, receiving price offers, taking part in social media or other similar activities which could lead to a minor providing more personal data than necessary for the performance of such activities.
As the proposed law has not been adopted yet, the current article 8 GDPR age is 16 years.
Previously, in its publication "The GDPR in 12 questions" the Spanish Data Protection Agency explained that the age to obtain valid consent from children in Spain was 14 years and would continue to be the same when the GDPR would come into force.
However, in June 2017, the Draft Law for the Protection of Personal Data was published by the Spanish Ministry of Justice and was passed by the Council of Ministers in November 2017. Article 7 of the Draft Law refers to the consent of minors and sets the age of digital consent for children at 13 years. The document evaluating the impact of the proposed draft law (pages 47-49) explains, in section G, that the Draft Law has a positive impact on childhood since it provides for greater possibilities for development and participation in society for young people. Moreover, it is stated that restrictions on the access to the Internet and its services could lower children's possibilities of development and obtaining capacities and skills needed to face the challenges of digital life. References to the child's right to be heard, the promotion of children's maturity and autonomy, practical difficulties concerning age verification, especially bearing in mind the need for location tracking of children in those instances, are also made in the document.
On 6 December 2018 the Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights was published in the Official Gazette of Spain. Article 7 of the Law officially sets the age of child consent for the processing of his or her personal data at 14 years.
Interestingly, article 84 provides for the rules applicable with regard to the protection of minors on the Internet. According to the article, parents, guardians or legal representatives of a child shall endeavour to ensure that minors use digital devices responsibly and in a balanced manner in order to guarantee children's right to the development of their personality and to preserve their dignity and their other fundamental rights. The second part of the article states that the use or dissemination of images or personal information of minors in the social networks and equivalent information society services, the use of which could result in an illegitimate interference with children's fundamental rights might lead to the intervention by the Public Prosecutor's Office, which will urge the precautionary and protective measures provided for in the Organic Law 1/1996, of January 15, on the Legal Protection of Minors.
Under article 92, which focuses on the protection of children's data on the Internet, the educational facilities and any natural or legal persons that provide activities in which minors participate are required to guarantee the protection of the best interest of the child and his or her fundamental rights, and especially their right to data protection. When children's personal data is published or disseminated through social network services or equivalent services, the consent of the child or a parent must be obtained in accordance with article 7.
On 12 May 2017 Sweden's data protection authority published an extensive evaluation document on the recommended implementation of the new data protection standards introduced by the GDPR. It concerns national derogations that are permitted according to the GDPR, as well as the impact of the GDPR on national legislation and the changes that will have to be introduced. In terms of consent and children, the document indicates that minors who have reached the age of 13 should be allowed to consent to the processing of their personal data. For children younger than 13, parental consent would be required.
On 18 April 2018, the Swedish Parliament (Riksdag) adopted the new Swedish Data Protection Act, setting the age of consent for children at 13 years (2 kap 4 §).
On 7 August 2017 the Department for Digital, Culture, Media & Sport published its statement of intent on a new Data Protection Bill. The document addresses the issue of the age of consent specifically, stating that the planned legislation will allow a child aged 13 years or older to consent to their personal data being processed. In September 2017, the UK Data Protection Bill was published and officially set the age of consent for children at 13 years (article 8). Since then, the UK Information Commissioner's Office published draft Guidance on Children and the GDPR. The Bill was also discussed by the House of Lords. They have proposed to impose an obligation on the ICO to prepare a code of practice which contains such guidance as the Commissioner considers appropriate on standards of age-appropriate design of relevant information society services which are likely to be accessed by children. During subsequent discussions in the House of Commons, this amendment was supported as well.
The final UK Data Protection Act 2018 was adopted (received royal assent) on 23 May 2018. Section 9 of the UK Data Protection Act sets the age of child consent with regard to information society services at 13 years. According to the Explanatory Notes on the Act, this decision is "in line with the minimum age set as a matter of contract by some of the most popular information society services which currently offer services to children (e.g. Facebook, WhatsApp, Instagram)." Moreover, the explanatory note also provides that "as long as a child is capable of understanding the processing to which they are consenting and is capable of making a free and informed decision, then it is considered that the child is capable of consenting to any processing of personal data."
Section 123 requires the Information Commissioner's Office to prepare a code of practice which contains such guidance as the Commissioner considers appropriate on standards of age-appropriate design (i.e. design of services so that they are appropriate for use by, and meet the development needs of, children) of relevant information society services which are likely to be accessed by children. Views of children, parents, persons who appear to the Commissioner to represent the interests of children, child development experts, and trade associations must be taken into account while preparing this code. Interestingly, the section explicitly mentions that regard must be had to the fact that children have different needs at different ages, and to the United Kingdom's obligations under the United Nations Convention on the Rights of the Child.
Additionally, section 208 of the UK Data Protection Act 2018 provides information on the treatment of children in Scotland. The first parts of the section entail some explanation as to the legal capacity of a child and state that a child who is under 16 may exercise rights conferred to him or her by data protection regulation and give consent to data processing. According to part 3 of this section, "a person aged 12 or over is to be presumed to be of sufficient age and maturity to have such understanding, unless the contrary is shown." According to part 2 of section 208, "the person is to be taken to have that capacity where the person has a general understanding of what it means to exercise the right or give such consent".
The ICO held a consultation on an Age Appropriate Design Code, in which views from parents, carers, and children were sought. The consultation closed on 5 December 2018. Responses to the call were published on the ICO's website.
Most recently, in mid-April 2019, the ICO published a first draft code for consultation under the title ‘Age appropriate design: a code of practice for online services’. It proposes a number of concrete recommendations for collection and processing practices with regard to children's personal information regarding, for instance, the best interests of the child, transparency, detrimental use of data, default settings, data minimisation, geolocation, parental controls, profiling, nudge techniques, connected toys and devices and data protection impact assessments.
Non-EU Member States
Norway (Member of the European Economic Area)
In July 2017, the consultation paper for the new Draft Personal Data Act implementing the GDPR in Norway was published. Section 8 of the consultation paper set the age of consent for children at 13 years (section 32 Behandling av barns personopplysninger). The paper also rather thoroughly explained the main principles applicable to the treatment of children's personal data, such as children having the same rights as adults and the importance of the principle of the best interest of the child (pages 112-116). The paper also stressed that the GDPR does not define a child and thus referred to the UN Convention on the Rights of the Child, according to which all persons under the age of 18 are considered children. The consultation paper also included a lengthy discussion on the age of maturity of children and detailed the opinions of different actors involved.
In May 2018, the Storting (Norwegian Parliament) approved the new Personal Data Act which implements the GDPR in Norway. The Law, the draft of which was initially proposed by the Norwegian Ministry of Justice and Public Security, states that the age of consent for digital services should be 13 years (article 5). The Norwegian policymakers have devoted extensive attention to the regulation of the age of consent of children (pages 95-100). In particular, the policymakers mention the fact that children and adults have the same rights, that the best interest of the child shall be respected and that children merit specific protection with regard to their data processing. Section 13.4.2 provides the insights of different consultation bodies, some of them arguing that setting the age of consent at 13 would not protect children enough, while other bodies stressed the need for respect for the child's right to self-determination, the child's right to information and freedom of expression.
Switzerland (Member of the European Free Trade Association)
In September 2017, the Preliminary Draft of the Federal Act on Data Protection and the amendment of further decrees on data protection was published by the Federal Council. The press release of the Federal Council stressed the need for improved data protection and strengthening business opportunities. The draft law does not mention children or their age of consent to digital services, thus, setting it at the age of 16 years.
This mapping has been drafted in the context of the project ‘A children's rights perspective on privacy and data protection in the digital age: a critical and forward-looking analysis of the General Data Protection Regulation and its implementation with respect to children and youth’ (Ghent University, Special Research Fund). This project monitors the implementation of the GDPR in relation to children('s rights) from 2017 until 2021.
The authors wish to express their sincere thanks to everyone who has provided them with information so far.
This is the updated version of the article first published on 19 June 2017 which was further updated on 10 July 2017, 16 August 2017, 12 October 2017, 8 February 2018, 16 April 2018, 25 May 2018, 28 June 2018 and 22 January 2019.
1 Please note that other legitimation grounds can also be used by data controllers (article 6 GDPR). For more information, see the Report on the Roundtable on the GDPR and children's rights.