Children and data protection in Estonia
- Estonian Safer Internet Centre
The General Data Protection Regulation (GDPR) of the European Union entered into force on Friday, 25 May 2018. Although the media in Estonia has quite thoroughly covered the changing data protection rights, they have not paid attention to children's rights. What does the new data protection framework mean for children?
Firstly, it is important to stress that children are subject to all the same personal data protection rights that apply to adults – for example, the rights of data subjects to access, rectification, and erasure of data. Why are we, then, speaking about children's rights separately? The regulation stresses several times that children's personal data deserve special protection, compared to adults'. Children simply might not be aware of all the dangers that can accompany a liberal use of their personal data, they don not comprehend the potential consequences. That is why they do not always know how to protect themselves from these threats.
Information society services
First and foremost, parents should stand for their children's rights. That principle also applies in terms of data protection. Parents give consent for using and gathering the personal data of their minor children. The new regulation creates one exception for this rule. According to the regulation, children can consent to their personal data being processed by the information society services if they are at least 16 years old. These services include different communication platforms, social media and email.
All members of the EU are free to lower the limit even further. However, the allowed age ranges between 13 and 16. According to the new Personal Data Protection Act, which was passed by the Parliament at the end of the year, Estonia has made a decision that children could decide for themselves after turning 13: do they want to give consent to their personal data being processed by a social media company or not. If the child is under 13, parents have to give consent. This would not establish a new restriction, but actually lower the age limit. Until today, parental consent has been the basis for processing children's personal data until the age of 18. From now on, the bar has been lowered when it comes to information society services. Estonia has actually taken quite a liberal approach – if the member state does not impose any exceptions, the 16-year old limit in the regulation will stand.
One important exception that has been addressed in connection to the regulation is that of counselling and prevention services. Parental consent is not needed and should not be required if the child is the direct consumer of these services. The most basic examples here are advice lines and helplines that the child can call on their own.
The new regulation requires all information regarding personal data processing to be presented clearly and simply. This especially concerns information meant for children. Adults might also sometimes struggle to understand the terms and conditions or contracts in complex judicial lingo. That only proves that children cannot grasp these messages. That is why the information has to be presented concisely, should be worded so that children can understand it easily. Visualising the data is also recommended. For example, online games for children should clearly explain to the child what data are gathered and why it is done. The same applies to all apps, programmes and services meant for children, regardless of whether they serve an educational purpose or are simply entertaining. Teachers, parents and youth workers should explain to kids that if the terms and conditions are unclear, they should seek parental advice. In case the child is not sure what data are being gathered and how they are used, they should be careful and avoid using these services.
Find out more information about the work of the Estonian Safer Internet Centre (SIC) generally, including its awareness raising, hotline and youth participation services, or find similar information for Safer Internet Centres throughout Europe.
- Estonian Safer Internet Centre
We consume online services more and more, and the skills to consume and shape these services knowledgeably are becoming more and more important. Children learn to use new technologies faster than adults as they are born into a world where the internet and smart devices are a natural part of life. Supporting the development of media and digital competences enables children and youngsters to participate in the digital society positively and respectfully.
- BIK Team
There has been a great deal of discussion recently about the EU General Data Protection Regulation (GDPR) and particularly around the impact on children and young people. The Information Commissioner's Office in the UK has recently launched a consultation document which provides more detailed guidance for (UK) organisations who are processing personal data under the GDPR.
- BIK Team
From May 2018, the General Data Protection Regulation (GDPR) will take effect in EU Member States. The GDPR aims to strengthen, simplify and harmonise data protection regimes across Europe, giving individuals control over how their data are processed. It explicitly acknowledges that children merit specific protection.