Joseph Savirimuthu, Senior Lecturer in Law at the University of Liverpool, argues that the revised EU General Data Protection Regulation, announced in December 2015, has been poorly thought through and, by preventing children from consenting to the use of their data on social networking sites, does not take the rights of children into account.
‘Europe Could Kick Majority of Teens Off Social Media, and That Would Be Tragic‘. This is just one of many headlines that struck a chord when agreement was reached on the General Data Protection Regulation (GDPR). The headline refers to a provision inserted in the GDPR, which, in one swift move on 15 December 2015, turned the clock back to the days when decisions about children were firmly placed in the hands of adults. From 16 December 2017, data protection policymakers unilaterally decided that children under 16 will be unable to consent to the use of their data by online information service providers such as Facebook, thereby effectively kicking them off many social media platforms.
This headline also reminded me of the case of Re Agar-Ellis ((1883) 24 Ch D 317). During the Victorian age, children were expected to follow the wishes and commands of their parents. Non-compliance was met with severe sanctions such as financial restrictions, banishment and even being cut-off from their inheritance. The power of the parent to control every aspect of a child’s live only ceased when a child attained the age of majority. The context may be different now, but the reasoning and consequences all too familiar.
Social networks and online communication services are the lifeline to childhood in the digital environment. Article 8 of the GDPR states that where information society services, such as those provided by social networking sites and mobile apps providers, rely on a child’s consent when processing his or her personal data, prior authorisation would be needed from persons with responsibility for the child. Article 8 feels so wrong in many respects. It effectively turns the clock back. It is anachronistic. It perpetuates the image of a vulnerable child whose choices, preferences and decisions cannot be trusted. And it is policymaking that has not been thought through to the point of being derided.
Of course, as many have pointed out, there are some qualifications. Where Article 6 (1)(a) applies, in relation to the offering of information society services directly to a child:
“the processing of personal data of a child below the age of 16 years, or if provided for by Member State law a lower age which shall not be below 13 years, shall only be lawful if and to the extent that such consent is given or authorised by the holder of parental responsibility over the child.” Information services providers will now be required to make “reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.”
The policy fudge is all too apparent – “or if provided for by Member State law a lower age which shall not be below 13 years.” Any contradictions thrown up by Article 8 are now to be delegated to Member States, with no guiding principles but ad hoc reasons framed as policy. There is an important point of principle that should not be overlooked – children’s rights and interests should not based on whims or founded on arbitrary rule-making.
It is not surprising that Article 8 has met with rightful indignation and disbelief. Children’s rights campaigners and advocates such as Janice Richardson questioned the short-sightedness of policymakers in using data protection regulation to encroach into broader social and developmental issues. Larry Magid, another renowned child safety campaigner, regarded this new provision as nothing short of policymaking that was well out of kilter with the cultural, social and developmental needs of children in the digital age. John Carr, a long time advocate of online child safety, felt strong enough to post a short comment in his blog highlighting the practical and likely adverse consequences of this last minute policy intervention. Sonia Livingstone who has been championing a digital rights agenda for children all over the world, gets to the heart of the issue by questioning the democratic credentials in the decision to introduce the age restriction. Article 8 sends out the wrong message at a time when significant strides are being made to ensure that children’s rights become the cornerstone in digital media governance and that their voices are heard before decisions that impact their daily lives are taken, and not after. Policymakers, and more specifically, the UK government should take the lead and address these concerns.
I want to conclude this short post by highlighting the salience of a common feature in all these reactions – the touchstone of children’s rights in the digital age is respect for their human rights. I discussed this aspect briefly, in Networked Children, Commercial Profiling and The EU Data Protection Reform Agenda: In the Child’s Best Interests? One concern buried in the analysis in that paper was that I was not entirely convinced that data protection policymaking was familiar with the values encapsulated in Article 24 of the Charter of Fundamental Rights, which states that in all actions relating to children, the best interests of the child must be a primary consideration. The inclusion of age and verification requirements in Article 8 of the General Data Protection Regulation suggests, at least from my reading of this provision, that policymakers have yet to fully grasp the significance of translating Article 24 of the Charter into meaningful policy adjustments into data protection law. If we learnt anything from the UK House of Lords judgement in Gillick about how law strives to balance societal, parents and children’s interests, it surely cannot be regarded as endorsing this mind set –
“Provided that if the parent of any pupil gives to the authority notice that he objects to the pupil availing himself of any of the provision [for medical treatment etc.] so made the pupil shall not be encouraged . . . so to do.”
Regardless of whether we think consent in the digital age is meaningless or just illusory, it still has a role in society, particularly where children are concerned. What is missing from the way policymakers have drafted Article 8 is an ability to appreciate, at a practical level, that if children as individuals are taken seriously, respect for their human rights would mean that their interests and needs are not readily assumed to be aligned with those of their parents. This is a debate for another time. Sometimes, it may not be a bad idea for policymakers in data protection to familiarise themselves with the wisdom of the common law, as considered by Gillick:
“The law relating to parent and child is concerned with the problems of the growth and maturity of the human personality. If the law should impose on the process of ‘growing up’ fixed limits where nature knows only a continuous process, the price would be artificiality and a lack of realism in an area where the law must be sensitive to human development and social change. If certainty be thought desirable, it is better that the rigid demarcations necessary to achieve it should be laid down by legislation after a full consideration of all the relevant factors than by the courts, confined as they are by the forensic process to the evidence adduced by the parties and to whatever may properly fall within the judicial notice of judges. Unless and until Parliament should think fit to intervene, the courts should establish a principle flexible enough to enable justice to be achieved by its application to the particular circumstances proved by the evidence placed before them. The underlying principle of the law …is that parental right yields to the child’s right to make his own decisions when he reaches a sufficient understanding and intelligence to be capable of making up his own mind on the matter requiring decision.”
As reactions to Article 8 of the GDPR have shown, in a democratic society founded on the rule of law, children (like adults) expect that laws are not imposed as an act of sovereign command. One wonders what the policymakers’ response would have been had children aged 13 appeared at the press conference holding placards with the following message: “How can this be, when now it is lawful for children above 13 to have a Facebook account?” Article 8 seems like a policy prescription attempting to address the future and does nothing more than mirror prejudices of the past.
This article gives the views of the author, and does not represent the position of the LSE Media Policy Project blog, nor of the London School of Economics.