The General Data Protection Regulation, due to become law across the EU in May 2018, proposes introducing 16 as the minimum age at which a person can join an online service without the consent of their parents. John Carr, member of the Executive Board of the UK Council for Child Internet Safety, highlights the implications of the new regulation for child grooming laws and points to a major difficulty. For more analysis on the GDPR and children, see here.
At the moment none of the big companies that dominate the social media space engage in any kind of age verification in respect of anyone seeking to join or remain a member of their sites, or use their services. Unless they are targeting young children with a service such as Disney’s Club Penguin, neither do they try to obtain any form of verifiable parental consent.
As a result, gigantic numbers of children are on sites like Facebook and Snapchat, hanging with the (older, cool) kids, even though these sites specify 13 as their minimum age. In the UK, more than 75% of all 10-12 year olds have social media accounts. The proportions are higher in some other EU Member States.
The owners of a number of these social media sites e.g. Facebook, say they are helpless to do anything about this large scale breach of their rules. They cite parental collusion. But there has never been a legal obstacle to businesses engaging in age verification or seeking verifiable parental consent but because they are not obliged to, and because it’s messy and expensive, companies simply don’t. That being so, attempting to shift the blame on to the shoulders of parents seems a little mean-spirited, to say the least.
Right now though, for the purposes of the operation of grooming laws, all of this is irrelevant because the great bulk of sites and services currently specify 13 as their qualifying age and in no country in the EU is the age of consent to sex as low as 13. Thus, at the moment, nobody can go on a site and engage in any kind of interaction with a person in the belief that they MUST be old enough to take part in sexual activity.
This may well be about to change. Under Article 8 of the new EU data protection regime – the General Data Protection Regulation – 16 has been made the minimum age at which someone can join an online service without the site having to obtain parental consent. This becomes operative in May 2018 (but see below for more detail). Thus, if internet sites and services stick to their previous practice of NOT age verifying anyone or seeking parental consent and instead, as now, they simply draw a line at the legal minimum age, saying you must be 16 to be a member, any third party using that site or service in future will be entitled to say they had good reason to believe everybody they engaged with on the site was at least 16 and therefore was old enough to engage in sexual activity with them.
This effectively abolishes the crime of grooming in 25 out of the 28 EU Member States or at the very least it compromises the operation of the grooming law, making the task of bringing successful prosecutions that much harder. In these 25 Member States the age of consent to sex is 16 or less. Only in Malta, Ireland and Cyprus is the age of consent greater than 16, although quite how anyone will necessarily know they are addressing a person in one of those countries or what the age of consent to sex is there, is not entirely clear.
Now suppose someone – say an adult male – gets into a sexual conversation and they arrange to meet in real life in order to have sex. When they meet it is obvious, or should be, that the younger person cannot be 16, and more likely they are 12 or 13, but nevertheless they have sex anyway. The police find out. They decide to prosecute on the grounds that the adult male could not have had a reasonable belief that the person was 16. The consequences for the child as a witness could be catastrophic. The obvious first question from the defence will be “Are you a habitual liar or do you only tell lies when you are looking to have sex with older men?” There are rules which oblige the judge to protect a child from aggressive questioning, but equally there are rules which say the defence must be allowed to make their case.
Whichever way you look at it, Article 8 of the GDPR is bad news when looked at from this key perspective. How did it happen?
The original proposal from the Commission – first made in the draft proposal published in 2012 – was to establish the minimum age at 13. As previously noted, had that been agreed the grooming problem discussed here could not have arisen as in no country in the EU is the age of consent to sex as low as 13.
However, because the age of consent sits at the interstices of social policy and data protection, Commission officials anticipated that getting agreement on the age issue might be tricky. It could even raise a question mark over whether the EU had the legal competence to take such a decision at all. Maybe it is a social policy or educational issue? In the previous data protection regime, the one being replaced by the GDPR, a specific age is not even mentioned.
Officials therefore took a decision to delay discussion of the “age question” until the latest possible moment in the cynical belief that everyone would by then be completely fed up and would just want to be done with the text so they could move on. The “rule of 13” would therefore slip through on the nod. Their plan nearly worked.
On the fateful day in December, 2015 the moment finally arrived. The Luxembourg Presidency was in the chair at the Trilogue meeting. They asked the obvious question: “Why is 13 being proposed?” The truthful answer – which was boldly given – was that 13 was being suggested because it was the age that was already commonly in use because of a US Federal law (COPPA) adopted in the 20th Century, before social media existed. This did not go down well. Then without ANY consultation with ANY experts the politicians in the room plucked 16 out of thin air.
They did that at a meeting on or around 10/12th December 2015. Word leaked out. On 14 and 15 December, European media outlets were full of highly negative stories. Politicians hurriedly reconvened, and while they decided to stick with 16 as the default they also decided to give Member States a discretion to adopt a lower age, as long as it was not less than 13. Again they did this without talking to anyone in the child protection community but by introducing an element of choice they got the media off their backs. Mission accomplished.
The process was utterly shambolic from a child protection point of view. Nobody thought about the grooming angle and nobody thought about how having different ages in different countries might complicate enforcement questions in relation to grooming. Neither was there any discussion about the rights of the children themselves. Does setting an arbitrary age limit of 16 conflict with children’s rights under the UNCRC? Almost certainly it does.
Maybe having a single age is wrong-headed to begin with? Inconvenient though it may be, perhaps we need variable ages for different types of sites or services or different types of interactions? And where is the research to back up any particular age anyway? Relying on data from the pre -social media 20th century is just bizarre.
This post gives the views of the author and does not represent the position of the LSE Media Policy Project blog, nor of the London School of Economics and Political Science.