Last week, the UK government announced its plans for a new Data Protection Bill that would give people “more control over their personal data” and enable them to be be “better protected in the digital age.” LSE’s Sonia Livingstone looks the implications of the Bill for child rights and highlights areas that might need more work.
Unexpectedly for many interested observers, in these slow days of summer, the government has suddenly announced its statement of intent regarding the Data Protection Bill that will bring the European General Data Protection Regulation into UK law by next year. As my colleague Orla Lynskey observes, this welcome extension of UK citizens’ rights is, from the UK’s point of view, little more than a re-branding exercise for the already-agreed European regulation with, she adds, some “lamentable” and “glaring” UK mistakes thrown in for good measure.
But for those of us concerned with child rights, it is even more welcome that the statement of intent includes 23 mentions of the word “child.” Anyone following our series of posts on this blog, extending the insights from our GDPR Expert Roundtable last October, will know that we’ve been calling for a process that involves public consultation, rigorous evidence, and includes the views of children (as is their right).
Someone glancing through the long list of organisations that responded to the (opaquely named and easily missed) “Call for views on the General Data Protection Regulation derogations will be perhaps partially reassured at the range of views available to the government, although remarkably few of them represent children (or, indeed, parents). It is unclear though whether any of them submitted, or are even aware of, relevant evidence concerning children’s ability to consent to providing their personal data on private (or public) online information services (though I sent in mine and I’m sure the Children’s Commissioner for England sent in hers, as I’m assuming did Young Scot).
Expectations are running high – there’s a discussion paper just out from UNICEF on business responsibilities for children’s privacy rights in a digital world; a Council of Europe consultation ongoing for member states to promote, protect and fulfil children’s rights in the digital environment; the recent House of Lords report on growing up with the internet reviewing the evidence that privacy-by-design is now urgent; a current class-action lawsuit against Disney for exploiting kids’ personal data without parental consent; and more.
So do those 23 mentions in the government’s Statement of Intent cut the mustard?
- 13 not 16 as the age of consent: see the claim that this “will require parents or guardians to give consent to information services where a child is under the age of 13.” No surprises there, no change from present practice, and certainly this is good for teenagers’ participation in the digital world. But since Ofcom’s evidence shows that fewer than half of 12-15 year olds can identify an online sponsored result, let alone understand how companies exploit their personal data, this surely must be accompanied by a significant increase in media education, as well as better privacy-by-design.
- Perhaps 13 was chosen because, as John Carr has noted, once Ireland – where the big social media companies are based – decided on age 13, the UK’s decision was all-but irrelevant. Incidentally if it were really the case that “Child online safety is one of the top priorities for this government” then 16 would have been a better age – if kids couldn’t go online without parental permission till they were 16, I’d guess that much cyberbullying, sexting and other online trouble would be eliminated among teens.
- But of course this is to beg the crucial question about under-age use. Here the Statement is inadequate, noting weakly that “We expect responsible websites to have minimum age rules and policies to ensure that children are not exposed to inappropriate content.” We’ve always expected them to be responsible, but what’s going to change? Facebook blames parents for the fact that it is used by 55% of the 26% of 8-11 year olds with a social media account and even more 12 year olds, and Instagram doesn’t even ask (presumably hoping that if they don’t ask, it’s not their problem).
- Media education will be vital. Whatever the government’s reasons, and whatever one’s expectations of social media and other online providers (and, indeed, the Information Commissioner’s Office, which is already backing away from fining companies), the importance of education remains considerable. The Statement says: “Through our work on online safety, the government aims to give children the tools they need to maximise these opportunities, including through education and awareness, to build their digital literacy skills, and stay safe online.” Great. But we’ve said this since 2009 when the UK Council for Child Internet Safety was formed (and before). So, have we made progress? Hard to say, especially since the complexity of what children need to know – think of the Internet of Things, robots, AI, VR, algorithmic processing and more – is surely outpacing teaching training.
- The right to be forgotten is strongest for children, including once they’ve grown up: “a post on social media made as a child would normally be deleted upon request.” Good idea, but we’re all waiting to see how that is going to be practical. What kids know already is that once their posts have been screen-shot and shared, there’s little to be done.
- The right to know looks set to be interesting – “privacy notices – which set out how an organisation plans to use the personal data it collects – [must] be in a format which children can understand” (which is far from easy).
- That’s all, folks. Nothing to answer the many legal and regulatory queries raised in a recent EC Better Internet for Kids expert meeting regarding, for instance, the legitimacy of data profiling of children, protections for children aged 13-17, what constitutes an ‘information society service’ ‘directly offered to a child’, other legitimate grounds for processing a child’s data other than consent, etc.
Next is for Parliament to debate the Bill, with the first reading in September and presumably much lobbying and argumentation to follow. Let’s hope that in the headline-grabbing struggles to regulate ill-prepared businesses, children’s right to privacy is not overlooked. Let’s hope, too, that everyone who cares about children’s rights in the digital environment now gets involved.
This post gives the views of the author and does not represent the position of the LSE Media Policy Project blog, nor of the London School of Economics and Political Science.
Are we expecting that legislation that operates at the point of data collection will ever be able to help much with the issue of risks to children? Unless there is mandatory age verification for all internet users, children will always be able operate in this environment without being detected – once they have reached the maturity level to know how to lie successfully about their age and are motivated to do so.
Could the focus on WHAT is done with children’s data be more effective than focusing on the moment of data collection? When it comes to the ‘what’, it can be much easier to detect that children are involved: for example, targeting of advertising towards products for minors. There also could be bans on data sharing that is based on age (or age-proxy) profiling and that result in an identified ‘minors’ group.
Regarding rights to erasure, these should be available to all (and are available to all under the GDPR, with some limited exceptions).
Sonia’s article is an interesting one, and I agree there are many dangers affecting children which do need to be addressed relating to social media. I must say though I also agree with your comments, whether it was getting into a pub under age back in the 60’s (and beyond) or using social media now at the age of 8yrs, children will always find a way. If the age for any information social service be restricted to 16 or above it needs to be for that purpose only, For me there is another point worth mentioning, that being the age of capacity, could the government really turn the clocks back to the early 80’s when a 15year old could not make a personal choice, even with the help of the medical profession but without parental consent? I personally think not, and if they had it would have made that long fight well into the mid 90’s all for nothing. If the government had used the Data Protection Bill to change the age of capacity back to16 it would have had adverse effects in many other areas.