On 14 October 2016 a group of experts from various backgrounds joined a round table organised by LSE’s Media Policy Project, the UK Council for Child Internet Safety’s Evidence Group, the Centre for Digital Democracy and the School of Communication at American University, in order to discuss the impact of the General Data Protection Regulation on children and young people. In this post professor Eva Lievens of Ghent University urges the research community to identify concerns and challenges and communicate those to policymakers, data protection authorities and industry. To read more about the round table discussion see here.
The General Data Protection Regulation (GDPR) contains a number of provisions that may be particularly relevant to children and young people. Much attention has been devoted to article 8, which requires information society providers to obtain parental consent in order to lawfully process personal data of children under 16 years of age. EU Member States may choose to lower this age, provided that is not below the age of 13. This approach has been criticised for a number of reasons, including the possibility that providers may decide to stop offering their online services to children below the chosen age, the fact that reliance on parents will not always be possible or desirable and that technological solutions used to verify parental consent may be cumbersome or unreliable.
Another important consequence that has been the focus of much less debate since the adoption of the GDPR, is that from whichever age is chosen, adolescents will be put on a par with adults as regards consenting to the processing of their personal data. That may be from 16 upwards, or could be from 15, 14 or 13.
Furthermore, throughout the GDPR, both in the recitals and in the articles, reference is made to obligations (providing age-appropriate information; article 12; or conducting data protection impact assessments; recital 75) or prohibitions (profiling; recital 71) in relation to ‘children’ in general, without reference to any age. Does this mean that these provisions are actually applicable to all under 18s, if the universal definition of the United Nations Convention on the Rights of the Child is used?
Finally, there are a number of articles that do not explicitly refer to children, but that may be of particular relevance to implementing the necessary safeguards provided by the GDPR. One is article 25 that imposes the use of data protection by design and by default.
Given the fact that, in light of the above-mentioned provisions, many important decisions will need to be made before 25 May 2018, by policymakers (e.g. whether or not to choose a lower age), data protection authorities (e.g. with respect to the enforcement of the obligations) and data controllers (e.g. concerning the implementation of parental verification), it is crucial and urgent to construct an interdisciplinary evidence base that can support children’s rights-based policies with regard to the GDPR.
A four-year research project looking at the legal perspective will start at Ghent University, Belgium from 1 January 2017. The project will critically evaluate the GDPR and monitor its implementation with regard to the impact on children. This includes a comprehensive mapping of the various relevant provisions of the GDPR that may have an impact on the protection of personal data of children, as well as an in-depth children’s rights-based assessment of
(1) the rights and responsibilities of the various actors (children, parents, data controllers, data protection authorities),
(2) the principles and safeguards that need to be adhered to (for instance, security), and
(3) the mechanisms that will be introduced to implement the requirements imposed by the GDPR (e.g. data protection by design, verification tools, provision of information in understandable language, digital literacy, self-regulatory codes).
A comparative analysis will focus in particular on legislators’ motivation to choose a certain age, data protection authorities’ interpretation, practices and guidelines to data controllers regarding the GDPR, and practices and mechanisms used by data controllers, framed within different countries’ constitutional, legislative, jurisprudential and policy approach to the child’s right to privacy and data protection in the online environment.
Ultimately, this should lead to an answer to the question whether and how the right to privacy and data protection for children and youth in the digital age should be re-thought. Whereas the starting point for thinking about privacy in relation to children is often protectionist, the research project aspires to study to what extent the closely linked rights to privacy and data protection are multi-dimensional, and how they should be implemented in practice in order to advance children’s development and participation in the information society.
However, aside from legal research, research in other disciplines such as communications science, psychology, educational science, and computer science, will be essential in order to construct an evidence base that assembles information about the reality of children’s use of online services, their developmental capacities and understanding of data collection practices, and the potential of technology to implement safeguards and strengthen rights.
It seems clear that children and their rights have not been thoroughly considered in the course of the data protection framework review process. With its 173 recitals and 99 articles, the GDPR is a very extensive piece of legislation which covers many topics, obligations, sectors and actors. However, as children under 18 constitute an estimated one third of all internet users, it is urgent that the implementation of the General Data Protection Regulation that affects them is put high on the priority list of policymakers, children’s rights advocates, data protection authorities and industry.
This post gives the views of the author and does not represent the position of the LSE Media Policy Project blog, nor of the London School of Economics and Political Science.