The General Data Protection Regulation, which will apply throughout the EU (including the UK) from 25 May 2018, contains provisions intended to enhance the protection of children’s personal data. LSE Professor Sonia Livingstone has been leading an effort by experts to explore the implications of the regulation and highlight issues that policy makers should address.
In the digital age, how is the balance to be achieved between children’s rights to information and participation and their rights to privacy and protection? Who knows best in making this judgement – industry, the government, parents or children themselves?
On 14 October 2016 the Media Policy Project hosted an expert round-table meeting at the LSE to discuss the impact of the General Data Protection Regulation (GDPR) on children. Combining robust discussion with explanation of how the challenges of interpretation and implementation look from different stakeholder and legal perspectives, the result is a report, produced by Pascal Crowe, which raises some crucial questions.
A series of blog posts from participants preceded and followed the event, as summarised below. There’s plenty to worry about, in terms of children’s wellbeing, as Jeff Chester documents:
“The largely unchecked role that data-driven digital marketing plays in the lives of adults is troubling enough. But we should all be concerned about its impact on young people. From undermining their privacy, to encouraging them to buy junk food, “pester” their parents to spend money, promote products and brands to their friends by serving as influencers, or stealthily honing their identity and social development to promote life-long brand loyalty, marketers and media companies are playing an important role shaping this and future generations of young people.”
There’s also plenty to worry about in terms of the commercial basis of the internet, as Joanna Adler observes:
“If we’re not paying for something that costs something to produce, how is it funded? We’re the data. Ad-tracking and algorithm-based filtering are based on our choices, but are not neutral. We pay for all the stuff we like to access or own ‘for free’, through our privacy, our preferences and those of our children – data from phone beacons, search engines, streaming selections, the outcomes of conscious and non-conscious decisions that we make on devices and that we pass on, time and again, without thinking. The extent to which that’s a problem depends on who is getting data, about whom, the security of data, the extent and efficacy of anonymisation, the uses to which the data are put, whether or not users have genuinely chosen to pass on such data, whether or not they are legally empowered even to consent to their data being used in such ways, and the impacts this all has on us.”
But is the GDPR well suited to address these problems? On the regulatory requirements, Member States – and information service providers (the “internet value chain”) – face some major challenges, as Sonia Livingstone reviewed, including:
- Article 8: Verified parental consent required for under 16s (or 13s, if member states so determine) to use ‘information society services’.
- Article 12: Transparency of communication in a ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’ for data subjects, especially children.
- Recital 71: No data profiling of children (now seemingly defined as under 18). This is stated in a recital not an article, so does this mean that children’s personal data should not (and will not) be collected for commercial profiling purposes? Can children’s data even be reliably distinguished from the rest?
- Recital 65: The right to be forgotten (for all, but especially if consent was given when a child). This is often called for by children (and is, indeed, also a concern for parents) and is so much to be welcomed (though unlikely to prove straightforward in practice).
- Article 57: Effort to ‘promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing’, with special attention to children.
On the relevant evidence, Sonia Livingstone and Kjartan Ólafsson analysed Ofcom data to show that children progressively gain in commercial media literacy with age, experience and maturity, although even among adults – and parents – there are crucial gaps in how well internet users grasp the commercial nature of the online environment. They conclude that:
“The present data measure the size of the [educational] gap to be filled, to bring 13 year olds up to the knowledge of 16 year olds (and, ideally, to bring up the knowledge of the entire population from present insufficient levels of knowledge about the commercial environment and the conditions of online data exploitation).
“If the UK selects 16 rather than 13 as the age for parental consent of children’s internet use, to the likely dismay of teenagers, also important would be the likely costs in teenagers’ reduced opportunities for creative, educational, civic and communicative activities online.”
These are not only questions for educators and government. Also important is the question of how and when will industry produce the required codes of conduct for dealing with children and children’s data? By what criteria, and drawing on what evidence of risk and likely impact (see Article 35), will the supervisory authority (the Information Commissioner’s Office) approve these? An Article 29 Working Party is working on guidance here but so far has said little about children.
Eva Lievens is rightly dismayed that the GDPR has so far taken no account of evidence about or – as Joseph Savirimuthu notes, views from children and young people themselves. We asked one teen blogger for his views. He commented despairingly, already “my lack of privacy is almost Orwellian,” noting with many that age limits are a crude way of managing children’s rights:
“Whether we argue for more education on how to build a good digital footprint for young people or for more attention to the way companies are using our data as opposed to the way we share it, instead of taking the internet away from young people we should make the internet a safer place for everyone by engaging with social media platforms and other internet services.”
Nor is parental consent really the right mechanism to manage children’s rights online – for consent raises a host of problems, as Nathan Fisk observes, including in relation to the age until which member states require it, as Sonia Livingstone debates.
Vicki Shotbolt considered in more depth the dilemma of parents faced with often incomprehensible and fast-changing digital environments. She argues that if parents are to play this crucial gatekeeping role, which Sonia Livingstone notes can work with younger children at least, they need greater support, information and, indeed, respect. But where parents struggle, children may evade, leaving John Carr worried that the GDPR will have the unintended consequence of generating many “under-age” users, misleading potential sexual abusers about the age of their intended victims or, worse, allowing them to claim a defence in these terms.
“It is urgent that the implementation of the General Data Protection Regulation … is put high on the priority list of policymakers, children’s rights advocates, data protection authorities and industry.”
Indeed. We have tried to do exactly this. Now the UK, along with other Member States, has until May 2018 to get its house in order. Those quoted above and many more are ready to help and advise. Who will take the next step?
This post gives the views of the author and does not represent the position of the LSE Media Policy Project blog, nor of the London School of Economics and Political Science.