The new data protection regulation – possible wrinkles?

Late last week I was talking to a colleague from Sweden who works for a small social media start up. She was very exercised by the new GDPR.  They had already put their service together based on the notion that 13  was the minimum qualifying age in every country in the EU where they planned to work.

Her point now is that say 10 of the 28 Member States each opt to stick with 16 as the new default age and the other 18, between them,  go different ways across the other 3 options (15, 14 or 13) or  maybe they’ll split in some other way?  Anyway, potentially, this is going to involve the Swedish platform in having to rework the site, have more complex systems and get new Ts&Cs drawn up. They are going to have to spend money on lawyers and programmers – money they can ill afford but probably it won’t be such a burden for the larger, better established, richer  sites, most of which, she noted wryly, are not  European owned enterprises and have their Headquarters thousands of miles away.

But then she had a brainwave.  Suppose they just wait until they see which country opts for 13 as the minimum age and they then simply domicile themselves there or put all their servers there?  The Data Protection Authority in that land would have to make a finding that 13 was OK and wouldn’t that then have to be accepted by each Member State? This would achieve a Digital Single Market for young people by stealth – via the back door.

Otherwise the new law will come into effect in 2018 and any youngster who had told the truth about their age could face being kicked off if the site believes they are now or will be below their national minimum age.

Is there another Mr Schrems waiting to challenge such an expulsion?  My guess is because of the way the EU adopted this new rule the chances of them succeeding in overturning the decision will not be negligible.