The EU gets it completely wrong

I am Secretary of the UK Children’s Charities’ Coalition on Internet Safety (CHIS). In that capacity today I sent a letter to Claude Moraes MEP, who is Chair  of the European Parliament’s LIBE Committee.

If you want  the letter itself go to the CHIS site or try here  Below is the full text.

Dear Mr Moraes,

The General Data Protection Regulation (GDPR)

As representatives of leading British children’s organizations we would be grateful for the opportunity to discuss two things with you

  1. The substantive outcomes of the GDPR insofar as they affect young people
  2. The process which led up to the adoption of the GDPR

It is a matter of record that the adoption of the GDPR was preceded by a Trialogue. As is now seemingly routine, decisions taken within the Trialogue are being or have been endorsed within the European Institutions’ formal machinery. In the case of the LIBE Committee, of which you are Chair, this took place in December, 2015.

We understand the final stages of the adoption process will be completed in or by June of this year. Even at this late stage we would like to know if there is anything that could be done to reopen the question of the minimum age at which a young person might decide for themselves whether or not to hand over personally identifiable information to a commercial third party e.g. Facebook?

As things stand under the GDPR 16 will become the default. Member States were given an option to choose 15,14 or 13 as an alternative to 16 but for the reasons given below that does little to deflect or diminish our concerns. The UK Government has yet to make clear whether it will stick with the default or adopt one of the other options.

However, at no point in the several years of consultations which preceded the decision to make 16 the default age was such a potential outcome foreshadowed in any EU documents. Neither was there any mention of the possibility of Member States being offered, as it were, a menu of different ages from which to choose.

The only option referred to in any of the EU’s official consultative papers was 13 years of age, and that was presented as a proposed single EU-wide standard. 13 was justified solely on the grounds it was already in widespread use because it is a legal requirement imposed on US companies (by a Federal law passed in 1998, before the emergence of social media as we now know them). In the context of the EU’s declared intention to move towards a Digital Single Market having one EU-wide age at least had a certain logic. It is less obvious how having four will help deliver the larger objective.

Thus, we deplore the fact that to begin with no impact assessment was carried out prior to proposing 13 then, to compound the felony, neither was an impact assessment carried out to make the case for 16, 15 or 14.  The whole basis on which these decisions have been taken therefore remains completely opaque. This runs counter to assurances given by the European Parliament in respect of transparency.

We cannot overstate the magnitude of the decision you have taken but it looks to all the world as if it was made in a hurry, at the last minute, without any serious thought being given to its practical, legal, cost or welfare implications. The EU constantly tells us it takes youth issues seriously. The picture painted by this episode tells quite a different story.

Research published by the BBC earlier this month showed that over 75% of 10 and 12 year olds in the UK are members of social media services despite the companies’ stated minimum age being 13. Studies carried out over the years have shown similar high levels of non-compliance in pretty much every EU Member State. The GDPR will do absolutely nothing to address this because it imposes no obligation on social media services to verify the ages of its members. In that respect the GDPR unambitiously and timidly maintains the status quo. It is widely anticipated that when it comes into effect, country by country online platforms will simply adjust their minimum age to whatever is decided at national level and if that is higher than the current standard it will merely result in larger numbers of young people misrepresenting their real age. That is hardly a desirable outcome.

The UK’s children’s organizations cannot afford to employ lobbyists in Brussels so we rely heavily on our directly elected representatives to ensure our views are considered on relevant issues as and when they arise. Plainly that did not happen on this occasion

We have established there are no formal rules governing the conduct of Trialogues. Thus, when it became clear the original proposal to have a single age of 13 might be modified or abandoned you could have consulted with us or sought our views but you did not. Was there a reason for this? There was no way we could have reached out to you during the Trialogue, so to speak unilaterally, to  offer an unsought opinion on a matter we did not know was being considered.

We have also established that you did not consult with or discuss these matters with the Children’s Commissioner for England or the Office of the Information Commissioner. The failure to consult the OIC is especially perplexing given that any and all of the four options offered by the GDPR involves a change in the law.

If we are able to meet, inter alia we would also like to discuss how children’s rights and interests can become a more prominent part of the development of the Digital Single Market and any associated initiatives which impact on the quality of young people’s lives.