Life is full of surprises

This blog could be a modern parable or warning that if you get fixated on one big thing you can easily miss other important stuff that is happening at the same time. It is also a timely reminder of how massively under-resourced the children’s lobby is when trying to keep on top of some of the major issues coming down the online track.

I speak, of course, about the GDPR. It is very obviously going to preoccupy many of us over the coming period – even those living in Brexitland.

Think about it. If the EU can compel the USA to agree to the new Privacy Shield – and the USA went along with it because they want their online businesses to continue being able to access European markets – does anyone seriously think Britain is going to develop  its own or a significantly different set of privacy rules for the internet? It’s absurd.  One way or the other the UK is going to have to work with the GDPR. And you will hear no complaints from me on that score. At least not yet.

A conversation in Brussels

Earlier this week I was in Brussels for two days, surrounded by privacy experts from the Commission, from national Data Protection Authorities, the new European Data Protection Supervisor, the Article 29 Working Party, from civil society and industry.  This was a hard core gathering.

I will now relay the gist of a key conversation I had with one of the most senior people. It mirrored another discussion I had with a different official the previous week so I am now confident this is not mere speculation or wishful thinking either on my part or on the part of the officials.

No express obligation to carry out age verification

I referred to the fact the GDPR does not expressly require any online service provider to verify the age of anyone joining or using their service (although there are rules about obtaining parental consent where the service is aimed at children).

As we know,  each Member State can set its own minimum age at which a young person is considered competent to hand over personal data to providers of online services such as Facebook without the provider having to obtain parental consent.  Member States can choose between 13 and 16 but if they do nothing in May 2018 automatically the default age will become 16.

The widespread assumption is that, as with the present arrangements, the big internet companies will just say that, in any given jurisdiction,  no-one below the minimum age can be a member or use their site or service. That simplifies everything.

However, absent any obligation to verify anyone or anything, particularly in countries where 16 is the lower age limit, the fear is all we will see on social media platforms is even larger numbers of young people misrepresenting their age so they can hang out with the older, cool kids.

A very unwelcome scenario

I then went on to say that, for example if, in a given country, the age limit for data was the same as or less than the age of consent for sex, on the face of it anybody using a relevant service would have a case to argue they had reasonable grounds for believing the person they were engaging with on or through the same service was old enough to talk about sex or meet up for sex. The crime of grooming would essentially wither on the vine, even though, as previously noted, there could nevertheless  still be millions of young people on the site who were in fact below the legal age.

At this point the official raised an eyebrow and said

That’s bit of a leap. Look at what it says about impact assessments

Here is the text of Recital 84

..where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation. Where a data-protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.

Article 35 gives effect to Recital 84.

To be perfectly honest I can see scope for arguing about how extensive the obligations are under Article 35. The Article speaks about the assessment being made in relation to the

impact….on the protection of personal data.

In other words not in relation to matters that are not connected with the protection of personal data e.g. the possibility of a minor being sexually abused or otherwise being exposed to an age inappropriate  environment.

Could such a literal reading lead to such a ridiculous outcome? Perhaps. Does that mean it definitely won’t happen? No.

The officials were clear

Even so the officials certainly saw the Recital and the Article as laying down a foundation for mandatory age verification in respect of certain classes of online services. We did not discuss any particular online sites or services but the major social media platforms were not far from my contemplation.

We shall see. I am not sure the officials fully grasped the revolutionary nature of what they were saying and therefore they might be unaware of the potential scale of the push back which, even now, is likely to be gathering force.