The UK’s children’s organizations have submitted a detailed note to our data protection authority – the Office of the Information Commissioner. I won’t try to summarise it here. You can download it from the CHIS website. If you have any comments or suggestions please let me know.
In Brussels earlier this week at the ICT Coalition a few other matters arose that I had missed. One is important and obvious, the others were just important!
Obvious and important: we are all fixated on May 2018 but that is not a once and for all date. In May 2018 the GDPR comes into effect . This means unless a Member State has already “derogated” from a provision where derogation is allowed e.g. Article 8, all of the defaults will apply automatically. A country could, of course, still revisit a particular item afterwards and change its domestic law. I guess the only point is that between now and May 2018 everybody with an interest will or ought to have their heads down as they try to get ready for the big bang. Thus I am not sure if there will be any real appetite to reopen anything to do with the GDPR anytime soon after May 2018. This means May 2018 remains an incredibly important target date.
If a company sets itself up in a jurisdiction within the EU where the age of consent is, say, 13, can it apply the (traditional) “country of origin principle” and, in effect, make 13 the standard in every jurisdiction where it operates? I doubt it, otherwise what would have been the point of allowing Member States to choose in the first place?
Similarly, where the service is provided from outside the EU what latitude will there be to ignore or have terms and conditions or operational principles which would not be permitted if the business was within the EU? I think here the answer is “none” because somewhere there is a provision which says data can only be transferred across national boundaries if the third party has a data regime which is consistent with that prescribed by the EU in the GDPR. An age limit of 11 or 12, for example, would therefore not be allowed unless verifiable parental consent was obtained.
Within a classroom, if a teacher wishes to use a particular online resource in the course of a lesson is it necessary for every child in the class to have given their permission either for that specific site to be displayed or would a general consent be sufficient? What happens if such consent has not been given? Is the teacher allowed to proceed or must the child be excluded for the duration?
And if the children are below the age of data consent and their parents refuse to give permission?
The GDPR does not change or affect any rights children may have which are not linked to an “information society service”and it has been suggested that, for example, the “right to be forgotten” encompasses both online and offline environments.