As expected it looks as if Ireland is going to end up with 13 as the age of consent for data purposes under the GDPR. This was the recommendation of Dr. Geoffrey Shannon, the Irish special rapporteur on child protection. It was made to a committee of the Irish Parliament. Apparently, all or most of the Irish children’s organizations supported Dr. Shannon although, according to the Irish Times, he suggested there had not, as yet, been any consultation with children themselves. Dr. Shannon wants that put right. We can only guess what might happen if children take a view which differs from his.
Will the country of origin rule apply?
As I have remarked in a previous blog, there is a view abroad that the country of origin principle should be applied to the GDPR. If that opinion prevails and Ireland does indeed go for 13 it could render Article 8 a dead letter, or at least reduce its importance considerably. Facebook, Google and many other tech companies are incorporated in Ireland and since their current minimum age is 13 they will be able to insist that nothing changes – not just in Ireland but anywhere in the EU. Even Spain’s existing law (which stipulates 14) and Holland’s (which is 16) in effect would have to be repealed or amended.
Other countries still agonising over where to draw the line can stop bothering. The views of children in those jurisdictions similarly are rendered irrelevant. Businesses that at the moment specify 13 will instantly have a major incentive to relocate to Ireland if their home jurisdiction opts for a higher one.
Businesses based outside the EU
What will happen to online services domiciled outside the EU? Will they be the only ones that have to have variable ages depending on the local decision in a given EU Member State? There would be a certain irony there as they are likely to be smaller concerns who may struggle to find the resources to implement the more complex systems implied by such a position. Maybe they too will have to relocate to the Emerald Isle.
It’s a funny old world
Back in 2012 when the Commission first published its draft of the GDPR they said there should be a single age for the whole of the EU and that age should be 13. Politicians in the European Parliament and national governments took a different view – that’s how we ended up with what is now Article 8 – but it could be that the Commission’s original position is going to win out in the end anyway, even if by a rather circuitous, unanticipated or unplanned route. This is bound to raise potentially uncomfortable questions about an issue of great sensitivity – a nation’s right to say how its children should be protected.
The arguments in favour of 13
The two strongest arguments in favour of 13 are, firstly, it avoids any possible erosion or compromise of the grooming laws because in no country in Europe is the age of consent to sex as low as 13 and, secondly, it represents the least restrictive of the available options in terms of potentially limiting a child’s rights to access information or their rights to express themselves. By the way, it does not do away with that latter risk altogether because who is to say that even 13 is lawful under the UNCRC and other binding legal instruments? The actual capacities of the individual child are meant to be the guiding principle and that cannot be determined solely by reference to a fixed age.
However, the latter is a counsel of perfection which is utterly unworkable in the internet age, or rather to make it work would require companies to collect so much extra information about children as to be unacceptable for other reasons.
Thus we are driven back to having to accept fixed ages. They are a practical necessity for the foreseeable future.
The way this whole thing has been handled has been profoundly unsatisfactory. I have never said I am against 13 being the age, but neither have I said I am favour of it. There should have been large scale, independent research looking at the way in which the modern internet works in the context of how children and young people relate to it and understand the core, commercial driving principles on which it is based and, above all how they understand and relate to the privacy dimensions of the new realities of cyberspace.
The idea that 13 was the right age for everything emerged in prehistoric times when, for practical purposes, social media did not exist. Major commercial interests have now coalesced around 13 so they, at least, will be pleased. The rest of us are left wondering what if?