Yesterday the British government announced its intention to bring a Bill to Parliament to enact the provisions of the GDPR, thereby embedding them in UK law. Brexit? What Brexit? The story led the news throughout the day. There is no doubt about the overall importance of this measure. In certain circumstances companies can be fined up to £17 million or 4% of their turnover if there is a breach.
On page 17 of the Government’s statement of intent in respect of the forthcoming Data Protection Bill the following appears:
In view of all these considerations, we will legislate to allow a child aged 13 years or older to consent to their personal data being processed.
One of these considerations was referred to in the following way:
No respondents to our call for views expressed a firm view that the minimum age to consent to data processing should be set higher than age 13.
Strictly speaking, this is true. The bulk of the children’s organizations simply pointed out that no one had made a positive, broadly-based case for 13 and that before any final decision on the age limit was agreed two things needed to happen: children ought to be consulted directly, and there should be some thorough, scientific, independent research to establish precisely how children of different ages experienced and understood the modern internet, in particular its commercial and privacy dimensions. Neither of these things has happened.
The children’s organizations also relied in part on an undertaking given in March 2017 by the Office of the Information Commissioner. In their consultation on consent the following appeared at page 27:
We’ll be developing further specific guidance on children’s privacy. It will include more detail on identifying an appropriate lawful basis for processing children’s data, and issues around age verification and parental authorisation.
This was linked to a promise to consult. This too hasn’t happened. Will Parliament say this is not acceptable before allowing the Bill to pass?
One other comment by the Government particularly caught my attention.
… age checks at age 18 are increasingly commonplace online but at that age it is possible to check credit records, driving records and electoral records. These do not exist for children aged 13 to 16 and most websites therefore start by asking questions, building trust and then investigating unusual behaviour or complaints.
I put this last part in bold to draw attention to it. I know this is what social media companies say they do, but it has been a longstanding complaint by the children’s organizations that there has never been any verified quantification of this assertion, nor has there ever been an independent assessment of how well the companies perform such vital tasks.
In the forthcoming internet safety strategy review this must change. It is clearly in the public interest for there to be a body, independent of Government, which has the legal power to require companies to provide it with information about their operations insofar as they affect children. Logically, based on an analysis of whatever information it receives, such a body ought also to have the power to make legally binding decisions which require companies to act in specified ways to safeguard children.
These things are too important to be taken wholly on trust. The internet is too intimately embedded in all of our lives, and above all children’s lives, for internet companies to be exempt from scrutiny. Internet exceptionalism no longer rules. OK?