Questions about the GDPR

Thanks to a series of guidance notes that have been issued by the Article 29 Working Party we now know a lot more about the way several parts of the GDPR are likely to work when they come into force in May next year.

However, as far as the impact of the GDPR on children is concerned, while there have been one or two references to children within some of the aforementioned documents, nothing has been produced which tries to pull it all together and present a complete picture. Given the almost universally acknowledged complexity of some of the challenges faced in respect of children that is most regrettable.

Probably the first thing that will emerge into the public domain from anywhere in “official Europe” is a discussion paper from the British data protection authority, the Information Commissioner’s Office. It will be available before the end of December. Maybe that will kick off a wider debate across the EU. It should.

In the meantime, I reproduce below my list of questions or points I think could benefit from some clarification.

Apologies for the length but I hope it is helpful to some of you.

A question of age

  • In the original Commission proposal, the age of 13 was suggested as the single minimum age of consent for data processing purposes for the whole of the EU in relation to “Information Society Services (ISS) offered directly to a child.”
  • The only argument advanced in support of it was that 13 was already in widespread use because of COPPA, a US Federal law passed in 1998.
  • Since the emergence of Facebook, YouTube and other major social media platforms in the early part of the 21st century does anyone know if any data protection authority, national government or other body has carried out research to establish the age at which a young person, typically, is likely to be capable of giving informed consent to joining a generic or non-specialised commercial ISS such as Facebook, Snapchat, Instagram or YouTube?
  • In its final form Article 8 of the GDPR allows Member States (MS) to choose from four age levels for consent for data processing purposes: 13, 14, 15 and 16.
  • Has each of these been reconciled with the provisions of the UNCRC where, it will be noted, no specific qualifying age is stipulated? The only consideration referred to there is the capacity of the child.
  • In the event of a legal challenge, won’t the absence of any evidence or reasoned argument to support a particular age within a given jurisdiction, potentially weigh heavily with the court? Jurisdictions that opt for 16 or 15 are most likely to be at risk.
  • Is it right that an Article 8 age limit is not a once and for all decision? MS can change their minds and introduce a new level within the permitted range at any time?
  • Can we unequivocally confirm that wherever the word “child” or “children” appears in the GDPR it refers to persons below the age of 18?
  • What is the legal basis for that?

Information Society Services offered directly to a child

  • Article 8 speaks of “information society services offered directly to a child”. It is extremely important to be clear what these are.
  • One suggestion is that if a service solicits or allows persons below the age of 18 to be members then that makes it a service that is being offered directly to a child.
  • The fact that the same service may also solicit or allow persons above the age of 18 to be members does not change the fact that it also offers those services directly to a child.
  • The implications of this could be far-reaching.

Risk assessments, variable ages and one-off permissions

  • Presumably, every ISS will need to consider each discrete and particular data processing activity that is possible on their site or within their service? They will need to do this in order to ensure they have completed an impact assessment for all of them and have obtained the appropriate permissions.
  • A common assumption is that giving parental consent for a child below the Article 8 age is a one-off action. But is that really the case?
  • Might it not be that once admitted to most of the services we know about today, sub Article 8 age children could engage in a wide range of different kinds of activities and some of these may require a specific or additional form of parental consent before they can proceed? In other words the original permission may not cover everything. Some services aimed at very young children already work like that but now it will be a legal requirement.
  • Is there scope, in effect, to have more than one age level within a MS? Might it be possible to say that in order to join a generic ISS you must be at least 13 (or whatever) and no parental consent is required, but if you then wish to do x or y on or within the service you must be a higher age and if you are not, parental consent must be obtained before you can proceed? The practicalities may be fearful but that is a different matter.
  • Has any thought been given to the implications for individual platforms of there being among their users children with the power to agree to certain things on their own while children from a different country may need parental consent for the same actions?

Categories of persons

  • The GDPR in effect creates four categories of persons:
  • Fully competent adults i.e. persons who are over 18
  • Children who are below the age of 18 but above the Article 8 age.
  • Children who are below the Article 8 age
  • Recital 75 speaks of “vulnerable persons”. Clearly, this will include adults but might there also be such a thing as a “vulnerable child” or is it the case that, for GDPR purposes, all children are considered to be equally vulnerable and there are therefore no varying degrees of vulnerability to which an ISS may need to pay attention?

Persons above a certain age

  • Will there be any sort of expectation for ISS to ensure persons above a specified or recommended age are NOT using services intended for persons below that age?

Person below a certain age

  • It is anticipated that, as now, a great many online services will simply draw a line at the Article 8 age and declare that persons below it are not allowed to join or remain as members. This will enable them to avoid getting involved in the potentially messy and expensive business of obtaining verifiable parental consent.
  • However, absent any age verification requirement, what is likely to happen, again as now, is enormous numbers of children will simply tick a box or make up a date of birth to declare themselves to be at or above the Article 8 age.
  • In the UK, for example, this has led us to a situation where over 75% of all 10-12-year-olds are members of services which specify 13 as the minimum. In other MS the proportion is even higher. Doubtless, many parents (although by no mean all) will have colluded or acquiesced but that raises different issues.
  • How will the GDPR address this problem? Will ISS be under any sort of obligation to engage proactively in curbing or reducing unauthorised usage involving underage persons?
  • In those countries which raise the Article 8 age above the current minimum specified by the ISS, typically 13, what will happen to children who fall below the new, higher age, e.g. 16, when the GDPR comes into force? Are they automatically kicked off? Do they lose all their photographs and posts?

Adult services

  • Is it the case that any site or service, or part thereof, which expressly states it is intended only for adults will be required to have robust age verification services in place at least to cover off those adult sections? How might this work with services such as Twitter and YouTube?

Counselling services

  • Recital 38 makes clear that counselling services would not be expected to obtain parental consent prior to offering an ISS to a child below the Article 8 age but this is not repeated in an Article. Is there any doubt about the lawfulness of not obtaining parental consent in such circumstances?

Applicable jurisdiction and going on holiday

  • Which country’s law matters? The suggestion is that for the whole of the rest of the GDPR the jurisdiction that counts is that of the data controller. So if a service is based in Sweden, Swedish law and the Swedish data protection body have primacy.
  • However, when it comes to children, because of the Article 8 derogation, there are three possibilities and, to the best of my knowledge, no one in a position of authority has so far said which is the right one.
  • Thus, as above, it could be the country in which the ISS is domiciled, but maybe it is the country in which the child is domiciled or the country where the child is physically located at the time of using the service.
  • Then there’s the holiday problem. A child is properly signed up to a service in country A where she normally lives and the Article 8 age there is 13. She then goes on holiday to country B where the age is 16. Can she continue to use the service while in country B? What if the stay in country B is longer than a normal holiday of a few days or weeks, e.g. is several months?


  • According to the Article 29 Working Party guidance, Article 22 of the GDPR does not prevent controllers from making profiling decisions about children, if the decision does not have a “legal or similarly significant effect” on the child.
  • By contrast Recital 71 says profiling “should not concern a child” Discuss.
  • The Article 29 Working Party guidance goes on to say where the profiling influences a child’s choices and behaviour it could potentially have a “legal or similarly significant effect”, depending upon the nature of the choices and behaviours in question.
  • Is it therefore the case that the results of different types of profiling e.g. advertising, are only definitely allowed if they do not produce a legal or similarly significant effect?
  • But if that means the only acceptable advertisements that may be directed at children are ones which do not prompt a purchasing decision why would any business want to place them anyway?
  • It would be useful to have more case studies illustrating the kinds of profiling activities which would be acceptable in respect of children so as to get a better idea of how to decide whether or not something would be likely to have a “ legal or similarly significant effect”.

Consent needed/not needed

  • In relation to joining or performing others acts on an ISS, where the child is below the Article 8 age, is it clear their consent is not needed or is irrelevant? The only consent that matters is that of the parent?
  • By the same token, is it the case that a child under the Article 8 age cannot withdraw their consent because they have never given it?
  • Will this not produce some strange results, particularly in those countries which have opted for a higher minimum age e.g. 16?
  • And how would this interface with the right of erasure?
  • What position would an ISS be in if they learned that a parent was coercing a child into using or being a member of a particular service and the child did not want to use it or be on it?
  • Presumably, even if a sub-Article 8 age child’s consent is strictly not needed the ISS still has a legal obligation to explain the nature of the service and any associated data processing in language which is understandable to the child?

Differences in infrastructure between MS

  • Not every country has the same technical or other infrastructure that would allow parental consent to be verified by online means, or possibly even by non-online means. Some parents may therefore be “more verifiable” than others.
  • Yet the implication will be that “this child is on this site or service only because their parents have been verified”. That may carry with it a further implication that somehow the (apparent) child can be trusted to a higher degree. After all the identity of the (apparent) child’s parent has been checked and confirmed so there is some comeback if anything goes wrong.
  • Has any thought been given to the security or child safety implications of there being platforms where sub-Article 8 age children will be present where their parents have been checked according to potentially radically different standards?

Welcome to our world

  • It is clearly the case that henceforth the privacy community is going to be involved in a major way in online child protection and children’s rights issues. How do we imagine the privacy community will get itself up to speed and stay up to speed with research and the full range of issues that impact on children’s use of the internet? Too narrow a focus on purely data privacy issues could mean they miss the mark.

About John Carr

John Carr is one of the world's leading authorities on children's and young people's use of digital technologies. He is Senior Technical Adviser to Bangkok-based global NGO ECPAT International and is Secretary of the UK's Children's Charities' Coalition on Internet Safety. John is now or has formerly been an Adviser to the Council of Europe, the UN (ITU), the EU and UNICEF. John has advised many of the world's largest technology companies on online child safety. John's skill as a writer has also been widely recognised.
This entry was posted in Consent, Default settings, E-commerce, Facebook, Google, Internet governance, Privacy, Regulation, Self-regulation. Bookmark the permalink.