At the end of November the Article 29 Working Party published its proposed guidelines on consent. It has invited comments; the closing date is 23 January 2018.
A preliminary point: Article 6 of the GDPR sets out six different bases on which data may lawfully be collected and processed. Consent is only one of them. It would be useful if someone somewhere could pull out and illustrate, with examples, how the other five might work in respect of children. A particular reference to the rights and responsibilities of educational bodies would be welcome, along with a note on the rights of children vis-à-vis such bodies.
Obviously the November document falls short of being a comprehensive overview of how the GDPR is likely to affect children but even so the issue of consent highlights a number of key areas of interest.
A curious omission and a statement about age verification
The document does not at any point say that a child is a person below the age of 18. This is a little odd, but by implication there is a reference to that magical crossover point in paragraph 7.1.2, where it says:
The inclusion of the wording ‘offered directly to a child’ indicates that Article 8 is intended to apply to some, not all information society services. In this respect if an information society service provider makes it clear to potential users that it is only offering its service to persons aged 18 or over….. then the service will not be considered to be ‘offered directly to a child’ and Article 8 will not apply.
I guess this allows us to infer that someone below 18 is a child for GDPR purposes, but it also does something else. It suggests that where a service is clearly intended only for adults the service provider will be free of certain expectations. Yet that freedom is also bounded. Look at 7.1.3:
Although the need to verify age is not explicit in the GDPR it is implicitly required, for if a child gives consent while not old enough to provide valid consent on their own behalf, then this will render the processing of data unlawful. (emphasis added)
Age verification and risk assessments
Linked to the above, and consistent with it, the following is an extract from further on in para 7.1.3:
When providing information society services to children on the basis of consent, controllers will be expected to make reasonable efforts to verify that the user is over the age of digital consent, and these measures should be proportionate to the nature and risks of the processing activities. (emphasis added)
In the past vast numbers of children simply ticked a box or made up an age so they could gain access to a service that was not meant for them. Because US legislation imposed no obligation to check anything, that was that. Facebook just said there was "nothing they could do about it", adding that very often parents simply colluded with their children in advancing the lie.
Even if that were true, it is a different point. Now, however, the game has changed. Facebook and others are going to have to do something. It will be interesting to see how the various companies respond.
The new rule also reflects a commonsense approach. If someone sets up a service which, for example, provides access solely to curated pictures of cute little kittens playing with familiar household objects, and specifies that only persons aged 13 or above are allowed to be members, you would not imagine the provider has to go to extraordinary lengths to make sure no 12 year olds or younger are sneaking in under the radar. The verification effort is meant to scale with the risk of the processing.
Elsewhere we are told that "age verification should not lead to excessive data processing", but I guess that is simply a restatement of the principle of data minimisation.
Children’s consent and parental responsibility
This topic is principally discussed in para 7.1.4, where we are reminded:
The GDPR does not specify practical ways to gather the parent’s consent or to establish that someone is entitled to perform this action.…...
Amen to that.
What is reasonable, both in terms of verifying that a user is old enough to provide their own consent, and in terms of verifying that a person providing consent on behalf of a child is a holder of parental responsibility, may depend upon the risks inherent in the processing as well as the available technology…..
Trusted third party verification services may offer solutions which minimise the amount of personal data the controller has to process itself……
WP29 acknowledges that there may be cases where verification is challenging (for example where children providing their own consent have not yet established an ‘identity footprint’, or where parental responsibility is not easily checked). This can be taken into account when deciding what efforts are reasonable, but controllers will also be expected to keep their processes and the available technology under constant review. (emphasis added)
On your birthday
Once a child reaches the minimum Article 8 age for their country:
From that day forward, the controller must obtain valid consent from the data subject him/herself.
On changeover day
The guidance provides no information about what to expect on the day the GDPR comes into force. If a country opts for 16, and someone joined two years previously, truthfully stating their age as 13, what happens to their profile and all their stuff? Will it all go? Will it be held in abeyance for a while until the child can get parental consent to carry on using the service?
On a separate point, the Article 29 document says:
It is important to point out that in accordance with Recital 38, consent by a parent or guardian is not required in the context of preventive or counselling services offered directly to a child. For example the provision of child protection services offered online to a child by means of an online chat service does not require prior parental authorisation.
No explanation is offered as to why this is not reflected in any Article of the GDPR.
I am not sure we are any further forward in our understanding of how the cross-border dimension will work. Or, to the extent that we are, the picture is potentially chaotic. There will not be "one law to rule them all". Here are the relevant words:
In particular it should be noted that a controller providing a cross-border service cannot always rely on complying with only the law of the Member State in which it has its main establishment but may need to comply with the respective national laws of each Member State in which it offers the information society service(s). This depends on whether a Member State chooses to use the place of main establishment of the controller as a point of reference in its national law, or the residence of the data subject……. The Working Group encourages the Member States to search for a harmonized solution in this matter.
Pick the bones out of that.