Children’s privacy moves forward in the UK
The UK Parliament adopted the GDPR pretty much as it came out of the EU’s law-making machine. Under Article 8 we agreed 13 as the age at which a child could be considered competent to give consent to their data being processed by a commercial concern without the need for the company to engage with a child’s parent or carer to obtain verifiable consent. In effect this created new law and at a stroke made redundant the advice the data protection authority, the Information Commissioner’s Office (ICO), had given for years.
Like everyone else in the EU, the UK decided on its Article 8 age without having regard to any evidence which supported it in terms of its relevance to the “modern” internet. Lazily, we adopted the de facto status quo, established by a 20th-century law passed in the USA for an altogether different purpose.
Previously 13 had no legal standing or recognition of any kind in any of the four countries that make up the UK. Neither is it widely recognised as an important child development milestone. However, the ICO is to be congratulated for commissioning research into the matter. Professor Sonia Livingstone and her team at the LSE will look at children’s use and understanding of the contemporary, highly commercialised environment that is the internet. Depending on the findings we may all need to look at the issue of age again.
However, there was one important way in which what the UK did differed radically from every other EU Member State. Thanks largely to Baroness Kidron’s efforts the Government proposed and Parliament accepted that the ICO should be asked to draw up an “Age Appropriate Design Code”. Its title doesn’t quite convey or do justice to the ambition behind the idea.
The code will have legal standing and force but, taking the UK-adopted version of the GDPR as its starting point, in reality it is a document which will spell out how data privacy rules ought to be applied to children.
The ICO organized a consultation to help it gather in views about what the code should say. The UK’s principal children’s organizations made a submission which is now available on the CHIS web site. I helped with the drafting and in so doing I achieved a much better understanding of just how woefully inadequate the whole GDPR process was in respect of children’s interests. This proves, once again, that if you are not in the room you are not part of the conversation. Maybe the EU has been resting on its laurels for too long. They need to up their game substantially.
If you download the CHIS evidence I hope you find it interesting. Here are a few of my favourite extracts:
Hitherto too much reliance….. has been placed on the importance of children and their parents and carers getting to know the privacy settings for an individual App or service. There is, of course, a great deal to be said in favour of this but the protection of children’s privacy should not be a prize to be claimed only by those children who can either do it for themselves or are lucky enough to have parents who are capable of solving the puzzle and able to engage with the App or service long enough. Some of the neediest children may have parents who lack the necessary capacities.
The company should have the prime responsibility for guaranteeing the privacy rights of its users. That cannot be delegated or assigned by them to unknown parties with unknown competencies.
It is simply unfair and unacceptable to make children the object of techniques which are designed to maximise revenues via disguised or manipulative techniques…… it is known that adults have difficulty negotiating or understanding such things (so) there can be no justification for using them with children.
Particularly in the present climate businesses should be going out of their way to reassure the public, parents and children alike that they are taking all reasonable and proportionate steps not to take advantage of or exploit children’s lack of worldly experience.