I will try not to make a habit of adding supplements to my blogs. However, a further point has cropped up.
In my last couple of blogs (see sidebar) I mentioned that as the GDPR was progressing through the EU’s legislative processes an enormous row blew up around the age of consent.
The question was
“At what age can a child decide for themselves whether or not to give permission for an online business or organization to collect and further process their personal information?”
At or above that age there was no need for the company or organization to do anything more. Consent provided a sufficient legal basis. For under-18s this was all very democratic and consistent with UNCRC principles.
For younger children, below the stated age, the business or organization had to engage in the messy and potentially expensive administrative business of obtaining the consent of the child’s parents.
Bait and switch? Probably not
Maybe because of the fuss about the age of consent the children’s lobby (me included) got somewhat fixated on the issue of consent.
Consent was obviously a “good thing” so imagine my surprise when, after the GDPR had been agreed, as the transitional and implementation processes began, led by Giovanni Buttarelli, the European Data Protection Board put out a statement, essentially saying consent was potentially troublesome as a legal basis for collecting children’s data. We were told “legitimate interests” provided a stronger legal basis for businesses and organizations.
To be fair Buttarelli, and I think the Irish DPA also said using “legitimate interests” placed greater burdens on the businesses and organizations. I am not sure I ever entirely understood why that would be the case but in the end the matter became academic as pretty much everyone then abandoned consent as the basis of collecting and processing children’s personal data.
Looking back it makes you wonder……
If “legitimate interests” had come to the fore to a greater extent during the debates might it have been shaped and delivered differently?
To reassure you, I was not the only one caught out by this strange and unanticipated or under-discussed dichotomy. Within the EU, initially Facebook created two ways in which a person could join. In countries that stuck with 13 as the minimum age nothing changed, but they did change in countries which opted for 14, 15 or 16.
One way of joining required parental consent, the other didn’t. My recollection is in the latter case certain features were not available.
It felt like a bit of a cheat
Think about it. “Legitimate interests” really means ” legitimate business interests”.
Whereas previously, at least in countries which opted for 14, 15 or 16 as their minimum age, there was at least the possibility that children and parents would need to engage with each other and the company or organization in order to open an account. That was all blown away.
It’s hard to see that as a child-focused improvement, although against a background where nobody was required to do age verification anyway, we are reminded just how luidicrous the whole edifice was and whose interests it principally served.
Those days are not yet wholly behind us but they are receding.
At last.
Desiderata 