Data protection for minors

The General Data Protection Regulation (GDPR) is due to become law across the EU in May 2018. The UK will apply the GDPR standards in the UK Data Protection Bill (the Bill). This article examines the current position for protection of children’s data and the improved measures afforded under the GDPR.

Children make up one out of every three internet users globally. Many businesses hold children’s data, including law firms, private nurseries and schools, sports and activity clubs, charitable organisations, and the online educational and gaming industries.

Children’s data provisions are also relevant to Directors as the Bill goes further than the GDPR by including directors’ personal liability where a company breaches data protection legislation.

Current position in the UK under Data Protection Act 1998 (DPA)

The DPA does not provide for an age threshold for consent to be valid for processing personal data.

The ICO (the UK's independent body set up to uphold information rights) provides that children under 12 should not be able to provide valid consent, and that for children over 12 it must be determined on a case-by-case basis whether they are mature enough to provide consent, taking into account the level of complexity of the data processing and the risk presented to the child.

The DPA does, however, refer to ‘children’ in Scotland (but not England): persons of 12 years or more shall be taken to have “sufficient age and maturity” to understand what it means to exercise their rights under the DPA.

Improvements under the GDPR

The GDPR replaces the Data Protection Directive 1995 which does not refer at all to “children” or “age.”

The GDPR does not prescribe an age at which a person is to be considered a child. It simply refers to children as “vulnerable individuals” who are deserving of “specific protection.”

For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. The key measures are:

  • Privacy notices for children: where services are offered directly to a child, you must ensure that your privacy notice is written in a clear, plain way that a child will understand;
  • Online services offered to children:
      • A child under the age of 16 cannot sign up to “information society services” without explicit approval from a person with “parental responsibility” for the child. “Information society services” includes most internet services provided at the user’s request, normally for remuneration.
      • Data controllers should make “reasonable efforts” to verify that consent has been given or authorized by the holder of parental responsibility in light of available technology.
      • The GDPR allows Member States the right to decide the age of consent between 13 and 16. If they do not specifically decide by May 2018, the minimum age will default to 16. In the UK, the Bill officially sets the age for consent at 13 years.
  • The GDPR emphasises that protection is particularly significant where children’s personal information is used for the purposes of marketing and creating online profiles.

The GDPR does contain some key exceptions regarding children’s data. For example, parental/guardian consent is not required where the processing relates to preventative or counselling services offered directly to a child, for instance by helplines.

Not enough protection?

Whilst these measures are clearly an improvement, children’s rights experts have criticised the GDPR for its lack of clarity over protection of children’s data. Despite children’s data being particularly sensitive, the GDPR does not even define what a child is.

Furthermore, what about offline data? The GDPR’s special protection for children’s data relates to online commercial services only. Member States should therefore remain aware of national legislation for offline processing of children’s data.

Comment

In practice, this means that businesses should consider:

  • Whether they are likely to be affected by rules on children.
  • Putting systems in place to verify individuals’ ages and ensure that appropriate parental consent mechanisms are implemented, including verification processes. For example, if schools or activity clubs arrange for children to sign up for apps in the classroom, or for homework, they will need to think about how consent can be obtained.
  • Where services are offered directly to a child, ensure notices are drafted clearly with a child’s understanding in mind.
  • The individual State’s age of consent if they operate and process children’s data across several Member States. For example, the UK’s proposed age is 13, Austria’s proposed age is 14 and Germany has decided not to set a limit, which defaults to 16 under the GDPR.

Finally, as the Bill includes directors’ personal liability, companies should ensure that the issue of children’s data obtains boardroom consideration.
