Cyber and Data Protection
The Data Protection Bill is in the process of being debated and finalised. It is intended that the Bill will incorporate the measures Ireland needs to implement under the GDPR and create a new regulatory framework for the enforcement of data protection laws in Ireland. In the course of this consideration, the digital age of consent needs to be set down. Article 8(1) of the GDPR sets the digital age of consent at 16, but countries in the EU can enact national legislation which specifies a lower age limit, between the ages of 13 and 16.
The issue was previously considered by the Joint Committee on Justice and Equality, which recommended that the digital age of consent be set at 13. However, when the legislation was voted upon in the Dáil on the 16 May last, a majority ruled in favour of setting the digital age of consent at 16 for the purposes of Article 8(1) of the GDPR. Essentially, this means that the processing of data of children under the age of 16, in respect of online services, shall not be lawful without parental consent. Furthermore, provision was made for the creation of a criminal offence prohibiting the processing of personal data of a child for the purpose of direct marketing, profiling or micro-targeting.
But what is the Digital Age of Consent? Prof Barry O’Sullivan defines this as being “about child data protection and specifically when can a child sign-up to online services, such as online gaming, social media, [and] various personal services etc that use and process their personal data without the need for parental consent”. As a consequence, companies have to make reasonable efforts, taking into consideration available technology, to check that the consent given is truly in line with the law. This may involve implementing age-verification measures such as requesting that the minor provide his parents’ email address to enable written consent.
Preventative or counselling services offered directly to children are exempted as they seek to protect a child’s best interests.
Prof O’Sullivan says that the Digital Age of Consent has been conflated with all sorts of issues such as a child’s right to participation online, a right to information, a right to a voice. Children have all those rights, but the cost of exercising them should not be their personal data. Services can support those rights of children without requiring their personal data. He says that the online services that offer counselling or preventative services to children have an exemption from the requirement of parental consent because those services are in the best interest of the child. The question we have to focus on is the relationship with commercial entities that seek to profit from our children’s data. Parents need to have the right to be involved in that.
Setting our Digital Age of Consent at 16 would be in line with Germany, the Netherlands and France.
However, many prominent children’s rights advocates, from the Ombudsman for Children to the ISPCC, have warned against this higher age threshold. Fergus Finlay of Barnardos has said that setting the digital age at 16 could lead to unintended consequences. He further notes that, to date, no Digital Safety Commissioner has been put in place and there is currently no public body with the power to regulate the online world to make children safe.