On Wednesday 26 July 2017, Cabinet agreed to set the “digital age of consent” at 13. This follows a recent call by Geoffrey Shannon, the special rapporteur for child protection, in addressing the Joint Oireachtas Committee on Justice and Equality, that the “digital age of consent” for children should be set at 13. The digital age of consent concerns the issue as to what is the appropriate age for minors in providing their consent for information society services (i.e. any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services). The definition extends to virtually any internet service.
EU General Data Protection Regulation
The GDPR (due to come into direct legal effect in all EU Member States, including Ireland, on 25 May 2018) allows Member States discretion on this issue between the ages of 13-16. Persons above 16 are considered to have appropriate maturity and understanding and fall within the general rules on consent under GDPR. Member States may set the age but it must not be below 13 (Article 8.1 GDPR). Depending on the age level that is set, minors under that age (say under 13 years of age as indicated for Ireland) would not be considered to have the appropriate maturity levels and capacity of understanding of the context in which their consent for certain data processing activities is being sought. In those circumstances, consent must be authorised by the holder of parental responsibility over that child. In Ireland, the General Scheme of the Data Protection Bill (the “Bill”) makes provision for the age of digital consent. Cabinet has now agreed that it should be set at 13.
To put the right of the child in context, it is important to note that Article 5 of the UN Convention on the Rights of the Child recognises the right and duty of parents and guardians to provide, in a manner consistent with the evolving capacities of the child, appropriate direction and guidance in the exercise by children of their rights. In addition Article 12 of the UN Convention on the Rights of the Child goes on to provide that children who are capable of forming their own views enjoy the right to express these views freely in matters affecting them and that due weight be given to them. Therein lies the difficult question that Member States, including Ireland have been debating what is the appropriate “digital age of consent”?
As the GDPR allows Member States a degree of scope in this area (between the ages of 13-16), many people might hold the view that the higher the age level that is set, the more protection is afforded to minors. It is not quite that simple as Mr. Shannon alluded to in his recent comments. Children’s civil and political rights including the freedom of information and expression need to be considered and there is danger that in placing a higher age for digital consent, it can have the effect of restricting children’s access to educational, political and socially informative content. To date there has been diverging opinions coming from various interest groups as to what the appropriate age should be. The Children’s Rights Alliance (representing more than 100 organisations involved in child welfare) has advocated the lowest possible age. The interest of the child has been the common theme amongst the various interest groups expressing views on this issue. The divergence in views arises in trying to balance the freedoms of the child with suitable protection levels.
Obligations of the Data Controller
It is the responsibility of the data controller to make “reasonable efforts” to verify that consent is given is authorised by the holder of the parental responsibility over the child, “taking into account available technology” (Article 8.2). What exactly satisfies this test is not clear. Given modern technologies such as the ease at which video or visual content can be shared – is it reasonable to require the consent of a minor to be delivered in a form such as this to prove to the service provider that the child’s consent has in fact been authorised by the person holding parental responsibility over that child? Is it enough for the service provider to seek confirmation of age by completing details on its website or app or by sending an email seeking consent to the person identified by the child as the parent, without actually verifying that information?
In the USA, the Children’s Online Privacy Protection Act (COPPA) addresses the issue of consent for children under 13 years of age. The US Government guidance in the area states if a service provider is going to disclose children’s personal information to third parties, or allow children to make it publicly available (e.g., through a social networking service, online forums, or personal profiles) then it must use a method that is reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent. Such methods include:
- Providing a consent form to be signed by the parent and returned via U.S. mail, fax, or electronic scan (the “print-and-send” method);
- Requiring the parent, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;
- Having the parent call a toll-free telephone number staffed by trained personnel, or have the parent connect to trained personnel via video-conference; or
- Verifying a parent’s identity by checking a form of government-issued identification against databases of such information, provided that you promptly delete the parent’s identification after completing the verification.
Much has been said about the eye watering fines that apply under the GDPR. It is worth noting that infringements of Article 7 (conditions for consent) attract fines of up to €20m or 4% of worldwide turnover (whichever is higher) and Article 8 (concerning a child’s consent) can attract fines of up to €10 million or 2% of worldwide turnover (whichever is higher).
Practical consequences for service providers
The consultation process ran by the Department of Justice and Equality on the age of digital consent primarily dealt with the age issue and not how parental / guardian consent might appropriately be given.
One practical difficulty in this area for service providers will be the potential lack of consistency in the applicable laws where Member States adopt different age levels and where the service is global so the rules outside of the EU must be also considered (e.g. COPPA).
Providers of information society services should use plain and understandable language when explaining how they intend to process personal information so that a child can easily understand. Service providers should monitor the Bill adoption process on this particular issue of the age of digital consent in Ireland. The issue is likely to attract debate before the Bill passes through the legislative adoption process. Consideration should also be given to the chosen age in other Member States where the service provider carries out its business. What amounts to an appropriate method of obtaining consent is likely to require an analysis for each particular circumstance with no one size fits all. Service providers should watch out for guidance and awareness campaigns issued by the office of the Data Protection Commissioner and the Article 29 Working Party. The methods of consents outlined above in the US context and COPPA are also worth considering.