Personal data has become a valuable commodity in this digital era. Users of one digital platform can become the customers of another, and so the personal data of users is processed, bundled together and sold to others. Adults using the internet and its services are, or at least should be, aware of the associated risks. Children, however, require greater protection.
The Irish government announced at the end of July that it would be setting the ‘digital age of consent’ at 13 years. This means that before children under the age of 13 can access online services that process users’ data, they need the consent of a parent or guardian. This move is part of the implementation of the European Union’s General Data Protection Regulation (GDPR) into Irish law, the protections of which will be fully effective by 25 May 2018.
The GDPR leaves the exact ‘digital age of consent’ to the discretion of individual Member States, requiring only that it falls between the ages of 13 and 16. The consultation paper on the issue, launched in December 2016, noted that children, in particular, are vulnerable when using internet services and are open to the “risks of abuse, grooming, cyber bullying, access to unsuitable materials and the potentially adverse impacts of direct marketing activity.” Bodies such as the Ombudsman for Children responded in favour of maintaining a low age, arguing that legislation should recognise the role that the internet now plays in the lives of children.
Whether such controls are effective in reality remains to be seen. The USA has had a similar system in place since 2000, but it has not been without its critics. Given the difficulty service providers face in ensuring that under-13s have parental permission to use online platforms, companies have tended to prohibit these younger users from accessing their websites outright. It is argued that this leads to children lying about their age when registering for sites such as Facebook. This behaviour may also occur under the forthcoming Irish Act.
There is additional cause for concern; the digital age of consent applies to ‘information society services’ offered directly to children. This term is defined in point (b) of Article 1(1) of EU Directive 2015/1535 as being “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. The Court of Justice in Mc Fadden v Sony Music Entertainment Group clarified that this does not necessarily mean that it is the users of the service that must pay for it. The Court of Justice favoured a broad interpretation to include services provided free of charge for the purposes of advertising the service provider’s goods and services. Nonetheless, the digital age of consent would seem to be limited in application to online services and facilities to which there is an economic dimension.
This restricted coverage places a question mark over the aim of this provision of the Data Protection Bill 2017 to safeguard the “physical or emotional safety and welfare” of children, as suggested by the Department of Justice. In fact, with its focus on the economic aspect of internet usage, the GDPR cannot be said to take an all-encompassing approach to the protection of children’s data.