European legislation is failing children
One of the major problems in EU policy regarding children is related to its legislation. This legislation and its enforcement often are incomplete and symbolic and are, as a result, failing children. Below I’ll focus on the GDPR as a prime example.[i]
The GDPR
The GDPR concerns itself with two topics: the protection of personal data and the free movement of such data. It tries to balance the needs of the free market with the rights of individuals. As such, the rights of individuals, be they adults or children, are not absolute; they are always subject to deliberation.
Processing grounds
One of the major deliberations in the GDPR in weighing market versus rights falls to the parties who decide to process personal data: they need to choose a processing ground. Article 6 provides six processing grounds, of which only two involve individuals playing an active role: when implementing a contract with an individual (or preparing it) and when asking an individual for consent. Where the law requires the processing of personal data, where the performing of a public task requires it, where the processing party pursues legitimate interests, and where the processing party protects vital interests, there is no need to involve individuals.
Special position of children in the GDPR
In the deliberation on processing grounds, the GDPR assigns a special position to children. Legitimate interests as a processing ground are harder to defend when the processing of data concerns children (Art. 6(f)); consent for the processing of minors’ personal data needs to be provided by holders of parental responsibilities (Art. 8).
National laws beyond the GDPR exclude the processing ground ‘contract’ for children. In order to be liable for any contractual obligations an individual in principle needs to be an adult by law.[ii][iii]
In addition, the GDPR gives children a special position both before the deliberation on processing grounds and during the implementation of a chosen processing ground. Before the deliberation, the party deciding to process personal data should assess the risks of this processing for children more thoroughly (Recital 75). While implementing the processing ground ‘consent’ a code of conduct should be in place on the manner in which parental consent is obtained and on “the information provided to, and the protection of, children” (Art. 40.2(g)). The language used in communication with children should be clear and plain (Art. 12; Recital 58). Children should also have a special position when it comes to the right to be forgotten (Recital 65) and should not be profiled (Recital 71).
Interpretation of the position of the child in the GDPR
The GDPR is divided into two broad sections: a text that sets out the reasons for the legislation and provides context for interpretation of the legislation (Recitals) and the legislation itself. The requirements of a more thorough risk assessment when processing children’s personal data, the child’s special position concerning the right to be forgotten, and the prohibition of profiling of children are only mentioned in the Recitals and not in the actual legislation.
The UK’s independent authority Information Commissioner’s Office (ICO) explains what this means regarding the prohibition of profiling of children.[iv] According to ICO, the content of Recital 71 stating that “[s]uch measure should not concern a child” “cannot be taken to represent an absolute prohibition on this type of processing in relation to children” because it is not included in the main body of legislation. Rather, “it does give a clear indication that such processing of children’s personal data should not be the norm”.
Whereas Recital-only texts are legally softer, articles included in the legislation are harder. Regarding children, included in this harder legislation are the constraints on the processing grounds ‘legitimate interests’ and ‘consent’, the need for a code of conduct on how to protect children, and the obligation to communicate with children using clear and plain language.
Grounds for the special position of children
Recital 38 explains why children warrant special protection against “the use of personal data of children for the purposes of marketing or creating personality or user-profiles and the collection of personal data with regard to children when using services offered directly to a child”. It states that children “may be less aware of the risks, consequences, and safeguards concerned and their rights in relation to the processing of personal data”.
The special position of children in EU legislation rests on the foundation of the UN Convention on the Rights of the Child. The Convention’s Preamble states: “the child, by reason of his physical and mental immaturity, needs special safeguards and care”. As a result, according to the UN Universal Declaration of Human Rights (Art. 25(2)), children “are entitled to special care and assistance”. The Convention (Art. 3(1)) explains what this means: always “the best interests of the child shall be a primary consideration”. The Charter of Fundamental Rights of the European Union echoes this (Art. 24(2)): “In all actions relating to children, whether taken by public authorities or private institutions, the child’s best interests must be a primary consideration.”
Although the GDPR does not specifically reference Article 3(1) of the Convention, according to ICO this article is taken into account when assessing the legality of the processing of children’s personal data by processing parties.[v]
Curbed rights
The rights of children, in general, are curbed when compared to adults. Because of their physical and mental immaturity, they are not deemed capable of representing themselves in the same way as adults are. Article 5 of the Convention explains that children have “evolving capacities”. According to the article parents or other holders of parental responsibilities “provide, in a manner consistent with the evolving capacities of the child, appropriate direction and guidance in the exercise by the child of the rights recognized in the present Convention”.
Right to participate
This does not mean that the voice of the child is to be ignored because of the child’s not yet fully evolved capacities. Article 12 of the Convention states that States Parties “shall assure to the child who is capable of forming his or her own views the right to express those views freely in all matters affecting the child, the views of the child being given due weight in accordance with the age and maturity of the child”. The Charter (Art. 24(1)) interprets this as follows: “Children ... may express their views freely. Such views shall be taken into consideration on matters which concern them in accordance with their age and maturity.”
The UN Committee on the Rights of the Child calls this children’s right to participate “one of the four general principles of the Convention” alongside non-discrimination, the right to life and development, and the primary consideration of the child’s best interests.
Interpretation of the right to participate
The UN Committee on the Rights of the Child interprets Article 12 of the Convention. According to this interpretation, the right to participate in decision-making processes concerns individual children as well as groups of children (Section 3). Whether children make use of this right is a choice made by the child or group of children (Paragraph 16). The capability of a child to form their own views should be assumed (Paragraph 20). State parties should not use the child’s evolving capacities as a limitation.
The Committee declares (Paragraph 70) that in all cases in which parties are bound by Article 3 they are also bound by Article 12. The parties concerned are: “public or private welfare institution[s], courts, administrative authorities or legislative bodies”. Providing children the right to participate is mandatory for these parties (Paragraph 70). The Committee also states (Paragraph 72): “States parties must examine the actions of private and public institutions, authorities, as well as legislative bodies”. This is in line with the ICO statement on taking Article 3 into consideration when assessing the processing of children’s personal data by parties. It is unclear whether this means that, according to ICO, honoring the right of the child to participate in decision-making should be taken into consideration too. If it did so, it would honor a recommendation by the Committee to non-state service providers “to respect the principles and provisions of the Convention on the Rights of the Child” (Recommendation 16) as part of self-regulation mechanisms (Recommendation 17).
Comparing
When comparing the general position of the child in EU legislation and the position of the child in the GDPR, it becomes clear that two of the general principles of the Convention, the primary consideration of the child’s best interests and the right to participate in decision-making processes, are only implicitly present in the GDPR. And the role of parents as described in the GDPR is very limited.
The GDPR and the right to participate
In the GDPR there is no mention of child participation. Concerning the processing ground ‘consent’, children under an age threshold between 13 and 16 (the exact age threshold is determined by the individual Member States) are to be represented only by adults holding parental responsibilities.
But this does not mean that children have no formal say in the entire process of data protection. The GDPR does mention the need for codes of conduct regarding children and the need for processing parties to communicate in a way that is understandable for a child. ICO explains what the codes of conduct regarding children should encompass. According to this interpretation, there are no age-specific additional instruments for children defined: children generally have the same rights as adults to exercise their rights vis-à-vis processing parties.
Age threshold
In exercising their rights to react to processing parties no hard age threshold is given. This is fully in line with the fundaments of child rights and protection in UN and EU legislation. It is therefore unclear why such a hard age threshold does exist for being allowed to express consent. What is special about consent that a hard age threshold was defined in the GDPR? Is it assumed that a decisive jump in the development of child capacities for all children takes place on their 13th, 14th, 15th or 16th birthday? And is this a different jump than the jump that is supposedly taking place at their 18th birthday when children change their status from ‘child’ to ‘adult’?
It is even less clear why the Member States should have the right to define this hard threshold according to their discretion at an age between 13 and 16. Are child capacities assumed to develop at different paces in different Member States?
Parents
No role description for holders of parental responsibilities is given in the GDPR other than the requirement of their consent for children under an age threshold. There is no mechanism in which they can provide, in a manner consistent with the evolving capacities of the child, appropriate direction and guidance to the child to exercise its rights. ICO even explicitly denies parents their role. It states: “Even if a child is too young to understand the implications of their rights, they are still their rights, rather than anyone else’s such as a parent or guardian. You should therefore only allow parents to exercise these rights on behalf of a child if the child authorises them to do so, when the child does not have sufficient understanding to exercise the rights him or herself, or when it is evident that this is in the best interests of the child. This applies in all circumstances, including in an online context where the original consent for processing was given by the person with parental responsibility rather than the child.”
According to the GDPR, the role of assisting children that in the Convention is explicitly allocated to holders of parental responsibilities seems to befall national supervisory authorities. Article 57(b) states that these authorities shall “promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention”.
Conclusion 1
Taking children’s rights within EU legislation as a point of reference, the GDPR is lacking essential components and on some issues deviates from basic EU legislation.
Summary of hard protection mechanisms
Let’s now consider the four GDPR hard protection mechanisms for children in more detail:
· The need for a code of conduct on how to protect children;
· The obligation to communicate with children using clear and plain language;
· Constraints on the processing ground ‘legitimate interests’;
· Parental consent as an additional requirement regarding the processing ground ‘consent’.
The focus of the considerations below will be on parental consent since it is the most concrete hard protection mechanism provided by the GDPR.
Code of conduct and communication
As we have seen above, according to the interpretation of ICO the GDPR does not prescribe child-specific requirements for codes of conduct. The GDPR also does not provide concrete specifications or even a frame on how acts of communication with children should be defined other than that “appropriate measures” (Art. 12(1)) should be taken. What the GDPR does require, implicitly, is that the child’s best interests are honored. It does not specify what this concretely entails.
It is up to personal data processing parties or their representative bodies to draft their own codes of conduct and communication. Next, it is up to national supervisory authorities to evaluate the codes of conduct and the communication efforts by the processing parties and then assess individual parties’ adherence to the codes of conduct and communications on a per case basis.
Unfortunately, national supervisory authorities are understaffed and overburdened.[vi] In addition, their policies do not seem to prioritize children although article 57 (1)(b) of the GDPR concerning national supervisory authorities states: “Activities addressed specifically to children shall receive specific attention”. The Dutch authority for instance does not make special mention of the protection of children in its overview of tasks and powers. In a report on tasks and financials regarding the functioning of the Dutch authority, children are mentioned once in passing as part of vulnerable groups. In its summary of a proposed multiannual budget the authority makes no mention of children. On its site, only one document newer than the GDPR text is available containing the word “child” – and it is not by the authority itself.[vii]
As a result, in reality, the implementation of a code of conduct on how to protect children and the obligation to communicate with children using clear and plain language is mostly dependent on the goodwill of personal data processing parties. The reputation of the industry does not warrant great optimism in this regard.
Legitimate interests
‘Legitimate interests’ as a processing ground are harder to defend when the processing of data concerns children. Whether legitimate interests can be considered to be a defendable processing ground when processing child personal data ultimately depends on a per-case decision by the national supervisory authorities. Taking the understaffing, overburdening, and low prioritizing of the best interests of the child by these authorities as seen above into account, the protection of the child in the realm of personal data again boils down to the level of industry goodwill.
Conclusion 2
Three crucial hard protection mechanisms for children provided by the GDPR, in reality, come down to relying on the goodwill of personal data processing parties.
Parental consent
Parental consent as a protection mechanism is available in case the data processor chooses ‘consent’ as their processing ground. When choosing another processing ground children are basically treated in the same way as adults except for the processing ground ‘legitimate interests’ – which mostly depends on the goodwill of the industry as we have seen above.
The value of parental consent as a protection mechanism
I asked experts on Twitter about the value of parental consent as a mechanism to protect children’s personal data. UCLA professor Safiya Noble reacted: “I have a lot of thoughts about minors and data and they mostly have nothing to do with parental consent.” Data ethicist Piek Visser-Knijff comments: “I think that it's very difficult for most parents to really understand the consequences of sharing the data of their children. Not only because they're unaware of the possibilities, but also because it's unclear what future possibilities will be. The child, the future adult, has to live with the consequences of the choice/consent of their parents. I think it's important that somehow we take the effect on next and future generations into account. In my opinion, to state it baldly: children(s data) are not really protected by their parents (how could they?). And therefore, you could question the consent model. But the problem is more widespread and it's something that concerns a system. E.g. chrome books at school, or other administrative systems that involve children's data. [T]he responsibility does not only lie with parents, it's a system that gives parents little choice (and not only parents but also schools, et cetera).”
Conclusion 3
The fourth hard age-specific instrument provided by the GDPR to protect children is not of undisputed value.
Pilot Project
The instrument of parental consent currently exists on paper only. There is no concrete reliable infrastructure available to execute it in reality. The European Commission suggests implementing parental consent as follows: “[request] that the minor provides his parents' email to enable written consent”. This is hardly a reliable method. In essence, this instrument is purely symbolic.
My wife Beata Staszyńska-Hansen and I initiated a plan to change this situation – a plan that eventually took the form of an EU Pilot Project. Our idea was to design a technological infrastructure in one Member State to implement major EU legislation (including the GDPR) concerning children’s rights and protection mechanisms and to explore on a local level which challenges should be tackled. Integrated into the implementation pilot was child participation, both in the design of the infrastructure and in the drafting of authoritative recommendations to the European Commission. Unfortunately, after a budget was allocated the essence of our proposal was changed by the European Commission in a published Call for Projects. In its final form, the Pilot Project merely requires a proof of concept of a technology that will allow for Internet users’ age verification and for parental consent for children in multiple Member States.
Dutch reality
Together with the Dutch top-level domain registry SIDN and the Municipality of Amsterdam we dived deeper into the Dutch implementation challenges of EU legislation concerning children while preparing a response to the Pilot Project Call for Projects (that we never submitted). The following is a short summary of what we found regarding parental consent.
To start with, Dutch civil law (Art. 1:234) states that parental consent is a precondition for minors being “capable of performing legal acts”. This parental consent is assumed to have been provided when “it concerns a legal act in respect of which it is customary in society for minors of his age to perform this independently”. The default presumption of implicit parental consent by Dutch civil law cannot be extended to the GDPR. Article 8 of the GDPR states that parental consent should be verified; Article 40 requires a description of how parental consent was obtained.
In order to facilitate explicit verification of parental consent, a whole new procedure needs to be designed. This procedure needs to first establish that a user online indeed is a child. Then, it needs to identify who are the parents of the child. Next, it needs to establish whether the parents identified are alive and, if yes, whether they are the legal holders of parental responsibilities. In case they are not, the actual holders of parental responsibilities need to be identified. And then, finally, a valid and reliable procedure needs to be devised in which the identified holders of parental responsibility can make their consent known. This means, for instance, that it should be clear for what concrete purpose the consent is provided. And, there should be a procedure in place to enable retraction of the consent.
Holders of parental responsibilities
Most steps of the procedure to obtain parental consent as required by the GDPR are problematic. One of them is the most problematic in the Dutch context: the identifying of the holders of parental responsibilities who are not the parents. In the Netherlands, only one known set of registers exists in which all holders of parental responsibilities are registered. As a part of a parental consent procedure, these registers could be requested to provide information as to who is to provide parental consent. But here it gets problematic. The Dutch Ministry of Justice that is responsible for these registers needs a legal ground in order to be allowed to provide information stored in the registers. The GDPR does not constitute such a legal ground. Thus, without an overhaul either of existing legislation or at least of existing procedures, the existing registers cannot be part of a procedure to verify parental consent within the framework of the GDPR. And, as a result, the parental consent mechanism is rendered incomplete.
Conclusion 4
Taking a tech-only approach to enabling the implementation of parental consent means creating an incomplete instrument.
Loophole
Notwithstanding the non-technical challenges in the process of creating an infrastructure to enable the implementation of parental consent, the coming into existence of an infrastructure will lead to an enormous improvement when compared to the current situation. That is, if the infrastructure is used. And this, unfortunately, is far from certain.
The GDPR, like many other legal EU texts, provides a serious loophole for processing parties. Article 8 states that processing parties “shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology”.
The interpretation of this article is the responsibility of the national supervisory authorities. ICO lays out the implication of the article for data processors: “As there is no ‘reasonable efforts’ qualification to obtaining valid consent, it remains a matter of fact whether you have obtained the lawful consent of someone who is able to give it for themselves or not. However, in practice, in the event of a complaint, we will consider whether you have made reasonable efforts to verify that the data subject is old enough to provide their own consent, taking into account the risks inherent in the processing and the available technology. The GDPR also explicitly requires you to make reasonable efforts, taking into consideration the available technology, to verify that any person giving consent on behalf of a child who is too young to provide their own consent, does in fact hold parental responsibility for the child. A data protection impact assessment should help you to decide what steps you need to take to verify age and parental responsibility. It may also help you to evidence that they are reasonable in the event of a complaint to the Commissioner.”
Instead of obliging data processors to use a reliable parental consent instrument when available, the interpretation of what constitutes ‘reasonable efforts’ is decisive in establishing whether children were sufficiently protected. This interpretation is provided on a per case basis on the precondition that a national supervisory authority finds the time for it. When the authority does find the time it will perform a concrete risk analysis of the case at hand.
DPIA
The GDPR (Art. 35) and the document Guidelines on Data Protection Impact Assessment (DPIA) describe how and when to perform a risk analysis (DPIA). The Guidelines state: “The GDPR does not require a DPIA to be carried out for every processing operation which may result in risks for the rights and freedoms of natural persons. The carrying out of a DPIA is only mandatory where processing is ‘likely to result in a high risk to the rights and freedoms of natural persons’.” The Guidelines provide nine criteria that indicate high risk. ICO states: “While the guidelines suggest that, in most cases, any processing operation involving two or more of these criteria requires a DPIA, you may consider in your case that just meeting one criterion could require a DPIA.”
Children’s personal data and DPIA
The processing of children’s personal data does not automatically trigger the need for a DPIA. The Guidelines state regarding criterion 7 (“Data concerning vulnerable data subjects (recital 75)”): “Vulnerable data subjects may include children (they can be considered as not able to knowingly and thoughtfully oppose or consent to the processing of their data)”. “May include” does not equal “always include”. This is confirmed by a note following the criteria: “supervisory authorities are required to establish, make public and communicate a list of the processing operations that require a DPIA to the European Data Protection Board (EDPB) (Article 35(4)). The criteria set out above can help supervisory authorities to constitute such a list, with more specific content added in time if appropriate. For example, the processing of any type of biometric data or that of children could also be considered as relevant for the development of a list pursuant to article 35(4).”
As we’ve encountered before, a seemingly hard wording of a Recital (75): “personal data of vulnerable natural persons, in particular of children” is phrased softer in the interpretation of the text: “[v]ulnerable data subjects may include children”.
Conclusion 5
The interpretation of what in practice constitutes parental consent is totally up to the national supervisory authority, on a per case basis, after the fact, if it finds the time.
Geographic loophole
The “reasonable efforts ... taking into consideration available technology” loophole is not the only loophole in the GDPR. There exists a second loophole, caused by symbolic ambition.
The document Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) interprets the territorial scope of the GDPR (Art. 3; Recital 14). It states that the protection of personal data as defined in the GDPR is for “everyone” who is physically present in the Union.
Regarding child-specific mechanisms, the interpretation means that both age verification procedures and parental consent mechanisms must be in place for all people physically present in the European Union “whatever their nationality or place of residence”.
Whereas the reliable identification of holders of parental responsibilities in a digitalized EU Member State such as the Netherlands faces serious challenges as we have seen above, one can only imagine what challenges are involved in identifying the holders of parental responsibilities from non-EU countries that are digitally less organized states or might even be war zones. Inevitably, the result will be that for some individuals from non-EU countries no reliable procedures can be offered.
Implications
Non-EU residents, children and adults, will be confronted by default with a non-automatic identification method. In some cases, they might not be able to identify themselves for reasons beyond their power, for instance because they cannot obtain an online age certificate or holder of parental responsibilities certificate from a trusted provider in their country of residence. Then, the infrastructure can decide to proceed in one of two ways. The infrastructure could deny all non-identifiable individuals access to services that serve (or also serve) children and to adult-only services since neither age nor parental consent can be established. Or, it could allow access by exception, by means of self-declaration.
In the first case, legitimate children and adults could be denied their rights because of a geographic overstretch of the GDPR and a lack of access by the infrastructure to relevant data beyond the EU. In the second case, the whole infrastructure is compromised because even for EU residents the verification of age and the granting of parental consent cannot take place fully automatically in all cases. For instance, a child might use a device of a friend, an online connection on vacation or a pre-paid connection subscription. In these and similar cases a method needs to be available for them to explicitly identify themselves individually and trigger mechanisms that will protect them and will respect their rights.
In the case of the option of self-declaration, everyone who is able to avoid automatic identification can now choose to be an ‘other’ and get access to data processing services as if the GDPR were nonexistent. This scenario equals our existing current situation: it is sufficient for individuals to click an ‘I’m over 18’ statement to be treated as an adult with no questions asked. The only difference would be that now an infrastructure does exist.
Conclusion 6
The symbolic geographic overstretch of the GDPR either denies clusters of individuals, including children, their rights and protection under the GDPR or offers a workaround around the GDPR.
Summary
In its current form, the GDPR is incomplete and sometimes deviates from EU basic legislation. The instruments to protect children as provided in the GDPR are unspecific, sometimes disputed, and in the end rely on either the off-chance that a national supervisory authority finds the time to interpret individual cases or the goodwill of the personal data processing industry. In short, in its current form, the GDPR is failing children.
[i] I’m indebted to Internet law specialist Arnoud Engelfriet for taking the time to read a draft of this text and express suggestions for improvement.
[ii] https://fra.europa.eu/en/publication/2017/mapping-minimum-age-requirements/age-majority
[iii] Arnoud Engelfriet is responsible for the adding of the phrasing “in principle” to the sentence. He draws attention to the fact that minors in the Netherlands are allowed to engage in contracts for transactions that are normal for someone that age. See also: De Algemene Verordening Gegevensbescherming en Uitvoeringswet AVG Artikelgewijs Commentaar (in Dutch) by Engelfriet, Meij en Kager (2019).
[iv] Privacy and security advisor Floor Terra (@floorter) recommended viewing this interpretation during a Twitter exchange with the author.
[v] Arnoud Engelfriet stresses fundamental rights as defined in the UN treaties or in the Charter are always valid, no matter whether they are explicitly referred to or not.
[vi] See f.i. a KPMG report (pdf in Dutch) on the Dutch authority (AP); for the Netherlands: https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/meerjarenbegroting_groeiplan_ap.pdf AP admits to a backlog of around 10,000 complaints: https://autoriteitpersoonsgegevens.nl/nl/nieuws/aantal-privacyklachten-blijft-zorgwekkend-hoog. Its supervision is seen as seriously wanting: f.i. https://nos.nl/nieuwsuur/artikel/2374135-de-privacywet-wordt-amper-gehandhaafd-is-meer-geld-de-oplossing.html
[vii] It concerns a document by the Article 29 Data Protection Working Party on data portability: https://autoriteitpersoonsgegevens.nl/en/search-results?sort_by=cbp_date&search_api_views_fulltext=child&cbp_date=&cbp_date_1=.