In the ultimate stage of the GDPR trilogue (General Data Protection Regulation), the minimum age for parental consent for the processing of children’s personal data was raised from 13 to 16 years old, which caused quite a stir. This post addresses the on-going debates on parental consent from a children’s rights perspective and looks at the (future) implementation of the requirement at the national level (i.e. Belgium).
Children’s rights and social media
The narrative of children and social media often revolves around the various risks children may encounter, such as cyberbullying, grooming and commercial risks. However, social media play a crucial role in the lives of youngsters, as they offer great opportunities to connect with friends and family and are a great source of information. In this context, the UN Committee on the Rights of the Child stresses that a balance needs to be found between three different dimensions of children’s rights, i.e. protection, provision and participation. Children are entitled to certain protection rights online (e.g. the right to private life or the right to protection against sexual exploitation or against harmful content), but they also have the right to assembly, leisure and access to good quality media. These different dimensions need to be carefully considered when debating children’s access to social media.
Parental consent in the GDPR
The GDPR contains a number of measures that specifically apply to the processing of children’s personal data. Article 8, which has been highly debated in the past months, requires parental consent for the processing of children’s personal data for minors up to 16 years. In practice, this would mean that youngsters up to 16 years will have to obtain their parents’ permission to gain access to social media. However, the article leaves room for Member States to lower this age limit down to 13 years. The article remains vague about how parental consent should be obtained in practice. It only requires data controllers (such as social network providers) to make reasonable efforts for verification, taking into consideration available technology. When looking at the GDPR’s recitals, no further clarification is provided.
The Belgian Children’s Rights Commissioner
Aside from this, the Commissioner also stressed the difficulty of implementing a parental consent verification mechanism that actually works. Research has shown for example that even a lot of under 13s pretend to be older online. Finally, the Commissioner highlights the importance of media literacy of children, parents and others responsible for the upbringing of children.
Time for action!
During her talk at the IAMCR Preconference, Professor Eva Lievens (University of Ghent) stressed that although the final text of the GDPR has been adopted, it is not too late to act. While the Regulation entered into force on 24 May 2016, it shall only apply from 25 May 2018. In the meantime, Member States should prepare clear guidelines on the issue of parental consent. To do this properly, such guidelines have to be evidence-based and different parties should be consulted, including children – as they have a right to be heard in all matters affecting them (Article 12 UNCRC) – parents, teachers and industry representatives.