GDPR: the Digital Age of Consent

The Dept. of Justice is undertaking a consultation on what it terms the “digital age of consent”; submissions are due on Friday, 2nd December. These submissions will be considered by the Dept. as it draws up the Heads of the new data protection bill, which is required to implement various provisions of the General Data Protection Regulation (GDPR). The Government’s legislative programme suggests that these heads are “…expected end 2016”. This time-scale is tight, but necessary, as the GDPR will apply from 25th May 2018, little more than 18 months from now.

Why consult?

Article 8 of the GDPR provides as follows:

“…in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child”

Article 8 then goes on to provide that:

“Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years”

The consultation page concludes that the Minister for Justice:

“…would welcome the views of interested parties, including bodies representing parents and young people, child protection bodies, privacy advocates and other interested parties”

The dangers that social media can pose to children are illustrated by a recent Northern Irish case in which it was alleged that the young plaintiff had posted “…on her Facebook page from the age of 11 onwards. Those postings were of an entirely inappropriate sexual nature and they prompted responses from others of the same inappropriate sexual nature. In short it is alleged that the plaintiff at the age of 11 was exposed to sexual predators on the internet through the medium of Facebook….” However, it is not just children who can be harmed by internet posts. Recently a 31-year-old Italian woman killed herself after battling “…for months to have a sex video removed from the internet…” But as Recital 38 of the GDPR points out:

“Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data”

It also has to be kept in mind that the obligation to check the age of users before processing their personal data on the basis of consent will not apply solely to social media companies such as Facebook but to all providers of information society services. These are defined by Directive (EU) 2015/1535 as:

“…any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”

This definition extends far beyond social media, as is made clear from Annex 1 to Directive (EU) 2015/1535, which sets out an indicative list of things that are not information society services, such as “medical examinations or treatment at a doctor’s surgery using electronic equipment” and “automatic cash or ticket dispensing machines”. This suggests that a very broad range of internet-based activities, such as on-line banking, e-commerce and travel sites, are information society services.

What are the consequences of age verification?

Article 8 of the GDPR requires that providers of information society services be able to do two things before processing personal data on the lawful basis of consent:

  • Identify who is, or is not, a child;
  • Identify who the parents or guardians of those children are.

Age and identity verification is difficult; this difficulty led the US Supreme Court to strike down the Communications Decency Act back in 1997. It is a difficulty that remains to this day. As a result, the obligation to verify is not absolute; article 8(2) goes on to provide:

“The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology”

However, this is a difficulty that the EU’s legislature is determined to address by regulating for trust services and eID. Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions “…lays down the conditions under which Member States recognise electronic identification means of natural and legal persons falling under a notified electronic identification scheme of another Member State”.

The Court of Justice is also doing its bit to encourage the verification of internet users’ identity. In Mc Fadden it held that in order to protect the respondent’s intellectual property “…a measure consisting in password-protecting an internet connection may dissuade the users of that connection from infringing copyright or related rights, provided that those users are required to reveal their identity in order to obtain the required password and may not therefore act anonymously”.

The issue of how information society providers should verify the age of children or the identity of their parents does not form part of the consultation.  All that the CJEU is asking is whether children should continue to get the benefit of the special protections provided by the GDPR until they are 16 or whether they should be able to provide digital consent when as young as 13.  As the consultation explains:

“A range of divergent views have been advanced on the subject. Those supporting the retention of 16 years underline the importance of maintaining safeguards for young teenagers, including parental consent, while others who support the lower threshold stress the importance of empowering teenagers themselves to take control of their personal data, especially in the online environment”