GDPR does recognise the fact that children are less aware of how the internet works and how their personal information is used by companies, but its rules are far from clear on consent and minimum age.
GDPR also places a premium on customer privacy and data protection but at the same time, the Information Commissioner's Office may allow companies to use legitimate interests instead of consent for collecting children’s' data.
EU's General Data Protection Regulation (GDPR) will come into force exactly a year from today and will raise the bar on how the internet-based industry will treat customer data, implement cyber-security practices and prioritise data protection over profits. However, questions have been raised on whether the industry is ready for the sweeping legislation, whether it will be truly effective in practice and most important of all, if the regulation will be able to safeguard children’s rights.
The Information Commissioner's Office is leading an awareness campaign on GDPR, what it entails and how its rules can be perfected to suit the industry's needs. On the question of children’s rights, The ICO is presently involved in a series of discussions on matters like a minimum age for children to access online content, parental consent and on what basis companies will be able to gather data on children.
On the latter issue, the ICO has released a statement which has led the public to raise some new concerns. The ICO has said that companies may 'consider legitimate interests as a potential lawful basis instead of consent' and that this will help companies assess the impact of processing on children and consider whether it is fair and proportionate. This seems to indicate that companies will not require express consent, either of children or of their parents to gather data but the main question is who will decide if a company's assessment of legitimate interest is fair or not?
Considering the fact that many children below the age of 16 are now online and accessing social media and other websites, a section of the public is demanding the minimum age for consent to be reduced from 16 to 13. While this may bring in a majority of the internet-savvy teenage population under the GDPR's ambit, it does not address the fact that children in the age group of 13 to 15 are not aware of how their data is collected, how it is used and the importance of privacy.
According to the ICO, “parental consent will always expire when the child reaches the age at which they can consent for themselves. You need therefore to review and refresh children’s consent at appropriate milestones.” A lot of social media companies do not know, or ask, the age of their customers and therefore are not aware of how many of their customers are children. Existing provisions of the GDPR neither force companies to determine the age of customers nor do they propose any action on companies that do not profile customers based on age.
Considering these facts, if the minimum age for consent is indeed reduced from 16 to 13, then the government will need to impart social media and internet education to children so that they are aware of the pros and cons by the time they reach consenting age. Considering that the GDPR is just a year away, this is not feasible.
On the other hand, if the minimum age for consent is kept at 16, then there's a major possibility that a lot of children will flout the rules and lie about their age on the internet, thereby derailing the purpose of the regulation.
In such a scenario, the ICO and other government agencies will have to find a middle path to ensure that companies must determine the age of their customers, obtain parental consent when required and use appropriate discretion when collection data on minors. The government will also need to bring in checks and balances and fines to ensure companies will strictly adhere to requirements laid out in the GDPR.