The GDPR comes into full force in just over two months. One of the small number of derogations the GDPR allows is for a Member State to choose a minimum age of consent for the purposes of processing data online. That means Member States are allowed to determine when young people in their country can decide for themselves whether or not to join Twitter, Instagram and the like.
A country can adopt any minimum age between 13 and 16, with 16 as the default. Before deciding which age to go for no Government or DPA commissioned research to try to understand the nature and extent of children’s comprehension of the modern internet. Instead, quite a few e.g. the UK, opted for the de facto status quo, which is 13. A larger number were content to allow the default to become the standard. A variety of influences appear to have been at play in guiding each country’s decision. As far as I can tell the single most common was a reference to some pre-existing law, regulation or practice which bears no relation to what is actually happening to children online.
The decision in France
Last week in France, the National Assembly appears to have decided to ignore the advice of CNIL, the French DPA. CNIL wanted to stick with the default of 16. French Parliamentarians prefer 15. This puts France alongside Greece and Croatia.
A child’s rights activist from Paris told me she thought it crazy for a child to be able to consent to sex at 15 but not be able to choose to go on Snapchat for another year. I can see that looks odd but there is a big and obvious downside. See below.
Meanwhile Belgium went for 13 and Holland, technically, stuck with 16. Spain already had 14 and apparently is not budging. Austria has chosen 14. Previously it was reported that Ireland was going for 13 but the word is moves are afoot to raise it to 16.
In the case of Germany, when the GDPR kicks in it is going to be 16 because their election cycle meant it was just not possible to consider any alternatives within the time available. Now there is a Government they are going to look at this again in July.
The hodgepodge cometh
It is clear in Europe every available age between 13 and 16 is going to be out there. The hodgepodge cometh, as Shakespeare or Eugene O’Neill, or both, might have said. No one knows what the consequences of this are going to be and they are hard to foresee. Maybe I am worrying over nothing.
The obligation to carry out age verification?
If an online service simply draws a line and says they will not accept anyone below the minimum age, which has largely been the position up until now, how far will companies be expected to go to verify the ages of those who do join? Or will we see a continuation of huge numbers of children simply ticking a box to misrepresent their age? That can be done with or without parental collusion.
We know every service provider is meant to carry out a risk assessment in relation to their product but absent any guidance about how to determine what the risks are or what weight to attach to them one can imagine a wide variety of outcomes.
Undermining the grooming law
The obligation to verify, or not, will matter particularly in those countries such as France where the age of consent to sex is the same as or lower than the age of consent for data purposes. In those places everyone who goes to a social media site will be able to say they had reason to believe the person with whom they were communicating was old enough to agree to meet for sex.
That could make prosecutions for grooming a great deal harder. Children below the age of consent to sex who have been manipulated into agreeing to it will be brought to the witness stand to ask if they lie about their age all the time or only when they want to trick someone into having sex with them. Either way this is not a good outcome for children.
And if, having obtained parental consent, sites decide to accept children below the age of consent to sex, will this be apparent on the child’s visible profile? If it isn’t, the same issue could arise. But of course, signifying a user’s age in this way may not be without significant disadvantages.
Differences in national capabilities to verify age or parental consent
While we’re on it, when it comes to age verification or, for that matter, obtaining parental consent, what are the implications of different countries having different capabilities to do either or both? Things get hodgier and podgier.
The only “safe” option
From the grooming law standpoint, the only “safe “minimum age for data purposes is one which is lower than the age of consent to sex. That is a strong argument for 13. I don’t think any country in Europe has an age of consent to sex which is as low as 13. I guess the alternative is for every social media site to make it plain that membership of its site cannot be taken to imply that every user is old enough to meet for sex. That’ll be a challenge for the marketing department.
Not a once and for all decision
However, getting back to the minimum age, the decision on the Article 8 age is not a once and for all thing. Member States can change their minds. In the UK the DPA is funding the sort of research that should have been carried out before anyone took a decision in the first place. By the time the research is completed we will also have some actual experience of how the new hodgepodge regime is working in practice.
Watch this space.