The General Data Protection Regulation (2016/679/EC) has been in force since 25.05.16 and becomes applicable from 25.05.18 and as a result a significant number of companies (establishments in GDPR speak) are well advanced in their preparations.
While it does not affect many, the issues surrounding the handling of child data are of concern to those affected because of the understood and understandable need to protect children in our society.
What the GDPR says
Recital 38 sets out that: “Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.”
Recital 58 adds that communication with children “should be in clear and plain language that a child can easily understand.” This is confirmed in Article 12(1).
Recital 65 emphasises that the key data subject rights of rectification, erasure and withdrawal of consent are particularly important to children and should apply when they progress to adulthood. Many readers, it is submitted, will have done things as children which they would prefer did not follow them into adulthood.
Recital 71 deals with the right to non-profiling which exists for all and concludes that children should not be subject to profiling at all.
Recital 75 stresses that the “rights and freedoms of natural persons” (Charter Rights from the Charter of Fundamental Rights of the European Union (2000/C 364/01)) are particularly important when dealing with children and vulnerable persons.
Article 6(1)(f) provides that the legitimate interest pathway is overridden by the rights and freedoms of the data subject, especially where child data is involved.
Article 8 deals with child consent. The default age of consent in the GDPR is 16, and Member States can legislate to lower the age, but not lower than 13 (Art. 8(1)). Key to consent when below the age of consent is “that consent is given or authorised by the holder of parental responsibility over the child”.
Article 8(2) confirms that the “controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology” and Article 8(3) sets out that Article 8(1) does not overrule Member State law concerning “the rules on the validity, formation or effect of a contract in relation to a child”.
The Codes of Conduct described in Article 40 of the GDPR are not yet in place. Therefore any discussion of these is somewhat speculative. Article 40(2)(g) provides that a Code of Conduct will be established governing “the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained.”
Article 57(1)(b) provides that each supervisory authority (regulator) must give specific attention to promoting public awareness of risks, rules and safeguards relating to child data.
A high-level view of Article 8 of the GDPR might lead the reader to consider that the data controller only needs to make “reasonable” efforts to determine the identity of a person purporting to have parental responsibility for a child. Clearly “reasonable” is subjective and therefore in the limit whether a controller has acted reasonably is likely to be determined by a court considering all of the relevant circumstances, including the emphasis in the recitals to the Regulation.
However, the first hurdle to overcome, especially with on-line businesses, is how the age of the person wishing to use their service can be determined. In some Member States, young persons’ identity cards are available which include the child’s date of birth. Therefore in a State where the GDPR age has been set to 13, the child might be able to prove by independent means (through some government verification of the ID card) that they are aged 13 or over. However, in the United Kingdom no such official mechanism exists at present.
A birth certificate is of no use because it cannot be independently verified in a short time (i.e. on-line), nor can the person presenting it prove that it is in fact their birth certificate. A passport might assist if visual verification of the holder against the passport photograph is available, although passports are not always held by children. Nor, it is submitted, is a letter from a “parent” reliable, as their status cannot be verified either.
Indeed, the question of identification may turn out to be the biggest hurdle for any enterprise which may be dealing with child data. Failure to deal with child data properly renders the controller liable to regulatory fines and actions in tort which are potentially eye-watering in comparison with those under the previous regime even though the fundamental issue of consent remains unchanged.
The questions any such enterprise will need to consider are:
1. How does one verify the identity of a child and, in particular, his or her age?
2. Where the child volunteers or is confirmed as being below the age of consent in the relevant Member State, how does one verify that the purported parental authority is being properly and lawfully exercised?
It is submitted that in the United Kingdom at least (where child protection laws are similar between the jurisdictions of England and Wales, Scotland and Northern Ireland) to do this in a manner which will pass the subjective test of reasonableness is very difficult. We have, for better or for worse, no national identification scheme. A person (in England and Wales) can call themselves whatever they like; and to carry out a DNA test would not only be manifestly disproportionate but would nevertheless fail to detect parents from whom parental responsibility has been removed and would fail to provide a positive indication for parents who have adopted a child or guardians.
The GDPR, by importing Charter Rights, sets the bar substantially higher for the data controller. Charter Rights overrule all other European Law rights and are therefore very important. There are multiple mentions of “rights and freedoms” of data subjects in the GDPR and each of these is a reference to Charter Rights.
The problem is, it is submitted, very difficult indeed. The simple solution might be to avoid dealing with child data but even for adult services, the question remains about whether a person purporting to be an adult is not actually a child.
Checks of UK identity documents:
The Government publishes information on how to verify UK passports in a regularly updated document called “Basic Passport Checks” which can be found on-line here (the document covers passports issued between 1988 and 2016, which includes passports being issued at the time of writing), but this requires manual inspection of the document and the facility to view it under UV light.
It is possible to verify a driving licence on-line using the same scheme that was introduced when the paper counterfoil was discontinued to facilitate driver records being verified by car hire companies. This can be done here. The document still needs to be manually seen in order to verify that the person presenting it is the proper holder of it. Such a check can only be used to verify the age of a person who is 17 or older (16 or older if the person claims certain mobility benefits) and requires the assistance of the holder.
The UK Government operates a scheme called "gov.uk verify" which allows users to use a number of agencies to validate their identification information and then provide credentials for use of government services. It is understood that these can only work for persons over the age of 18.
National Insurance Number checks are only really available to employers and, in any event, do not verify the identity of the person presenting the number, only the validity of the number itself.
The ICO guidance is, at the time of writing, not really sufficient to enable a service provider to make an assessment of how to verify the identity of a child or of a person purporting to have parental responsibility.
The National Health Service, in its advice in relation to children and young people, advises that children can give consent in relation to their own medical treatment if they are believed to have enough intelligence, competence and understanding to fully appreciate what is involved in their treatment (see here). This is known as Gillick competence, which follows the House of Lords decision in the case of Gillick v West Norfolk and Wisbech Area Health Authority AC 112, in which it was held that there was no statutory limit on the age of the persons to whom contraceptive facilities might be supplied and that a girl under the age of 16 years had the legal capacity to consent to medical examination and treatment, including contraceptive treatment, if she had sufficient maturity and intelligence to understand the nature and implications of the proposed treatment.
It is submitted that the concept of Gillick competence cannot be relied upon in relation to child consent under GDPR as the GDPR sets down a defined age of legal competence to consent to personal data being processed.
Position elsewhere in Europe
It is abundantly apparent that the issue of child consent is causing debate and reflection worldwide. Within the EU there has been considerable debate in, inter alia, Germany, Belgium and France. CNIL, the French regulator, published a consultation in March 2017 in which the following questions were asked: “How can it be determined with certainty that the person concerned is a minor? How can the consent of the holder of parental responsibility be obtained when a minor is under 16 years old? How can specific consent for the collection of sensitive data be gained?”
In their article “Consent for processing children’s personal data in the EU: following in US footsteps?”, Macenaite and Kosta summarise the debate within EU Member States regarding child consent throughout the passage of the GDPR through the legislative process. However, only passing mention is made of how controllers should validate the authenticity of purported consent from a parent or guardian.
United States of America
The Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501–6505 (COPPA) is a US Federal law enacted on 21.10.98 designed to protect children under the age of 13 from online data collection without consent. COPPA requires the data controller to obtain “verifiable parental consent” such that the controller ensures that the person purporting to consent on behalf of a child has the relevant parental authority. The Federal Trade Commission provides guidance on obtaining “verifiable parental consent”, which includes (from Macenaite & Kosta):
• providing a form the parent can print, fill out, sign and post, fax or scan and email back;
• requiring the parent to use a credit card or similar method of payment (such as PayPal) in connection with a monetary transaction (this could include a membership or subscription fee, or simply a charge to cover the processing of the card);
• maintaining a free-phone (toll free) number staffed by trained personnel for parents to call in their consent;
• permitting the parent to connect to trained personnel via video conference; or
• verifying the parent’s identity by checking a form of government-issued ID against a database of such information, provided that the ID is deleted promptly after verification is complete.
It is apparent that while there is nothing preventing controllers from following this guidance to support their GDPR obligations, they are not mandated and are not currently widely suggested.
It is submitted that while the GDPR represents a step forward in unifying EU law on data protection, the important area of protecting children has been poorly executed. While the importance of protecting children is clearly laid out, the rules have been confused to the extent that a controller seeking to merely do what is needed might consider that doing almost nothing (paying lip-service to the regulation) is an easy option. This doing of almost nothing might avoid even covering the basic steps set out in the US COPPA which requires at least some form of manual intervention to check purported parental consent.
The fundamental issues of how a person purporting to be an adult can be verified or how purported parental consent can be authenticated are not dealt with at all and it is submitted that this represents a significant lacuna in the GDPR as enacted.
Children’s advocates should be alive to these issues, along with insurers seeking to understand the risk associated with the manner in which their customers deal with child data and the associated consent.