Children’s charities’ coalition on internet safety (CHIS): Letter to Information Commissioner’s Office (UK)
March 28, 2017Dear ICO,
Re: Consultation on GDPR Consent guidance
We were pleased to note there will be a specific and separate consultation in relation to the position of children under the GDPR. We look forward to contributing in an appropriate way at the right time. Please keep us informed.
Beyond that we do have one small, or maybe not so small, caveat. There could be “crossover” issues or areas of overlap or uncertainty e.g. where a website or online service does not target children but nevertheless it attracts significant numbers of children. How should such a site or service be treated? How should it think of itself? Can it proceed as if all users are adults because adults are its target audience? Will sites be under an obligation to “know their customers” so they can determine whether children are in fact present? What duty will site or service owners have in this regard? Should we establish thresholds or triggers to determine when a site reaches a “crossover” point and henceforth must acknowledge it is being used by significant numbers of children and act accordingly?
Our understanding is that while the GDPR makes many references to children it does not actually define what a child is. Therefore, because every EU Member State is also a signatory to the UNCRC and the EU itself recognizes the primacy of Treaties such as the UNCRC, for a range of purposes that are relevant to the operation of the GDPR it remains the case that a child is a person below the age of 18. Please excuse us if it seems we are merely stating the obvious but in the UK and many other jurisdictions being under the age of 18 has an associated range of legal consequences which either limit what a child can do, or it provides extra layers of protection, and usually it’s both.
If this is a correct reading of the situation all references to a child must be understood as being a reference to a person under the age of 18 . Thus for the purposes of this discussion it feels like there are, in reality, four relevant categories of children about whom we need to be mindful in this discussion.
The categories are:
- Children who are at or above the age at which they can give consent to their data being processed by an Information Society Service Provider without that provider needing to obtain the consent of the child’s parent.
- Children who meet the foregoing criterion but nevertheless, by definition and obviously will still be under 18 – there may be many circumstances where it is highly relevant to remind data processors that a person with the capacity to supply data without having to obtain parental consent nevertheless may lack full legal capacity in other important respects and may require additional safeguarding considerations.
- Children at or below the age where parental consent will always be required.
- Children who misrepresent their age in order to gain access to a site or service. Probably these will be children who are below the minimum age whose parents declined to give them permission to join or who were never asked in the first place. Alternatively these could be sites or services which are expressly intended to be used by persons in a higher age range. The precise details of how Article 35 will operate is likely to be of particular relevance here. Any site or service which declares an age limit in respect of all or part of its operations should have the ability to enforce that term, otherwise it might be tantamount to being a deceptive practice. We think this is true generally but it is of particular importance where failure to enforce the age requirement creates a risk of harm to a child.
Different jurisdictions are likely to end up with different lower age limits yet the sites and services will be the same and children will be using them at the same time. Has any consideration been given to the several implications of this scenario?
Wherever an age limit is drawn, will there not be a temptation on the part of Information Society Service providers to regard everyone they have accepted as a user or member to be fully competent to interact with or use every service they supply? In the case of older children we note, for example, that between the (effective) ages of 12 and 18, or even 12 and 16, they do a lot of growing up. It seems unsafe to imagine everybody within such a wide age range forms a single, developmentally homogenous group.
On a related theme, the consultation document refers to the Gillick Principles, which address an individual child’s competencies. Is the application of these principles limited to any extent by the establishment of “hard age borders”? How might the principles be applied within hard age borders? We appreciate the potential practical difficulties but before we go much further we ought to be clear about the basis on which we are establishing the rules.
Of course hanging over all this is the question of the lower age limit. It is still not resolved, nor is the basis on which a decision will be taken any clearer.
Yours sincerely,
John Carr OBE
Secretary
www.chis.org.uk