Published on LinkedIn, 6 May 2019.
Article 8 of the GDPR puts forward the conditions under which children can lawfully consent to the processing of their data by third parties over the internet. In this way it continues the good work of Article 7, expanding the GDPR’s approach on the meaning of consent.
Τhe legal text shall, as always under this series, be taken for granted, this being an article by article analysis of the GDPR from an ethics point of view. No time will be spent here discussing the legal approach of the GDPR on this topic and the many interesting issues it raises, most pertinent among which (to me at least) its relationship to Member States’ contract law.
No, instead I will focus on the fact itself that the GDPR decides to regulate the consent of children over the internet. What does that mean? Is it right for the GDPR to do so?
As regards children, human societies live today under the assumption that there is an age-related cut-off point: Before that children cannot do certain things. After that, they immediately can.
The reasons for this cut-off point are purely protective, the point of view however differs each time. It is (mostly) in order to protect them, for example, that children are not allowed to work, fight wars, buy alcohol, have sex or drive a car before a certain age. But it is (mostly) in order to protect society, that children do not get to vote or be elected.
Accordingly, certain rights are acquired in a formal, celebratory manner while others are quietly acknowledged: For example, coming of age may lead to acquiring a national identity card, being enlisted in the army, being registered in voting lists etc. Other rights, such as the right to enter a contract or to have lawfully sex are silently acquired.
If seen from a different perspective, the rights of children reveal what is considered important in human life: Work, war, transport, sex life, politics (religion is a whole different topic, not to be discussed here).
So then how does the GDPR fit in all that?
The GDPR forcefully intervened in issues already resolved by human rights law and contract law to say that consent over the internet is lawful after the 16th year of age. By doing so, it has indirectly introduced personal data into the pantheon of children’s rights. From now on personal data are placed next to the right to work, to vote, to drive, to have sex etc.
What Article 8 actually means is that before a certain age you cannot navigate freely the web, taking full advantage of the internet experience; After a certain age, you can.
If we were to visualise this, presumably there will be a new family ritual from now on, similar to the first driving lesson or the first time to vote: Parents will ceremoniously hand their offspring total control of the internet accounts they have already opened for them.
Is it right for the GDPR to do so?
Seen from a social perspective, this is a tacit acknowledgement that digital life has increased exponentially in importance. By now, the right to navigate the internet is as important as the right to vote or to work. This is an important addition to human life and the GDPR is, I think, the first legal instrument to identify it and bring it to the fore.
In other words, it is one thing for the law to prescribe how goods and services are to be sold online or how cyberbullying is to be considered unlawful, and a completely different thing to set the lawful age for humans’ right to navigate the web. The former regulate operational (however important) details; The latter creates (or acknowledges existence of) a new human right.
Has the GDPR jumped the gun?
This being predominantly human rights’ rather than Internal Market’s subject-matter, it would presumably be state legislators’ job to regulate the details when it comes to the relationship between children and the internet. Also, it is not the GDPR’s job to regulate children’s lawful age to enter into contracts over the web (technically speaking, this is what they do when opening up new internet profiles etc.). So, yes, the GDPR has indeed jumped the gun.
However, somebody had to. In absence of any other legal instrument discussing in detail the relationship between children and the web the GDPR was, I think, right to step in. It identified a gap, sensed relevant social feelings, and acted accordingly. In doing so, it has perhaps indeed highjacked the field – this is, after all, the basic motive (if not leitmotiv) behind this series altogether (see its opening piece). So, perhaps it is true that the GDPR created a new family ritual, but I believe we should welcome it, even not as the end but the (formal) opening of a much-needed discussion.