The desire to protect children on the Internet is understandable. The Internet can be a dangerous place for unsuspecting adults, let alone children. There have been many stories of bullying, sexual assault and even suicide facilitated by online communication.
On the other hand, some, like Joseph Savirimuthu, Senior Lecturer in Law at the University of Liverpool, disagree. Mr Savirimuthu opines that these revised rules will effectively kick young people off social media. He argues that the provisions in the GDPR actually do not take children’s rights into account.
What do the new rules say?
The GDPR sets the age of consent at 16 years, although countries can reduce that age to as low as 13. This is much higher than the 13-year bar under the currently valid Data Protection Directive.
It is expected that most – but not all – countries will do so. 13 years is an interesting age, since it corresponds to the US’s COPPA law, which similarly restricts participation of children under 13 years old on social networks, unless parental consent has been obtained.
Most countries have adopted the 13-year-old age of consent, but some, such as Austria, opted to put it at 14. Others, like Germany, Hungary or the Netherlands, keep it at 16.
Experts such as Janice Richardson questioned the intrusion of laws into developmental psychology by moving the age of consent to 16 years instead of 13 without consultation with the experts or the public. She went on to claim that teenagers are, on average, very knowledgeable when it comes to sharing their data online and know the means to protect it.
Most experts feel that the articles pertaining to children are poorly thought out, with ad-hoc provisions that are difficult to implement. And, put bluntly, can 15-year-olds really be considered children?
Additionally, writes Mr Savirimuthu, the interests of the child might differ from those of their parents. Requiring parental consent could be a direct intrusion into children’s rights.
How should the companies verify consent? This question has gone largely unanswered. Technically, children can still create accounts if they obtain consent from their parents. But how can the companies verify that the parents have indeed consented?
Most verification methods can be faked or circumvented. ID scans? It is very easy for a child to scan them in lieu of their parents. Consent forms? You still cannot know for sure that a parent has signed them.
Basically, nothing short of a notarised statement or a digitally signed statement can work – if the goal of the lawmakers is to truly protect children against the evils of social networks.
The result? Teens aged between 13 and 15 will certainly feel the need to embellish their age by rounding it up to 16 in order to avoid cumbersome checks and be able to use the social networks. Likewise, the social networks will not be aware, pending deeper analyses, whether the user really is 16 years old, potentially exposing a very vulnerable group of users to all the ills of social media.
Most likely, the companies will opt to keep all EU teens aged 16 or less off their social networks – like they did with teens under 13 in the US.
Social networks could implement an ‘interim group’ where teens between 13 and 16 would be placed. Profiles belonging to that group would not be served interest-based ads and would not be profiled. This would balance out their privacy rights with their rights to participation in the digital society, according to a proposal by LSE Professor Sonia Livingstone.
Even if the age of consent is left at 16, public funding for other services could fill in the void by creating non-commercial outlets for their creative and communication activities.
While some degree of protection for children is welcome, the lawmakers might have gone a bit too far this time. Time will tell whether the critics were right.