There seems to be general consensus in many EU jurisdictions on the fact that minors should benefit from a stronger protection of their privacy and personal data. The European Commission’s proposal for a new Data Protection Regulation expressly states that the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child’s parent or custodian (art.8). In one its recitals, the proposal mentions that minors deserve extra protection because they may be less aware of risks, consequences, safeguards and their rights. The proposed Regulation also provides extra protection to children in specific provisions relating to transparency (art.11, recital 46), the right to erasure (art. 17, recital 53), data protection impact assessments (art.33) and codes of conduct (art. 38).
One of the main issues regarding personal data protection of minors seems to be at what age they can be expected to give a valid consent. The law is unclear about this and practices vary in different jurisdictions. Many European jurisdictions seem to draw a vague line around the age of 14. Nevertheless, potential data controllers have an extra duty of care when dealing with minors. In Germany, for example, professionals such as doctors, social workers or teachers have such Fürsorgepflicht when assessing the consent of minors from 12 upwards. In practice this means that the minor’s consent is a priori valid, but the data controller must make a professional judgement and consult the parents or even refuse consent if deemed appropriate. Failure to do so might result in a breach of their duty. The French Data Protection Authority (DPA) has emphasised the importance of involving parents, and expressly stated that written parental consent is required for the collection of personal data in a school environment (en milieu scolaire). Both Germany and France have also stressed that minors should not be consulted with regard to personal data that does not relate to them (but, for example, to their parents or siblings). The Belgian Privacy Commission stated that extra care is required for minors that have not reached ‘maturity’ yet, but leaves this concept deliberately vague. Although the Belgian Privacy Act does not explicitly mention a specific regime for minors, its provisions are flexible enough to make an appropriate balance depending on the context and actors at stake. Put briefly, according to the Belgian DPA specific parental consent will be required when the processing relates to sensitive data (e.g. health information); when the child has not reached maturity yet; when the purpose is not in the direct interest of the child (e.g. direct marketing); or when the data is intended for publication. The Portuguese DPA emphasised that although children over 14 can give a valid consent (even from the age of 12 in trivial matters), it will generally be required that their parents are at least consulted. In Spain, the data protection legislation explicitly states that personal data of over 14 year olds may be processed with their consent, except ‘in those cases where the law requires the assistance of parents or guardians in the provision of such data’. The general rule of thumb in Denmark seems to apply the age of legal competency (15) to data protection as well. The DPA, however, has stressed that this is merely a rule of thumb and that all relevant elements in each particular situation should be taken into account. In Sweden there is a similar guideline (age of 14-15, exceptionally 13) that remains subject to context-specific elements and the minor’s level of maturity. The European NGO Alliance for Child Safety Online (eNacso), finally, has stated that parental consent is required whenever a minor cannot be expected to understand the data transaction. The Alliance continues to say that service provides cannot deduct general consent from the fact that their service is paid/contracted for by the minor’s parents.
Besides issues related to consent, it has been stressed that the transparency requirement must be taken extra care of when dealing with minors. The data controller will have to make its information very accessible, simple and direct. Data controllers in Spain are even legally bound to provide this information in easily understandable language, with express indication of the minor’s rights. In Sweden, data controllers will always have to inform the parents of minors, even if they are deemed to be capable of giving a valid consent. According to the Belgian Privacy Commission, minors should retain full control over their personal data and be encouraged to inform their parents of their online activities.
Put briefly, when processing personal data of minors, data controllers will always have to take extra care. Although age would constitute a straightforward and easy criterion to decide on whether or not consent is an adequate legitimacy ground, other criteria are deemed to be more important (e.g. level of maturity). Data controllers will have an important responsibility and duty of care when dealing with minors. Each situation of data processing will have to be assessed independently, taking into account the specific context, identity of actors and type of personal data (processing). As a general rule, data controllers are advised to put extra efforts into all their legal obligations (supra). More specifically, provide short and understandable information, ask parental consent and clearly define the purpose and scope of processing.