Looking for needles in a haystack: Key issues affecting children's rights in the General Data Protection Regulation

ARTICLE IN PRESS computer law & security review ■■ (2017) ■■–■■

Available online at www.sciencedirect.com

ScienceDirect w w w. c o m p s e c o n l i n e . c o m / p u b l i c a t i o n s / p r o d c l a w. h t m

Looking for needles in a haystack: Key issues affecting children’s rights in the General Data Protection Regulation Eva Lievens a,*, Valerie Verdoodt b a b

Faculty of Law, Ghent University, Belgium Centre for IT and IP Law, KU Leuven, Belgium

A B S T R A C T Keywords:

The EU General Data Protection Regulation (GDPR) devotes particular attention to the pro-

Data protection

tection of personal data of children. The rationale is that children are less aware of the risks

Privacy

and the potential consequences of the processing of their personal data on their rights. Yet,

Child

the text of the GDPR offers little clarity as to the actual implementation and impact of a

Children’s rights

number of provisions that may significantly affect children and their rights, leading to legal

General Data Protection Regulation

uncertainty for data controllers, parents and children. This uncertainty relates for instance to the age of consent for processing children’s data in relation to information society services, the technical requirements regarding parental consent in that regard, the interpretation of the extent to which profiling of children is allowed and the level of transparency that is required vis-à-vis children. This article aims to identify a number of key issues and questions – both theoretical and practical – that raise concerns from a multi-dimensional children’s rights perspective, and to clarify remaining ambiguities in the run-up to the actual application of the GDPR from 25 May 2018 onwards. © 2017 Eva Lievens, Valerie Verdoodt. Published by Elsevier Ltd. All rights reserved.

1.

Introduction

In recent years, significant technological progress, globalisation and the emergence of new business models have contributed to the collection and processing of personal data on an ever-increasing scale. Children’s personal data as well is

being collected in unprecedented quantities, by businesses, governments, schools, and other organisations, leading to children’s lives being increasingly ‘datafied’.1 Children’s online behaviour is being tracked by means of cookies and plug-ins;2 joining a social media platform or downloading an app usually involves a transfer of personal information; advergames offer content tailored to the age or sex of the child; and

* Corresponding author. Faculty of Law, Ghent University, Voldersstraat 5, 9000 Ghent, Belgium; Valerie Verdoodt, Centre for IT and IP Law, KU Leuven, Sint-Michielsstraat 6, 3000 Leuven, Belgium. E-mail addresses: [email protected], [email protected] (E. Lievens). 1 D. LUPTON and B. WILLIAMSON (2017) The datafied child: The dataveillance of children and implications for their rights. New Media & Society Vol. 19, Iss. 5, 780–794; S. VAN DER HOF (2017) I agree. . . or do I? – A rights-based analysis of the law on children’s consent in the digital world. Wisconsin International Law Journal 34, 409–445. 2 In 2015, an international network of data protection authorities conducted a privacy sweep of 1494 children’s websites and apps, which showed that 67% of the websites and apps were collecting children’s personal data and 50% shared this personal data with third parties. GLOBAL PRIVACY ENFORCEMENT NETWORK (2015) Results of the 2015 Global Privacy Enforcement Network Sweep. Retrieved from https:// www.priv.gc.ca/en/opc-news/news-and-announcements/2015/nr-c_150902/. https://doi.org/10.1016/j.clsr.2017.09.007 0267-3649/© 2017 Eva Lievens, Valerie Verdoodt. Published by Elsevier Ltd. All rights reserved. Please cite this article in press as: Eva Lievens, Valerie Verdoodt, Looking for needles in a haystack: Key issues affecting children’s rights in the General Data Protection Regulation, Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.09.007

ARTICLE IN PRESS 2

computer law & security review ■■ (2017) ■■–■■

connected toys interact with children and even record conversations.3 On the one hand, these technologies offer numerous opportunities for exercising children’s fundamental rights under the United Nations Convention on the Rights of the Child (UNCRC)4, including inter alia their right to freedom of expression (article 13), right to freedom of assembly (article 15), right to education (articles 28 and 29) and right to play (article 31). On the other hand, significant risks may arise, such as the potential impact of the vast collection of children’s personal data on their right to development (article 6) and right to privacy (article 16). Against the background of this fast-evolving digital environment, the legal framework is also undergoing significant reforms. The new EU General Data Protection Regulation (“GDPR”),5 devotes specific attention to the protection of children’s personal data.6 This Regulation was adopted by the European Union Parliament and Council on 27 April 2016, and will be applicable as of 25 May 2018. The GDPR is applicable to (most often fully or partially automated)7 processing8 of personal data9 (Article 2 GDPR)10 and is underpinned by the

3

S. CHAUDRON, R. DI GIOIA, M. GEMO, D. HOLLOWAY, J. MARSH, G. MASCHERONI, J. PETER, and D. YAMADA-RICE (2017) Kaleidoscope on the internet of toys. Retrieved from http://publications.jrc.ec.europa.eu/repository/ bitstream/JRC105061/jrc105061_final_online.pdf. 4 GENERAL ASSEMBLY OF THE UNITED NATIONS (1989) Convention on the Rights of the Child. Retrieved from http://www.ohchr.org/EN/ ProfessionalInterest/Pages/CRC.aspx; hereinafter UNCRC. 5 EUROPEAN PARLIAMENT AND COUNCIL (2016) Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 4 May 2016, L119/1. 6 In contrast, the recent proposal for an e-Privacy Regulation does not contain specific references to children: EUROPEAN COMMISSION (2017) Proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), 10 January 2017. Retrieved from https://ec.europa.eu/ digital-single-market/en/news/proposal-regulation-privacy-and -electronic-communications. 7 As well to “processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system” (Article 2 GDPR). 8 Processing is “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (Article 4(2) GPDR). 9 Personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Article 4 (1) GDPR). 10 With regard to the territorial scope, the GDPR applies to (1) the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not; (2) the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or

premise that natural persons should have control of their own personal data.11 Although the EU legislator opted for a high level of harmonisation by adopting a regulation, the GDPR still leaves a margin of manoeuvre to the EU Member States regarding the implementation of certain provisions, including a number of provisions that could be important for children. Hence, at the moment, it is still unclear what the real impact of the GDPR on the daily lives of children and the exercise of their rights will be. This article aims to identify a number of such key issues from a children’s rights perspective and to clarify remaining ambiguities in the run-up to the actual application of the GDPR.

2.

Specific protection for children in the GDPR

The existing EU data protection framework did not make a distinction between children and adults. Directive 95/46/EC does not contain any child-specific provisions and, as such, data controllers have to comply with the same set of legal requirements for processing personal data, regardless of the age of the data subjects. In turn, data subjects can rely on the same rights and principles, regardless of their age. In 2006, the European Commission launched its EU Strategy on the Rights of the Child12, recognising children’s rights as a priority across different policy domains. In 2009, the Article 29 Working Party13 issued an opinion on the protection of children’s personal data, referring explicitly to the 2006 Strategy.14 In this opinion, general principles and guidelines for the processing of children’s personal data are discussed (e.g. concerning consent). The Working Party emphasised that the processing of children’s personal data requires extra care. This idea has been reiterated in other opinions, such as the one on smart devices, in which app developers are recommended to interpret the principles of data minimisation and purpose limitation in a more stringent way when children are involved,15 or in its opinion on online services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union; and (3) the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law (Article 3 GDPR). 11 Recital 7 GDPR. 12 EUROPEAN COMMISSION (2006) Towards an EU Strategy on the Rights of the Child, COM(2006) 367 final, 4 July 2006. Retrieved from http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX: 52006DC0367&from=NL. 13 The Article 29 Data Protection Working Group (“Working Party”) is a European advisory body comprising of representatives of the national data protection authorities. Although the opinions of the Working Party are not binding, significant authoritative value is attached to them, as all the Member States are represented in this body. 14 ARTICLE 29 DATA PROTECTION WORKING GROUP (2009) Opinion 2/2009 on the protection of children’s personal data (General Guidelines and the special case of schools). Retrieved from http://ec.europa.eu/ justice/policies/privacy/docs/wpdocs/2009/wp160_en.pdf. 15 ARTICLE 29 DATA PROTECTION WORKING GROUP (2013) Opinion 02/2013 on apps on smart devices. Retrieved from http://ec.europa.eu/justice/ data-protection/article-29/documentation/opinion-recommendation/ files/2013/wp202_en.pdf, 26.

Please cite this article in press as: Eva Lievens, Valerie Verdoodt, Looking for needles in a haystack: Key issues affecting children’s rights in the General Data Protection Regulation, Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.09.007

ARTICLE IN PRESS computer law & security review ■■ (2017) ■■–■■

behavioural advertising which states that “ad network providers should not offer interest categories intended to serve behavioural advertising or influence children”16. The fact that children merit ‘specific protection’ regarding their personal data has now been explicitly acknowledged by the EU legislator in the GDPR. Recital 38 GDPR explains that children are less aware of the risks and the potential consequences of the processing of their personal data on their rights. Moreover, the GDPR recognises that the processing of children’s personal data may result in risks to the rights and freedoms of natural persons.17 Children merit specific protection especially when their personal data is used for marketing purposes, for the creation of profiles and for the collection of their data when using services offered directly to a child.18 The GDPR refers to this specific protection in several recitals and provisions, sometimes explicitly and at other times more implicitly. The next sections contain an overview of the new elements of this protection introduced by the GDPR and the potential consequences or issues regarding their implementation in practice.

2.1.

Definition of a child

First, it is important to note that the GDPR does not contain a definition of ‘a child’. As a result, it is not entirely clear until what age children can benefit from the specific protection that is referred to in recital 38. In its 2009 opinion, the Article 29 Working Party refers in this regard to the relevant international instruments, such as the UNCRC, indicating that a child should be understood as any person under the age of 18 years, unless he or she has acquired legal adulthood before that age.19 Although this interpretation was integrated in the initial proposal for a GDPR of the European Commission, it disappeared from later iterations by the European Parliament and the Council. During the legislative process the broad interpretation of children as under-18s gave rise to criticism, including from the US Department of Commerce, which argued that it could have a negative impact on the rights of older children (e.g. 13 or 16 to 18 year olds, infra).20 Yet, from a children’s rights perspective, the exercise of the rights under the GDPR should not necessarily be the same for all children. The UNCRC refers to the importance of the evolving capacities of children, and their level of maturity, in exercising their rights.21 Considering this, the Article 29 Working Party stressed that the exercise of 16 ARTICLE 29 DATA PROTECTION WORKING GROUP (2010) Opinion 2/2010 on online behavioural advertising. Retrieved from http://ec.europa .eu/justice/policies/privacy/docs/wpdocs/2010/wp171_en.pdf, 20. 17 Recital 75 GDPR. 18 Recital 38 GDPR. 19 ARTICLE 29 DATA PROTECTION WORKING GROUP (2009) ARTICLE 29 DATA PROTECTION WORKING GROUP (2009) Opinion 2/2009 on the protection of children’s personal data (General Guidelines and the special case of schools), 3. Retrieved from http://ec.europa.eu/justice/policies/ privacy/docs/wpdocs/2009/wp160_en.pdf. 20 K.C. MONTGOMERY and J. CHESTER (2015) Data Protection for Youth in the Digital Age – Developing a Rights-based Global Framework. European Data Protection Law Review, Vol. 1, Iss. 4, 289. 21 Article 5 (i.e. evolving capacities of the child) and article 12 (i.e. the right to be heard in accordance with the age and maturity of the child) UNCRC.

3

children’s rights should be adapted to the level of their physical and psychological development.22 More specifically, children’s data protection rights should be viewed from a dual perspective, i.e. a static and a dynamic perspective. On the one hand, children have not reached physical and psychological maturity (static), but on the other, the child is in the process of developing physically and mentally to become an adult (dynamic).23 The general principles and requirements for the processing of children’s personal data must be considered in light of this dual perspective, according to the Article 29 Working Party. It implies, in our view, that different measures should be taken for younger children and adolescents (infra).

2.2.

The age threshold for consent24

Notwithstanding the possibility for the data controller to rely in certain circumstances on other legitimate grounds for processing,25 the GDPR is fundamentally built on the notion of the informed data subject, who agrees in a freely given, specific, informed and unambiguous manner26 to having his or her personal data processed. As such, the GDPR is underpinned by the idea that a transparent and simple explanation of the purpose(s) of the processing of personal data allows a data subject to make an informed decision.27 It seems obvious that this process is more complex in relation to children. The GDPR does recognise this and has introduced specific ‘protection’ for children in article 8, which defines the conditions for consent as a legitimate ground for processing children’s personal data.28 Article 8 is by far the most debated provision of the GDPR in relation to children. The article states that, in relation to the offer of ‘information society services’ ‘directly to a child’ and when the data controller relies on consent as a legitimation ground, the processing of a child’s personal data shall only be

22 The Article 29 Working Party explicitly refers to the right to development of the child in this context, laid down in article 6 UNCRC. 23 ARTICLE 29 DATA PROTECTION WORKING GROUP (2009) Opinion 2/2009 on the protection of children’s personal data (General Guidelines and the special case of schools), 3. Retrieved from http://ec.europa .eu/justice/policies/privacy/docs/wpdocs/2009/wp160_en.pdf. 24 For an extensive analysis of this issue, cf. M. MACENAITE and E. KOSTA (2017) Consent for processing children’s personal data in the EU: following in US footsteps? Information and Communications Technology Law, Vol. 26, Iss. 2, 146–197 and S. VAN DER HOF (2017) I agree. . . or do I? – A rights-based analysis of the law on children’s consent in the digital world. Wisconsin International Law Journal 34, 409–445. 25 Article 6 GDPR. 26 Cf. the definition of consent in recital 32 GDPR and article 4 (11) GDPR. 27 B-J. KOOPS (2014) The trouble with European data protection law. International Data Privacy Law, Vol. 4, Iss. 4, 3; N. FISK (2016) The Limits of Parental Consent in an Algorithmic World. LSE Media Policy Project Blog. Retrieved from http://blogs.lse.ac.uk/mediapolicyproject/ 2016/11/28/the-limits-of-parental-consent-in-an-algorithmic -world/. 28 Note that the third paragraph of Article 8 GDPR emphasises that the first paragraph, in relation to these requirements for consent, “shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child”. It remains unclear at present what the actual impact of this particular paragraph will be in practice.

Please cite this article in press as: Eva Lievens, Valerie Verdoodt, Looking for needles in a haystack: Key issues affecting children’s rights in the General Data Protection Regulation, Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.09.007

ARTICLE IN PRESS 4

computer law & security review ■■ (2017) ■■–■■

lawful if the child is at least 16 years old.29 If the child is younger, parental consent needs to be obtained. The first essential question that arises is which services fall within the scope of this article. Information society services are defined as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.”30 Such services do not necessarily require payment by the users themselves. It has been established that services financed by advertising would also fall under this definition (i.e. the alleged ‘free’ services such as social media, search engines, news portals, etc.).31 However, it is less clear whether online services for children provided by, for example, non-profit or educational organisations would or could in certain situations fall within the scope of article 8.32 Second, it is unclear what is meant by a service ‘directly offered to a child’. Is this limited to services such as YouTube Kids, for instance, which are targeted at children, or does this include all services that are actually used by children on a regular basis? Taking into account children’s day-to-day use of online services, the actual aim of article 8 would be undermined if the first interpretation would be upheld. Article 8 does allow Member States to lower the age threshold of 16 years to a minimum of 13 years. If Member States use this option, it would mean that in practice different age thresholds would apply throughout the European Union. This entails that companies providing online services in different Member States will have to respect different rules across the European Union, requiring extra efforts and investments, in particular for smaller players. The extent to which this will be necessary depends on whether Member States will require service providers to comply with the age threshold determined in the country in which they are established or in the country where their users reside.33 The first option entails that a company established in Member State A but offering its services in Member State B will need to comply with the age limit of the former. Exceptions could be made if the establishment

29 Note that in the Commission Proposal the age threshold was set at 13; for more information: see K. MCCULLAGH (2016) The General Data Protection Regulation: A Partial Success for Children on Social Network Sites? In: Data protection, privacy and European regulation in the digital age, T. BRÄUTIGAM and S. MIETTINEN, Oikeustieteellinen tiedekunta (Helsingin yliopisto). Retrieved from https://ssrn.com/ abstract=2985724. 30 Article 4 (25) GDPR refers to ‘information society service’ as “a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council”. 31 V. VERDOODT, D. CLIFFORD and E. LIEVENS, (2016) Toying with children’s emotions, the new game in town? The legality of advergames in the EU. Computer Law and Security Review, Vol. 32, Iss. 4, 5. 32 M. MACENAITE and E. KOSTA (2017) Consent for processing children’s personal data in the EU: following in US footsteps? Information and Communications Technology Law, Vol. 26, Iss. 2, 146–197. 33 This question of private international law is being discussed in a group of experts of the Member States; cf. http://ec.europa.eu/ transparency/regexpert/index.cfm?do=groupDetail.groupDetail &groupID=3461 and I. MILKAITE, V. VERDOODT, E. LIEVENS and H. MARTENS (2017) Roundtable Report: The General Data Protection Regulation and children’s rights: questions and answers for legislators, DPAs, industry, education, stakeholders and civil society, July 2017. Retrieved from https://www.betterinternetforkids.eu/web/portal/ practice/awareness/detail?articleId=2018677.

is solely made for circumventing this rule. A second option implies that for services offered within Member State B the age threshold of that Member State will apply regardless of whether the provider is established in Member State A. Perhaps, other criteria might be considered as well. Currently, it remains unclear how this will be put into practice, leading to legal uncertainty for all actors that are involved. Aside from this discussion, it is important to note that many of these providers (also) have establishments in the United States, where their services are subject to the rules of the Children’s Online Privacy Protection Act (COPPA).34 COPPA requires that websites and services that are specifically targeted at children or service providers who reasonably should know that they are collecting personal data of children under 13, obtain prior parental consent. The Article 29 Working Group has already issued a number of guidelines on the implementation of the GDPR (e.g. regarding the right to data portability35, the data protection officer36, the lead supervisory authority37), yet on the provisions in relation to children guidance is lacking. Nevertheless, the first discussions have emerged in several Member States and certain national legislators and/or data protection authorities (“DPAs”) have expressed their opinion on the age of consent. In the Netherlands, for example, the national Data Protection Act already contained a 16-year limit for the processing of personal data of children based on consent.38 The recent proposal for a GDPR implementation act does not deviate from this age limit, proposing to maintain the existing age of consent at 16 years.39 Conversely, other Member States are considering adopting a lower age. Although immediately after the adoption of the GDPR the Spanish DPA stated that the age of consent was going to be maintained at 14 years40, the actual draft implementation

34

Children’s Online Privacy Protection Act (COPPA). ARTICLE 29 DATA PROTECTION WORKING GROUP (2017) Guidelines on the right to data portability. WP 242 rev.01. Retrieved from http://ec.europa.eu/justice/data-protection/index_en.htm. 36 ARTICLE 29 DATA PROTECTION WORKING GROUP (2016) Guidelines on Data Protection Officers (‘DPOs’). Retrieved from http://ec.europa.eu/ information_society/newsroom/image/document/2016-51/wp243 _en_40855.pdf. 37 ARTICLE 29 DATA PROTECTION WORKING GROUP (2016) Guidelines for identifying a controller or processor’s lead supervisory authority. Retrieved from http://ec.europa.eu/information_society/newsroom/ image/document/2016-51/wp244_en_40857.pdf. 38 Wet van 6 juli 2000, betreffende de regels voor de bescherming van persoonsgegevens [Act of 6 July 2000, concerning rules on the protection of personal data]. Retrieved from http://wetten.overheid.nl/ BWBR0011468/2017-03-10. 39 Regels ter uitvoering van Verordening (EU) 2016/679 van het Europees Parlement en de Raad van 27 april 2016 betreffende de bescherming van natuurlijke personen in verband met de verwerking van persoonsgegevens en betreffende het vrije verkeer van die gegevens en tot intrekking van Richtlijn 95/46/EG. [Rules implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95 / 46 / EC (General Data Protection Regulation)]. Retrieved from https://www.internetconsultatie.nl/uitvoeringswetavg/ details. 40 Retrieved from https://www.agpd.es/portalwebAGPD/revista _prensa/revista_prensa/2016/notas_prensa/news/2016_05_26 -iden-idphp.php. 35

Please cite this article in press as: Eva Lievens, Valerie Verdoodt, Looking for needles in a haystack: Key issues affecting children’s rights in the General Data Protection Regulation, Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.09.007

ARTICLE IN PRESS computer law & security review ■■ (2017) ■■–■■

Act sets the limit at 13 years.41 Furthermore, the Austrian Parliament recently adopted amendments to the Austrian Data Protection Act, which now provides that children may consent to data processing in relation to information society services, from the age of 14.42 In Belgium, no decision has been made yet. In its action plan for companies that want to bring their data processing practices in line with the GDPR, the Belgian DPA stresses that companies processing “minors’’ personal data should develop age verification mechanisms and mechanisms for verifiable parental consent.43 The Flemish Children’s Rights Commissioner on the other hand has published an opinion in which he recommends the Belgian government to lower the age of consent to 13 years. 44 According to the Commissioner, a high age threshold would put too much responsibility in the hands of parents. In this regard, it should be noted that in certain situations it might be impossible to obtain parental consent, for instance because parents themselves are not familiar with the digital environment, lack knowledge or skills or are simply not interested. VAN DER HOF underlines that parents are not necessarily better equipped than their children to make decisions on the processing of personal data, as they may also experience serious difficulties in understanding the complexity of modern data processing practices.45 In light of this finding, it is important to mention that the GDPR does not provide exceptions to the parental consent requirement (unless a child’s personal data is processed in the context of preventive or counselling services offered directly to the child46; or unless the processing of children’s personal data is based on another legitimate ground).

41 As is explained in the Preamble of the Act, the rationale is to ensure that the Spanish system is similar to “other States in our surroundings”. See MINISTERIO DE JUSTICIA (2017) Anteproyecto de Ley Orgánica de Protección de Datos De Carácter Personal. Retrieved from http://www.mjusticia.gob.es/cs/Satellite/Portal/ 1292428461386 [ES]. 42 NATIONALRAT (2017) Bundesgesetz, mit dem das Datenschutzgesetz 2000 geändert wird (Datenschutz-Anpassungsgesetz 2018). Retrieved from https://www.parlament.gv.at/PAKT/VHG/XXIV/I/I_02245/ fname_295040.pdf. 43 C OMMISSIE VOOR DE B ESCHERMING VAN DE P ERSOONLIJKE L EVENSSFEER [B ELGIAN P RIVACY C OMMISSION ] (2016) Algemene Verordening Gegevensbescherming – Bereid je voor in 13 stappen. [GDPR – Prepare in 13 Steps]. Retrieved from https://www.privacycommission.be/ sites/privacycommission/files/documents/STAPPENPLAN%20NL %20-%20V2.pdf. Interesting to note in this regard is that article 8 GDPR does not explicitly require the development of age verification mechanisms, but merely mechanisms that can verify parental consent. 44 CHILDREN’s RIGHTS COMMISSIONER (2016) Opinion on the Implementation of the GDPR in Belgium: participation in social media from 13 years. Retrieved from http://www.kinderrechtencommissariaat.be/ advies/toepassing-eu-verordening-privacy-belgi%C3%AB-participatieaan-sociale-media-vanaf-13-jaar. This opinion was also confirmed by the Flemish Knowledge Centre for Children’s Rights, see KNOWLEDGE CENTRE CHILDREN’s RIGHTS (2017) Digital media and children’s rights – The balance is lost in the GDPR. Retrieved from http://www.keki.be/ nl/publications/beleidsadvies. 45 S. VAN DER HOF (2017) I agree. . . or do I? – A rights-based analysis of the law on children’s consent in the digital world. Wisconsin International Law Journal 34, 409–445. 46 Recital 38 GDPR.

5

Additionally, the requirement of parental consent may result in excessive parental oversight and interference with the lives of children, which could also constitute a breach of their right to privacy.47 Recent research of Ofcom, the UK independent regulator for media and communication, has shown that children gradually become more ‘commercially literate’ as they age and become more mature.48 In general, LIVINGSTONE and OLAFSSON found that the commercial literacy of children increases between the ages of 12 and 15 years. This implies that younger children require more protection by their parents or regulators, in particular against privacy-intrusive data processing practices such as profiling (infra). As children grow older, research indicates that establishing a (too) high age threshold could encourage youngsters to circumvent protection mechanisms such as agegating systems, considering the important role of online platforms in their lives (e.g. to communicate with their friends, express their creativity and access information).49 According to LIVINGSTONE, research has demonstrated the benefits of formally including media education into the school curriculum of children and youngsters. The gap in the level of commercial literacy between 13 to 16-year-olds could be reduced by extending media education to all children, in particular from the age of 11, if not earlier, to learn them to critically reflect on and cope within the commercial digital environment, without the need for a parental consent requirement.50 Another crucial concern that is related to the age threshold and the requirement to obtain parental consent is related to the fact that companies might stop offering their services to children under the threshold. If children are excluded from information society services that matter to them, they will be denied important participation rights, such as the right to freedom of expression51 and the right to freedom of assembly52. Finally, there is a risk that adolescents, i.e. minors above the established age threshold, are forgotten. This group of youngsters are equally awarded universal children’s rights such as the right to privacy and freedom of expression. Considering the immense popularity of social networking services and

47 S. VAN DER HOF (2017) I agree. . . or do I? – A rights-based analysis of the law on children’s consent in the digital world. Wisconsin International Law Journal 34, 409–445. 48 S. LIVINGSTONE and K. OLAFSSON (2017) Children’s commercial media literacy: new evidence relevant to UK policy decisions regarding the GDPR. LSE Media Policy Project Blog. Retrieved from http://blogs.lse.ac.uk/mediapolicyproject/2017/01/26/childrens -commercial-media-literacy-new-evidence-relevant-to-uk-policy -decisions-regarding-the-gdpr/. 49 K. MCCULLAGH (2016) The General Data Protection Regulation: A Partial Success for Children on Social Network Sites? In: Data protection, privacy and European regulation in the digital age, T. BRÄUTIGAM and S. MIETTINEN, Oikeustieteellinen tiedekunta (Helsingin yliopisto). Retrieved from https://ssrn.com/abstract=2985724. 50 S. LIVINGSTONE and K. OLAFSSON (2017) Children’s commercial media literacy: new evidence relevant to UK policy decisions regarding the GDPR. LSE Media Policy Project Blog. Retrieved from http://blogs.lse.ac.uk/mediapolicyproject/2017/01/26/childrens -commercial-media-literacy-new-evidence-relevant-to-uk-policy -decisions-regarding-the-gdpr/. 51 Article 12 UNCRC. 52 Article 17 UNCRC.

Please cite this article in press as: Eva Lievens, Valerie Verdoodt, Looking for needles in a haystack: Key issues affecting children’s rights in the General Data Protection Regulation, Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.09.007

ARTICLE IN PRESS 6

computer law & security review ■■ (2017) ■■–■■

mobile applications amongst this age group, as well as the sometimes-associated privacy-intrusive practices, it has been argued by MONTGOMERY and CHESTER that guidelines and a policy on an appropriate level of protection for adolescents should also be developed.53 Moreover, online service providers should, aside from the specific requirements of article 8, still take into account other provisions in the GDPR that are relevant for all ‘children’ (hence all under-18s), such as the necessity for transparent and ‘child-friendly’ information about data collection and processing (infra). In any case, it is essential that legislators carefully balance any decision in this context and adopt an age threshold that recognises the reality of children’s daily digital lives.

2.3.

Verification

If a data controller relies on consent as a legitimate ground for processing personal data of children under the age threshold in the context of the services mentioned above, the controller: “shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology” (article 8, para. 2 GDPR).54 Even though the GDPR explicitly introduces the concept of verification, article 8 does not include criteria to assess what constitutes ‘verifiable consent’ or a ‘reasonable effort’. The Belgian DPA stresses that this does not imply a ‘commitment of result’ for the data controller.55 Furthermore, it is not entirely clear what is meant with consent that “is authorised” instead of given. Additionally, questions arise as to whether the data controller needs to obtain ‘fresh’ consent for existing data processing practices concerning children’s personal data, (1) if the prior obtained consent does not fulfil the GDPR-standard56 or (2) when the child reaches the age of consent.57 53 K.C. MONTGOMERY and J. CHESTER (2015) Data Protection for Youth in the Digital Age – Developing a Rights-based Global Framework. European Data Protection Law Review, Vol. 1, Iss. 4, 291. 54 Emphasis added by the authors. 55 COMMISSIE VOOR DE BESCHERMING VAN DE PERSOONLIJKE LEVENSSFEER [BELGIAN PRIVACY COMMISSION] (2017) De versterkte toestemming [Enhanced consent]. Retrieved from https://www.privacycommission.be/de/node/ 19411 (Dutch). 56 Recital 171 GDPR provides in this regard that to allow the controller to continue such processing after the date of application of this Regulation, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation. Emphasis added by authors. 57 In this regard, the Article 29 Working Party provided that “if the processing of a child’s data began with the consent of their legal representative, the child concerned may, on attaining majority, revoke the consent. But if he wishes the processing to continue, it seems that the data subject need give explicit consent wherever this is required.” ARTICLE 29 DATA PROTECTION WORKING GROUP (2009) Opinion 2/2009 on the protection of children’s personal data (General Guidelines and the special case of schools), 5. Retrieved from http://ec.europa.eu/justice/policies/ privacy/docs/wpdocs/2009/wp160_en.pdf.

For the sake of legal certainty for data controllers it is, therefore, crucial that DPAs or EU-level bodies develop clear and practical guidelines for the implementation of verifiable consent and methods of verification. In this regard, article 40, para 2 (g) GDPR also refers to the possibility of drafting codes of conduct on this topic. Inspiration can be found in the United States. The COPPA Rule provides that parental consent can be obtained by any means, if the method can reasonably ensure that the person providing consent is the parent of the child. Additionally, the COPPA Rule contains several non-exhaustive options from which companies can select.58 The list mentions inter alia the ‘print-and-send’ method, by which parents can sign a consent form and send it back to the controller; the use of a credit card or other online paying system; mechanisms where parents can call a free telephone number or set up a video-conference with specially trained personnel. Selecting an appropriate method should be done on a case-by-case basis. For instance, different methods are recommended when companies share children’s personal data with third parties or if children publish the data themselves (e.g. on social media, online fora)59, than when the data is only used for internal purposes60. In addition to the listed methods, companies that develop new verification mechanisms can apply to the Federal Trade Commission to have them pre-approved.61

2.4.

Transparent information

Considering the focus on specific and informed consent in the GDPR, the data controller’s information obligation forms a crucial part of the specific protection that children merit. Article 12 GDPR determines that users should be provided with information concerning the processing of their personal data “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”. Recital 58 clarifies that, when provided to children, the information should be formulated in “such a clear and plain language that the child can easily understand”. The manner in which this should be done in practice can be determined by means of a code of conduct (article 40 para 2 (g) GDPR). Research insights into effective provision of information

58 FTC (2015) A guide for business and parents and small entity compliance guide. Retrieved from https://www.ftc.gov/tips-advice/ business-center/guidance/complying-coppa-frequently-asked -questions#Verifiable%20Parental. 59 FTC (2015) A guide for business and parents and small entity compliance guide. Retrieved from https://www.ftc.gov/tips-advice/ business-center/guidance/complying-coppa-frequently-asked -questions#Verifiable%20Parental. 60 Including the methods mentioned above, but also the socalled ‘e-mail plus method’, where first the email address of the parent is asked and after a certain period a confirmation email is send. 61 In 2015, a new method was approved by the FTC, which makes use of photographs and facial recognition technology (“Face Match to Verified Photo Identification”, or FMVPI). FTC (2015) FTC Grants approval for New COPPA Verifiable Parental Consent Method. Retrieved from https://www.ftc.gov/news-events/press-releases/2015/ 11/ftc-grants-approval-new-coppa-verifiable-parental-consent -method.

Please cite this article in press as: Eva Lievens, Valerie Verdoodt, Looking for needles in a haystack: Key issues affecting children’s rights in the General Data Protection Regulation, Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.09.007

ARTICLE IN PRESS computer law & security review ■■ (2017) ■■–■■

to users or consumers can be useful in this regard. HELBERGER, for instance, warns that providing information to users does not automatically lead to informed users. The process of providing information to users will only empower them if this happens in an efficient and effective way. 62 This is even more so when children are concerned. It requires a special effort to make information attractive and understandable to children of different ages, for example by visualisation or producing short video clips. In this context, co-creation methods where designers, lawyers and children work together to simplify information could be useful.63

2.5.

Direct marketing

Recital 38 emphasises that the processing of personal data of children for marketing purposes merits specific protection. Article 21 states that data subjects have the right to object at any time to processing of their personal data for direct marketing. Yet, according to recital 47 GDPR, direct marketing may constitute a legitimate interest of the controller under the GDPR, and hence offers a legitimation ground other than the consent of the data subject.64 When this ground is relied upon, the controller must balance its own legitimate interest with the interests or the fundamental rights and freedoms of the data subject, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.65 When the data subjects are children, article 6, 1) (f) GDPR indicates that the interests of children may override

62 N. H ELBERGER (2013) Forms Matter: Informing consumers effectively – (Study commissioned by BEUC), 5–8. Retrieved from http://www.beuc.eu/publications/x2013_089_upa_form_matters _september_2013.pdf. 63 E. WAUTERS, V. DONOSO NAVARRETE and E. LIEVENS (2014) Optimizing transparency for users in social networking sites. Info – The journal of policy, regulation and strategy for telecommunications, information and media 2014, Vol. 16, No. 6, 8–23. 64 Recital 47 GDPR: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. Yet, according to the Belgian Privacy Commission obtaining consent of the data subject is a best practice, in the light of informational self-determination. Achieving a balance between the legitimate interest of the controller and interests or fundamental rights and freedoms of the data subject is very difficult in practice; when the balance is lost, the processing will need to be discontinued. COMMISSIE VOOR DE BESCHERMING VAN DE PERSOONLIJKE LEVENSSFEER [BELGIAN PRIVACY COMMISSION] (2013) Aanbeveling nr 02/2013 van 30 januari 2013 betreffende direct marketing en bescherming van persoonsgegevens [Recommendation no. 02/2013 of 30 January 2013 regarding direct marking and the protection of personal data], 12. Retrieved from https:// www.privacycommission.be/sites/privacycommission/files/ documents/aanbeveling_02_2013.pdf. 65 Recital 47 GDPR. This balancing exercise must be undertaken continuously, and as soon as the interests of the controller do no longer outweigh the interests of the data subject the processing must be stopped: COMMISSIE VOOR DE BESCHERMING VAN DE PERSOONLIJKE LEVENSSFEER [BELGIAN PRIVACY COMMISSION] (2013) Aanbeveling nr 02/2013 van 30 januari 2013 betreffende direct marketing en bescherming van persoonsgegevens [Recommendation no. 02/2013 of 30 January 2013 regarding direct marking and the protection of personal data], 13– 15. Retrieved from https://www.privacycommission.be/sites/ privacycommission/files/documents/aanbeveling_02_2013.pdf.

7

the interests of the data controller more easily.66 Hence, when this legitimation ground is used in relation to children’s personal data, it must be assumed that a heavier responsibility is imposed on the data controller. Yet, how data controllers must undertake this balancing exercise in practice remains a source of legal uncertainty.

2.6.

Is profiling of children prohibited?

Children’s activities in the digital environment reveal a significant amount of information on their lives, personal interests and preferences. Given today’s advanced technologies and huge storage capacities this information can be continuously collected, processed and stored in detailed profiles, for instance by deploying cookies and other tracking tools.67 Such profiles can be applied to categorise individuals and predict their preferences or future behaviour based on statistical methods.68 In this way, profiles are very valuable to online service providers as well as to third parties (e.g. advertising networks) who will be able to offer targeted advertising to children or take other decisions in related to those children with specific profiles.69 This is a complex and largely opaque or ‘invisible’70 process which is very difficult to understand for children (or adults for that matter). Much attention is devoted to profiling in the GDPR.71 The notion is defined in article 4 (4) as: “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, 66 Article 6, 1) (f) GDPR states that as a final legitimation ground that “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”. Emphasis added by the authors. 67 F. ZUIDERVEEN BORGESIUS (2015) Improving privacy protection in the area of behavioural targeting. PhD Dissertation University of Amsterdam IViR; E. KOSTA (2013) Peeking into the cookie jar: the European approach towards the regulation of cookies. International Journal of Law and Information Technology, Vol. 21 No. 4, 380–406. Recital 30 GDPR also mentions the use of internet protocol addresses or other identifiers such as radio frequency identification tags, “leaving traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons”. 68 COUNCIL OF EUROPE, COMMITTEE OF MINISTERS (2010) Recommendation on the protection of individuals with regard to automatic processing of personal data in the context of profiling. Retrieved from https://rm.coe.int/16807096c3. 69 Y. POULLET (2011) E-Youth before its judges – Legal protection of minors in cyberspace. Computer Law and Security Review, Vol. 27, Iss. 1, 11. An example of a decision or measure vis-à-vis a child in the commercial sphere is adapting the price of a specific product or service, based on the consumer profile of the child. 70 See the work of Esther KEYMOLEN, who has coined the notion ‘invisible visibility’ in relation to online interactions: E. KEYMOLEN (2006) Onzichtbare Zichtbaarheid. Helmuth Plessner ontmoet profiling. Rotterdam, not published (Dutch) and E. KEYMOLEN (2016) Trust on the line. A philosophical exploration of trust in the networked era. Wolf Legal Publisher. 71 The word ‘profiling’ appears 21 times in the GDPR.

Please cite this article in press as: Eva Lievens, Valerie Verdoodt, Looking for needles in a haystack: Key issues affecting children’s rights in the General Data Protection Regulation, Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.09.007

ARTICLE IN PRESS 8

computer law & security review ■■ (2017) ■■–■■

economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.72 A similar definition was adopted in a Recommendation of the Committee of Ministers of the Council of Europe on the protection of individuals with regard to automatic processing of personal data in the context of profiling.73 According to that recommendation profiling consists of three phases: (1) the collection of data on individual behaviour or characteristics on a large scale, (2) analysis of these data to correlate certain behaviour(al characteristics), and (3) the application of the correlation to an identified or identifiable person in order to deduct previous, current or future characteristics.74 This profiling process thus – in turn – creates new personal data. Recital 75 GDPR finds that processing of personal data “in order to create or use personal profiles” may give rise to risks to the rights and freedoms of natural persons.75 The preamble of the GDPR provides a twofold protection for children in relation to profiling. First, circumstances in which personal data of children are processed in order to create personal or user profiles are explicitly acknowledged as requiring extra protection.76 However, no clarification is provided as to how this protection should be envisaged. In any case, it is necessary that the data subject is informed about the fact that profiling is being deployed and the potential consequences thereof.77 Again, although this may be challenging, informing children will need to happen in a clear and understandable manner.78 Second, according to recital 71, a decision that may include a measure evaluating personal aspects relating to a data subject that is based solely on automated processing should not concern children.79 However, this is only prohibited as far as a decision produces legal effects for or similarly significantly affects the child.80 Contrary to earlier interpretations of this recital,81 in our view, the GDPR does not prohibit the sole creation of personal or user profiles of children. This point of view is also underpinned by the debates in the process of the

data protection reform, during which various Member States observed that profiling is a type or form of automated processing that does not necessarily result in the taking of decisions or measures that produce legal effects or similarly affect data subjects.82 In contrast to the preamble, the general ‘profiling article’ – article 22 GDPR – does not mention anything in relation to the specific protection that children deserve.83 It remains unclear how an assessment will be made whether a decision will have a legal or a ‘similarly significant’ effect in relation to a child. General (non child-specific) examples that are given in recital 71 are “an automatic refusal of an online credit application or e-recruiting practices without any human intervention”. From a children’s rights perspective a number of crucial questions arise in relation to the rules on the profiling of children. Notwithstanding the fact that recital 38 GDPR indicates that specific protection should apply to “the use of personal data of children for the purposes of marketing or creating personality or user profiles”, companies can still legitimately build profiles of children as long as they comply with the general data protection principles embedded in the Regulation and if no solely automated decisions are made that have legal or other significant effects for children. This could be perceived as violating children’s right to privacy, as well as their right to development.84 The right to development, also in a digital and commercialised environment, requires that children’s basic needs be fulfilled, so that they can grow up to be independent and autonomous human beings. According to ARIELY and BERNS, the creation of profiles does have a potentially negative impact on the development of children.85 The collection and use of personal data for profiling may undermine children’s right to experiment with and critically reflect upon their interactions, because they might think that the digital environment in which they communicate and explore is free from supervision and tracking. From this perspective, the lack of control by children over the management of their personal data may harm their capacities to develop, get to know and experiment with their own identity.86 Also in this context, the age

72

Emphasis added by the authors. COUNCIL OF EUROPE (2010) Recommendation CM/Rec(2010)13 on the protection of individuals with regard to automatic processing of personal data in the context of profiling. Retrieved from https:// rm.coe.int/16807096c3. 74 Ibid. 75 Recital 75 GDPR underlines that the processing of personal data may result in a risk to the rights and freedoms of natural persons, in particular “[. . .] where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles” (emphasis added by the authors). 76 Recital 38 GDPR. 77 Recital 60 GDPR. 78 Article 12 GDPR. 79 Recital 71, first paragraph, final sentence GDPR. 80 Recital 71, first paragraph, final sentence GDPR. 81 See for instance: S. VAN DER HOF (2014) No Child’s Play: Online Data Protection for Children, in S. VAN DER HOF et al. (eds.), Minding Minors Wandering the Web: Regulating Online Child Safety. Information Technology and Law Series. The Hague: Asser Press, 137; M. MACENAITE (2017) From universal towards child-specific protection of the right to privacy online: Dilemmas in the EU General Data Protection Regulation. New Media and Society, Vol. 19, Iss. 5, 7. 73

82 COUNCIL OF THE EUROPEAN UNION (2014) Presidency note concerning profiling. Interinstitutional File: 2012/01(COD), 5. Retrieved from http://register.consilium.europa.eu/doc/srv?l=EN&f=ST%2010617 %202014%20INIT. 83 Earlier case-law of the Court of Justice of the European Union (CJEU) has shown that recitals from the preamble must be used to interpret provisions in the legislation, and that courts may rely upon them to exercise their supervisory tasks. A recital, however, cannot be used as a ground to deviate from a provision of a directive or regulation. See Case C-244/95, P. Moskof AE v. Ethnikos Organismos Kapnou, 1997 E.C.R. I-06441; L. HUMPHREYS et al. (2015) Mapping Recitals to Normative Provisions in EU Legislation to Assist Legal Interpretation. Retrieved from http://icr.uni.lu/leonvandertorre/ papers/jurix2015.pdf. 84 Articles 16 and 6 United Nations Convention on the Rights of the Child. 85 D. ARIELY and G.S. BERNS (2010) Neuromarketing: the hope and hype of neuroimaging in business. Nature Reviews Neuroscience, 11(4), 284–292, also cited by J. SAVIRIMUTHU (2014) Unfair commercial practices, the consumer child and new technologies: what should we regulate?, in: Eurochild, Protecting and Valuing Children as Consumers: European Perspectives. 86 Ibid.

Please cite this article in press as: Eva Lievens, Valerie Verdoodt, Looking for needles in a haystack: Key issues affecting children’s rights in the General Data Protection Regulation, Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.09.007

ARTICLE IN PRESS computer law & security review ■■ (2017) ■■–■■

and level of maturity of the child will play an important role. Based on these findings, it is advisable that policymakers (and DPAs) develop guidelines to create more transparency and awareness regarding profiling activities, towards children as well as parents. Moreover, default limitations on the collection of personal data of children for the development and application of user profiles could be considered. Companies should take up their responsibility in this regard,87 and should carry out an in-depth data protection impact assessment, with attention for the best interests and rights of children.88 In 2013, the Article 29 Working Party already demonstrated a preference for a holistic approach of profiling, with specific legal requirements for the collection and use of personal data for profiling purposes, with more responsibility and accountability for data controllers.89 According to its working plan, the Working Party will issue further guidance on profiling in the course of 2017.90 Finally, specific rules exist in relation to profiling for direct marketing purposes. As mentioned above, data subjects, including children, have the right to object at any time to profiling to the extent that it is related to direct marketing (see also supra).91 The data controller needs clearly and explicitly to inform the data subject of this right.92

2.7.

Right to erasure (‘right to be forgotten’)

In addition to the protection measures described above, the GDPR confirms data subjects’ right to erasure of personal data. Recital 74 GDPR clarifies that this right is particularly relevant for children that have given their consent not being fully aware of the risks involved by the processing, and who later want to remove personal data, especially when being made public on the internet. According to article 17 GDPR, this right entails that data subjects may require the erasure of personal data when no longer necessary for the purposes for which they have been collected; when consent is withdrawn or they object to the processing; when the processing is unlawful; when the personal data have to be erased for compliance with a legal obligation; or when the personal data have been collected in relation to the direct offer of information society services to a child.93 Yet, the right to erasure is not absolute. When

87 K.C. MONTGOMERY and J. CHESTER (2015) Data Protection for Youth in the Digital Age – Developing a Rights-based Global Framework. European Data Protection Law Review, Vol. 1, Iss. 4, 291. 88 Article 35 and recital 91 GDPR. See also infra. The ‘best interests of the child’ is a general children’s rights principle embedded in article 3 UNCRC. 89 ARTICLE 29 WORKING PARTY (2013) Advice paper on essential elements of a definition and a provision on profiling within the EU General Data Protection Regulation. Retrieved from http:// ec.europa.eu/justice/data-protection/article-29/documentation/ other-document/files/2013/20130513_advice-paper-on-profiling _en.pdf. 90 INFORMATION COMMISSIONER’s OFFICE (2017) Guidance: what to expect and when. Retrieved from https://ico.org.uk/for-organisations/dataprotection-reform/guidance-what-to-expect-and-when/. 91 Recital 70 and Article 21, (2) GDPR. 92 Recital 70 GDPR. 93 Article 17 GDPR.

9

considering whether a request should be granted, other interests, such as the right to freedom of expression and information, and the public interest, must be taken into account.94 From a children’s rights perspective, it can be argued that the right to erasure is beneficial to children. As mentioned above, children have the right to explore and experiment with their identity. The persistence, visibility, spreadability and searchability of online information can hinder this exploration.95 Children and young people are often not yet capable of foreseeing the consequences for their privacy in the long term when sharing information about themselves or others on social networking sites for instance.96 Consequently, having a possibility to erase certain information, as they grow older in order not to be linked to information with which they do not longer identify might be in their best interests. As BLUME warns, however, exercising this right will not always be straightforward in practice, nor possible in certain circumstances.97 When children grow up to be public figures, such as politicians, for instance, their online past might possibly be of interest to the public. Practical obstacles may also occur, as dealing with potentially very numerous requests may require investments and substantial resources by data controllers. In any case, the exercise of the right to erasure as well as the storing of data must be approached from a dynamic and fundamental rights perspective.

2.8.

Other provisions with a potential impact on children

Furthermore, the GDPR contains a number of provisions and recitals that could prove to be of particular importance from a children’s rights perspective. The first two provisions can be framed within the responsibilities of data controllers. First, article 25 GDPR explicitly refers to the principles of data protection by design and data protection by default. It states that data controllers should implement appropriate technical and organisational measures to integrate necessary safeguards and protect the rights of data subjects and to ensure that, by default, only personal data that are necessary for each specific purpose of the processing are processed. Assessing which measures result in an appropriate level of protection should happen on a case-by-case basis, taking into account “the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing”.98 This provision offers the data controller the 94

Article 17, para 3 GDPR. d. BOYD (2014) It’s complicated: the social lives of networked teens, Yale University Press; INFORMATION COMMISSIONER’s OFFICE (2016) The right to erasure (the right to be forgotten). Retrieved from https:// ico.org.uk/for-organisations/data-protection-reform/overview-of -the-gdpr/individuals-rights/the-right-to-erasure/. 96 ORGANISATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT (2011) The protection of children online: risks faced by children online and policies to protect them. OECD Digital Economy Papers. OECD, Paris. Retrieved from http://www.oecd-ilibrary.org/science-and-technology/ the-protection-of-children-online_5kgcjf71pl28-en. 97 P. BLUME (2015) The data subject. European Data Protection Law Review, Vol. 1, Iss. 4, 258–264. 98 Recital 83 GDPR. 95

Please cite this article in press as: Eva Lievens, Valerie Verdoodt, Looking for needles in a haystack: Key issues affecting children’s rights in the General Data Protection Regulation, Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.09.007

ARTICLE IN PRESS 10

computer law & security review ■■ (2017) ■■–■■

possibility to build a specific level of protection for children into the technology or the offer of services, or to use different default settings for children. In addition, the GDPR also includes an obligation for data controllers to assess the impact of processing operations that are likely to result in a high risk to the rights and freedoms of data subjects, prior to the processing (i.e. a ‘data protection impact assessment’; DPIA).99 Recital 91 states for instance that a DPIA must be carried out when personal data are processed for taking decisions regarding specific natural persons based on profiling. The processing of personal of data of children is not explicitly mentioned as a processing activity that carries a high risk,100 but in the light of recital 38, it could be considered a good practice to carry out a DPIA in such cases. When undertaking a DPIA a data controller should adopt a children’s rights perspective that takes into account the full range of children’s rights at stake as well as the best interests of the child.101 Finally, article 57 GDPR entrusts the supervisory authorities with the task of promoting public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Specific attention should be paid to activities addressed specifically to children.

3. Towards a children’s rights inspired interpretation of the GDPR The explicit acknowledgement in the GDPR that children merit specific protection with regard to their personal data can only be applauded. Yet, there are few (clear) provisions that really zoom in on the best interests of children and the specific measures that should be taken by data controllers to guarantee a ‘fair’ level of protection. This results, contrary to recital 7 GDPR which acknowledges the importance of legal and practical certainty, in uncertainty, not only for data controllers, but also for children and parents. Hence, clarifications, advice and guidelines by data protection authorities and the Article 29 Working Party or the European Data Protection Board are needed in the short term. Given the fact that it may take quite some time to integrate new procedures, for instance to obtain verifiable parental consent, into existing services, it is crucial that this happens sooner rather than later. In light of the steady development of children, it is important that they can exercise their right to data protection in a manner that is adapted to their level of maturity. From a certain age onwards, they are more and more capable to understand the (commercial) impact of the processing of their personal 99

Article 35 GDPR. Note that in recital 75 in relation to the responsibility of the controller processing of “personal data of vulnerable natural persons, in particular of children” is considered a potential “risk to the rights and freedoms of natural persons”. 101 UNICEF has developed a children’s rights impact assessment tool for companies; for more information; cf. https://www.unicef .org/csr/css/Children_s_Rights_in_Impact_Assessments_Web _161213.pdf. 100

data.102 Hence, it is more crucial than ever to include (digital) media literacy and commercial literacy in school curricula, from a very young age onwards. In addition, service providers, such as social networking sites or providers of mobile apps, also need to acknowledge that they need to adapt their data protection policies when a substantial number of their users are children. Such a policy must be multi-dimensional, ranging from offering privacy policies that make sense to children to adopting fair and child-friendly marketing practices. M ONTGOMERY and C HESTER emphasise that companies should differentiate between young children and adolescents in their data processing activities.103 Large service providers, such as Facebook and Google, who have extensive technical capacities and expertise to create detailed user profiles, should be encouraged to also use this expertise to deploy specific protection measures vis-à-vis children. In any case, it is essential that children (being anyone under 18) are offered an appropriate level of protection and skills to benefit optimally from the opportunities that are offered by the digital environment and to exercise their rights fully. At the same time, it is essential that their right to protection does not undermine their rights to participation (such as their right to freedom of expression or their right to freedom of association).104 This entails that when decisions are taken regarding the different aspects of processing personal data of children a multi-dimensional children’s rights perspective must be adopted, with attention for the full range of rights that are explicitly attributed to children by the UNCRC. Finally, an effective enforcement of these rights must be facilitated, for instance by means of child-friendly complaint mechanisms offered by providers or data protection authorities, and as a last resort, by means of judicial procedures.

Acknowledgment This article builds on research carried out in the framework of two research projects: (1) A children’s rights perspective on privacy and data protection in the digital age: a critical and forward-looking analysis of the General Data Protection Regulation and its implementation with respect to children and youth, Special Research Fund of Ghent University (STA046-17) and (2) AdLit: Advertising Literacy in a New Media Environment Investigating Minors’ Persuasion Knowledge in Relation to New Advertising Formats, Research Fund Flanders (IWT SBO 13008). 102 S. LIVINGSTONE (2017) Children’s commercial media literacy: new evidence relevant to UK policy decisions regarding the GDPR. Retrieved from http://blogs.lse.ac.uk/mediapolicyproject/2017/01/26/ childrens-commercial-media-literacy-new-evidence-relevant-to -uk-policy-decisions-regarding-the-gdpr/. 103 K.C. MONTGOMERY and J. CHESTER (2015) Data Protection for Youth in the Digital Age – Developing a Rights-based Global Framework. European Data Protection Law Review, Vol. 1, Iss. 4, 290. 104 Cf. also the 2011 EU Agenda for the Rights of the Child which emphasised that “[t]he Commission aims at achieving a high level of protection of children in the digital space, including of their personal data, while fully upholding their right to access internet for the benefit of their social and cultural development”: EUROPEAN COMMISSION (2011) Communication: An EU Agenda for the Rights of the Child, 15 February 2011, COM(2011) 60 final.

Please cite this article in press as: Eva Lievens, Valerie Verdoodt, Looking for needles in a haystack: Key issues affecting children’s rights in the General Data Protection Regulation, Computer Law & Security Review: The International Journal of Technology Law and Practice (2017), doi: 10.1016/j.clsr.2017.09.007