New politics and the digital age of consent

An Interesting Game

An Interesting Game (1881)
Frederick Arthur Bridgman (1847-1928)
via Brooklyn Museum
New politics certainly make for interesting times. Minority governments are no strangers to defeats, even to two defeats in one day, but yesterday marked another milestone, when the government lost not merely two votes, but votes on two successive legislative amendments. They both related to the protection of children in the Data Protection Bill, 2018. The first will make it an offence to process the personal data of a child for the purposes of direct marketing, profiling or micro-targeting; the second will set the digital age of consent at 16. In fact, seeing the writing on the wall, rather than suffer the indignity – surely unique, even in this era of new politics – of four defeats in one evening, the Minister accepted a third amendment and declined to press a fourth of his own. The third amendment that he accepted will permit not-for-profit bodies to seek damages on behalf of data subjects; and the amendment that he withdrew would have undercut the effect of the third successful amendment. (The three successful amendments are amendments 14, 15 and 115 here (pdf), amending this version (pdf) of the Bill, and debated here). Earlier versions of all three successful amendments had been defeated by the government at every previous stage of the Bill. Time will tell if any of them proves significant, but the one that has generated the most coverage so far is the amendment to the digital age of consent.

The aim of the Bill is to incorporate the General Data Protection Regulation (Regulation (EU) 2016/679) into Irish law. Article 6(1) GDPR sets out six bases for lawful processing of personal data, the first of which, specified in Article 6(1)(a), is that “the data subject has given consent to the processing of his or her personal data for one or more specific purposes” [on consent, see ICO | WP29]. A child can, in principle, provide such consent; but a minimum age at which children as data subjects can consent to having their personal data processed is not specified in the GDPR. Article 7 GDPR provides that the controller must be able to demonstrate this consent, and the younger the child is, the more difficult it will be for the controller to do so. To these flexible general rules relating to the consent of children, Article 8 GDPR provides a bright-line exception. It provides:

1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
3. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

For the purposes of sub-section (1), a provider of “information society services” [an ISS provider] is “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. Hence, Article 8 GDPR articulates a minimum age at which children may consent to the processing of their data by ISS providers. This is the digital age of consent. It is intended to augment the protections for children online. The EU Commission’s initial proposal (pdf) simply provided for a common digital age of consent of 13, but political consensus could not be reached. So, the first sentence of Article 6(1) GDPR sets the standard digital age of consent at 16, and the second sentence allows Member States to provide for a lower age, provided that it is no lower than 13. Reflecting ongoing political dissensus, the 28 Member States of the EU have not legislated with one voice on this issue.

In Ireland, when the Government published the draft General Scheme of a Data Protection Bill 2017 in May 2017, Head 16 provided that “[ ] years shall be the age” for the purposes of Article 8 GDPR; and the explanatory notes clarified that a “separate Government decision [would] … be sought on ‘the digital age of consent’ for the purposes of this Head”. The Government duly opened a consultation on the issue (here | here); there were many responses; and the overwhelming majority of them supported a digital age of consent of 13. The Government decided to set the digital age of consent at 13. The Joint Oireachtas Committee on Justice and Equality undertook pre-legislative scrutiny of the Scheme, and, in their Report, they recommended that the digital age of consent be set at 13. Not long after, the Taoiseach reaffirmed the Government’s commitment that the digital age of consent would be set at 13. Hence, when the Data Protection Bill, 2018 (pdf) as initiated was published on 30 January 2018, section 29(1) provided that the “age of a child specified for the purposes of Article 8 is 13 years of age”.

The Bill was taken first in the Seanad, where amendments to change the age to 16 were not accepted by the Minister for Justice. Instead, he proposed that the issue would be reviewed 3 years after the coming into operation of the Act, and this amendment was agreed to. The Bill passed all stages in the Seanad by the end of March; due to amendments elsewhere, the section concerning the digital age of consent was renumbered section 30 in the version of the Bill (pdf) as passed by the Seanad; the text of sub-section (1) was unchanged; and a new sub-section (3) was added:

The Minister shall—
(a) not later than 3 years after the coming into operation of this section, commence a review of the operation of subsection (1), and
(b) complete that review not later than one year after its commencement.

Meanwhile, the Joint Committee on Children and Youth Affairs was considering the question of cybersecurity for children and young persons, and, in their Report (pdf), they recommended that the Joint Committee on Justice and Equality should look again at the matter in the context of its Committee Stage consideration of the Data Protection Bill 2018. At that stage in the Dáil, opposition parties put down amendments to set the digital age of consent at 16 (consolidated as Amendment 27 here (pdf)). However, the Minister was not for turning; children’s rights representatives and organisations re-iterated their support for 13; the amendment was defeated; and the outcome was warmly welcomed by children’s rights groups.

At Report Stage, the same forces arrayed themselves again. Once again, opposition parties put down amendments to set the digital age of consent at 16 (see Amendment 14 here (pdf)). Once again, the Minister was not for turning. And, once again, children’s rights representatives and organisations re-iterated their support for 13. But, this time, the amendment was successful; the digital age of consent was set at 16; and this outcome was met with dismay by children’s rights groups. The Bill has now passed all stages in the Dáil, and there were no other amendments to section 30. This means that subsection (3) remains, and there will be a review of the issue in 3 years time.

Ireland joins nine other countries [Croatia, Germany, Hungary, Lithuania, Luxembourg, Malta, Romania, Slovakia and the Netherlands] setting the digital age of consent at 16; four [The Czech Republic, France, Greece, and Slovenia] have chosen 15; four [Austria, Bulgaria, Cyprus, and Italy] have opted for 14; and ten [Belgium, Denmark, Estonia, Finland, Latvia, Poland, Portugal, Spain, Sweden, and the UK] have gone for 13.

One consequence of this differential incorporation of Article 8 GDPR is that the fragmentation of ages in national legislation in the EU’s members states may, in practice, lead to convergence at 16. For example, WhatsApp (but not Facebook) will raise the minimum age of its users from 13 to 16 in Europe to comply with the GDPR. Periscope (but not Twitter) is doing the same thing. Less drastically, Snapchat will stop retaining location data on under-16s in Europe. Other ISS providers could also draw lines at 16. If they do so in sufficient numbers, then 16 could become the de facto norm, even in Member States that have adopted lower ages.

Another consequence of the differential incorporation of Article 8 GDPR may spell bad news for Ireland. Ireland has chosen to set the digital age of consent at 16. It means that processing of data of children under 16 in Ireland, in the words of Article 8 GDPR, “shall not be lawful” without parental consent. However, whilst Ireland is one of ten countries which has chosen to set that age at 16, in eighteen other countries, the digital age of consent is less than 16. For example, in Sweden, it is 13. In the case of a Swedish teenager aged between 13 and 16 who is a member of an ISS provider, that provider will be able to process that teenager’s data in Sweden on the basis of that teenager’s consent. However, if the ISS provider has its European data headquarters in Ireland, it will not be able to process the Swedish teenager’s data in Ireland without parental consent. This means, in practice, that ISS providers processing EU data in Ireland will have two choices. They can raise the minimum age for their users throughout Europe to 16 (and, perhaps, seek parental consent for processing of data relating to children younger than that age), so that processing in Dublin complies with Irish law on the digital age of consent. Or they can cease processing in Ireland, and process instead in a jurisdiction like Sweden where the digital age of consent is 13.

The latter option is not fanciful. Facebook process the data of its US and Canadian customers in the US, and until recently they processed the data of the rest of its customers worldwide in Dublin. However, they have decided to move all non-EU processing to the US. They have a large, and expanding, data centre in Luleå, Sweden, and it would not be unthinkable for them to move all EU processing there. Even if Facebook do not, other ISS providers may consolidate their EU processing in countries like Sweden where the digital age of consent is 13.

On the question of the digital age of consent, new politics have given us an interesting outcome, with unpredictable results for teenagers online and for the government’s engagement with US technology companies. It will be interesting, to say the least, to see how this all plays out over the next three years. And the review of the digital age of consent that occurs in three years time will, indeed, be (you’ve guessed it) interesting.

On world IP day, a note of caution: the EU Copyright Directive is failing

Element of WIPday imageToday is World Intellectual Property Day. On a day to celebrate the role that intellectual property rights play in encouraging innovation and creativity, we should take care that IP law does not achieve the opposite result. I blogged yesterday about the press publishers’ right in Article 11 of the proposal for a Directive on Copyright in the Digital Single Market. Today, I’m staying with the proposed Directive, and with another open letter (pdf, via here) that I’ve signed articulating some of its shortcomings. In this letter, academics from 25 leading Intellectual Property research centres in Europe express grave concerns at the legislative direction of the proposed copyright Directive, and in particular with Articles 3, 11 and 13:

  • the proposed exception for text-and-data-mining in Article 3 will not achieve its goal to stimulate innovation and research if restricted to certain organisations,
  • the proposals for a new publishers’ right under Article 11 will favour incumbent press publishing interests rather than innovative quality journalism [I blogged about this yesterday], and
  • the proposals for Article 13 threaten the user participation benefits of the e-Commerce Directive (2000/31/EC) which shared the responsibility for enforcement between rightholders and service providers [I blogged about this at an earlier stage in the process].

Poetry Day Ireland logoToday is also Poetry Day Ireland; but poetry the proposed Directive certainly is not. But you govern in prose; and the prose of the proposed Directive could be improved by revisting Article 3, 11 and 13.

169 European academics warn against the press publishers’ right proposed by the EU Commission

Copyright?DSMIn a statement published this morning, 169 academics working in a variety of fields from all over Europe give a final warning against the EU Commission’s ill-conceived plans for the introduction of a new intellectual property right in news.

Here are some extracts from the statement:

Statement from EU Academics on Proposed Press Publishers’ Right

We, the undersigned 169 scholars working in the fields of intellectual property, internet law, human rights law and journalism studies at universities all over Europe write to oppose the proposed press publishers’ right.

Article 11 of the proposal for a Directive on Copyright in the Digital Single Market, as it currently stands following negotiations in the EU Council and Parliament, is a bad piece of legislation. … The proposal would likely impede the free flow of information that is of vital importance to democracy. This is because it would create very broad rights of ownership in news and other information. … This proliferation of different rights for established players would make it more expensive for other people to use news content. … The proposed right would provide no protection against ‘fake news’. … There is no sound economic case for the introduction of such a right.

The academic community is virtually unanimous in its opposition to the European Commission’s proposal for a press publishers right. … it is important to understand that press publishers already have very significant rights in their publications. … [Moreover], Rapporteur Voss’s proposed amendments will make matters even worse. …

We call on all MEPs to oppose the Commission proposal, and with yet more determination, Mr Voss’s amendments. It is time to reject, once and for all, this misguided legislative reform.

My colleague, Giuseppe Mazziotti, and I are among the signatories. Read the full statement here (pdf) or here (html). It joins an open letter earlier this month from 56 organisations encouraging the deletion of Article 11.

Can you get out of the purchase of a house, if you find out later that someone had been murdered in it?

Get directions 16 Stillwell Dr, Wakefield WF2 6RL, UKThe question in the title was provoked by Ciara Kenny‘s House Hunter column in today’s Irish Times, where she ask Would you buy a house someone had been murdered in? I don’t think I would. And if I did, I’d be stuck with it, since the answer to the question in the title to this post is that you can’tget out of the purchase of a house, if you find out later that someone had been murdered in it. Ciara’s column is a diary of her travails trying to purchase a house in Dublin in today’s crazy property market (as she put it on twitter: it’s an effing nightmare). From today’s column:

Every old house has its secrets. Last summer, a gorgeous house came up for sale which we spent weeks deliberating over. But we couldn’t shake a bad feeling we had about the surrounding streets. So when bidding climbed above what we were willing to pay, we were relieved for once. … [Later, my partner found] a decade-old RTÉ news report about a man stabbed to death by a burglar on the stairs. … I don’t think I would be able to shake the image of that poor man’s violent death every time I walked upstairs.

If Ciara had bought the house, and later discovered its gruesome past, she would not have been able to reverse the transaction. (more…)

Standardised tobacco packaging comes ever closer in Ireland

Pantone448C via their websiteThe Irish Independent this morning reports that the first of the plain cigarette packets have hit shelves around the country:

Tobacco products bearing the new standardised packaging are now available in some Irish retail outlets. From September, all cigarettes and all other tobacco products will have to be sold in plain or standardised packaging by law.

The Department of Health have issued a press release in which the Minister of State for Health Promotion and the National Drugs Strategy, Catherine Byrne, welcomed the news that products using the new plain packaging can now be found in some outlets:

Gone are the familiar colours and logos of the various brands and instead all cigarette boxes will be in the same plain neutral colour [pictured above left], bringing into sharp focus the health warnings on the packets. … Our aim is to decrease the appeal of tobacco products, to increase the effectiveness of health warnings and to reduce the chances of consumers being misled about the harmful effects of smoking. This packaging makes it plain that cigarettes are bad for your health. … Standardised packaging is just one of a number of measures outlined in Tobacco Free Ireland (pdf), the ultimate aim of which is to encourage and help smokers to quit and to prevent young people from starting to smoke.

On 10 March 2015, when the President signed the Public Health (Standardised Packaging of Tobacco) Act 2015 (also here) into law, Ireland became the second country in the world — after Australia — to enact legislation requiring standardised tobacco packaging. (more…)

From Mute to Dysaguria

Alexander Skarsgard in MutePictured left is Alexander Skarsgård (imdb | wikipedia) in the new Duncan Jones (imdb | wikipedia | blog) movie Mute (imdb | Netflix).

Skarsgård plays Leo, a mute bartender searching for girlfriend who has inexplicably disappeared in Berlin in 2052. In an interview in last Sunday’s Observer, he takes up the story:

… [Leo’s] search takes him deep into a neon-saturated underworld, populated by gangsters and a pair of anarchic American field surgeons (Paul Rudd and Justin Theroux) … “It’s very dystopian, but not that far-fetched unfortunately, because it’s a society run by corporations,” says Skarsgård. “You subscribe to a corporation and then they will provide everything for you – housing, healthcare, food – but they basically own you. …”. …

So we could be looking at the future then? Skarsgård looks a little traumatised and then sighs: “Hopefully not.”

I’m looking forward to the movie; but I’m not sure I agree that the best adjective to describe it is “dystopian”. It is entirely appropriate when a state goes bad; but it is not a good adjective to describe “a society run by corporations”. In fact, we don’t have a word for when a corporate society goes bad, so I’ve suggested “dysaguria”, as a noun meaning “frightening company”, and “dysagurian” as the adjective to describe that frightening company and the associated society run by frightening companies (see here | here | here). We can’t easily discuss a phenomenon until we have the proper words to describe it:

In his speech on leaving the US Presidency in January 1961, Eisenhower warned against the growing power of the military-industrial complex. In modern surveillance terms, we might term this the security-corporate complex. And we already have a word for when the military/security state goes bad, … That word is “dystopia”.

However, we don’t have a word for when the industrial/corporate society goes bad, … I think it’s beyond time we had one … I suggest that we need a word for “frightening company”, and that we can devise one by following the lead provided by More and Mill [in coining “dystopia” as a counterpoint to “utopia”] provides a guide. … Let’s keep “dys” [meaning “bad”] as the prefix, and look for a suitable word to which to add it. Greek provides “aguris”, which means “crowd” or “group” … Hence, from “dys” meaning “bad”, and “aguris” meaning “crowd” or “group”, I suggest “dysaguria”, as a noun meaning “frightening company”, and “dysagurian” as the adjective…

In my view, therefore, “dysagurian” is the perfect word to describe the society in Mute‘s Berlin in 2052.

Update: Mute did not find favour with Donald Clarke in the Irish Times.

Legal reforms and practical responses are necessary to protect freedom of speech

Sunday Independent front page 12 NovYesterday’s Sunday Independent (front page pictured left) was something of a bumper issue for freedom of speech. The Editorial argued that it’s time to level the media playing field, and called on the Joint Oireachtas Committee on Communications, Climate Action and Environment to take into account the challenges facing all of the media, not just radio and tv stations, in its deliberations on the future of the television licence fee. And there were three other interesting columns in the print edition that were published online last night. Fergal Quinn argued that, with a referendum looming, the media should champion free speech, and we must learn to tolerate open debate. Eilish O’Hanlon argued that no-one should need to beg the Government’s permission to express an unpopular opinion. And Ruth Dudley Edwards praised Conor Cruise O’Brien as a revisionist who cared about truth and as a patriot who kept free speech alive.

Last week, the Long Room Hub in Trinity College Dublin and the Heyman Center for the Humanities in Columbia University, New York co-hosted a series of events in Dublin and New York on the challenges fake news poses to modern society. In yesterday’s Sunday Independent, Breda Heffernan reported on one of the Dublin events that fake news is a dark menace to truth, democracy and discourse.

Me, Andrea Martin, Todd Gitlin, Jane Ohlmeyer (Director, Long Room Hub), Fionnán Sheahan (click through for larger image)
The previous night, the Hub had hosted a (slightly controversial) Behind the Headlines event on freedom of speech: Where Journalism and the Law Collide at the Boundary of 21st Century Debate, featuring Fionnán Sheehan (Editor of the Irish Independent), Professor Todd Gitlin (of Columbia Journalism School), Andrea Martin (a media lawyer in practice in Dublin), and myself. Ryan Nugent reported in the Irish Independent the following day that traditional and social media are ‘not on a level defamation playing field’. Our four talks have been podcast on SoundCloud by the Hub; Todd’s talk is here; and, yesterday, the Sunday Independent published Andrea’s and mine. (more…)

Consultation on the Status, Treatment and Use of the National Anthem

Public Consultation Committee Seanad EireannThe Seanad Public Consultation Committee was established “to facilitate direct engagement and consultation between members of the public and Seanad Éireann” (pdf).

It has just undertaken a Consultation on the Status, Treatment and Use of the National Anthem (pdf):

The purpose of this consultation is to invite submissions from interested parties or citizens to consider the most appropriate way the State should treat the National Anthem. This consultation process is being considered in the context of the music and English and Irish lyrics of the National Anthem no longer being in copyright. Legislative proposals have been made to address this issue. Seanad Éireann would like to consult with citizens on their views on this issue.

I have already commented at length on this blog about the issue, so I made a short submission to the Committee in which I referred to those posts, and answered some of the questions posed in the Consultation. In my view, the anthem should be treated with respect and dignity, and there is a good case to be made for legislation to protect it from inappropriate commercialisation. However, I do not think that copyright is a suitable means to this end. Instead, I think that it is a matter for a specialist piece of legislation, specifically directed to the issue. I have drafted a possible Bill (doc), and I attached it to my submission to the Committee, and my answers to the Committee’s questions reflect the drafting choices in the attached Bill.