New politics certainly make for interesting times. Minority governments are no strangers to defeats, even to two defeats in one day, but yesterday marked another milestone, when the government lost not merely two votes, but votes on two successive legislative amendments. They both related to the protection of children in the Data Protection Bill, 2018. The first will make it an offence to process the personal data of a child for the purposes of direct marketing, profiling or micro-targeting; the second will set the digital age of consent at 16. In fact, seeing the writing on the wall, rather than suffer the indignity – surely unique, even in this era of new politics – of four defeats in one evening, the Minister accepted a third amendment and declined to press a fourth of his own. The third amendment that he accepted will permit not-for-profit bodies to seek damages on behalf of data subjects; and the amendment that he withdrew would have undercut the effect of the third successful amendment. (The three successful amendments are amendments 14, 15 and 115 here (pdf), amending this version (pdf) of the Bill, and debated here). Earlier versions of all three successful amendments had been defeated by the government at every previous stage of the Bill. Time will tell if any of them proves significant, but the one that has generated the most coverage so far is the amendment to the digital age of consent.
The aim of the Bill is to incorporate the General Data Protection Regulation (Regulation (EU) 2016/679) into Irish law. Article 6(1) GDPR sets out six bases for lawful processing of personal data, the first of which, specified in Article 6(1)(a), is that “the data subject has given consent to the processing of his or her personal data for one or more specific purposes” [on consent, see ICO | WP29]. A child can, in principle, provide such consent; but a minimum age at which children as data subjects can consent to having their personal data processed is not specified in the GDPR. Article 7 GDPR provides that the controller must be able to demonstrate this consent, and the younger the child is, the more difficult it will be for the controller to do so. To these flexible general rules relating to the consent of children, Article 8 GDPR provides a bright-line exception, which has become known as the digital age of consent. It provides:
1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
3. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.
For the purposes of sub-section (1), a provider of “information society services” [an ISS provider] is “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. Hence, Article 8 GDPR articulates a minimum age at which children may consent to the processing of their data by ISS providers. This is the digital age of consent. It is intended to augment the protections for children online. The EU Commission’s initial proposal (pdf) simply provided for a common digital age of consent of 13, but political consensus could not be reached. So, the first sentence of Article 6(1) GDPR sets the standard digital age of consent at 16, and the second sentence allows Member States to provide for a lower age, provided that it is no lower than 13. Reflecting ongoing political dissensus, the 28 Member States of the EU have not legislated with one voice on this issue.
In Ireland, when the Government published the draft General Scheme of a Data Protection Bill 2017 in May 2017, Head 16 provided that “[ ] years shall be the age” for the purposes of Article 8 GDPR; and the explanatory notes clarified that a “separate Government decision [would] … be sought on ‘the digital age of consent’ for the purposes of this Head”. The Government duly opened a consultation on the issue (here | here); there were many responses; and the overwhelming majority of them supported a digital age of consent of 13. The Government decided to set the digital age of consent at 13. The Joint Oireachtas Committee on Justice and Equality undertook pre-legislative scrutiny of the Scheme, and, in their Report, they recommended that the digital age of consent be set at 13. Not long after, the Taoiseach reaffirmed the Government’s commitment that the digital age of consent would be set at 13. Hence, when the Data Protection Bill, 2018 (pdf) as initiated was published on 30 January 2018, section 29(1) provided that the “age of a child specified for the purposes of Article 8 is 13 years of age”.
The Bill was taken first in the Seanad, where amendments to change the age to 16 were not accepted by the Minister for Justice. Instead, he proposed that the issue would be reviewed 3 years after the coming into operation of the Act, and this amendment was agreed to. The Bill passed all stages in the Seanad by the end of March; due to amendments elsewhere, the section concerning the digital age of consent was renumbered section 30 in the version of the Bill (pdf) as passed by the Seanad; the text of sub-section (1) was unchanged; and a new sub-section (3) was added:
The Minister shall—
(a) not later than 3 years after the coming into operation of this section, commence a review of the operation of subsection (1), and
(b) complete that review not later than one year after its commencement.
Meanwhile, the Joint Committee on Children and Youth Affairs was considering the question of cybersecurity for children and young persons, and, in their Report (pdf), they recommended that the Joint Committee on Justice and Equality should look again at the matter in the context of its Committee Stage consideration of the Data Protection Bill 2018. At that stage in the Dáil, opposition parties put down amendments to set the digital age of consent at 16 (consolidated as Amendment 27 here (pdf)). However, the Minister was not for turning; children’s rights representatives and organisations re-iterated their support for 13; the amendment was defeated; and the outcome was warmly welcomed by children’s rights groups.
At Report Stage, the same forces arrayed themselves again. Once again, opposition parties put down amendments to set the digital age of consent at 16 (see Amendment 14 here (pdf)). Once again, the Minister was not for turning. And, once again, children’s rights representatives and organisations re-iterated their support for 13. But, this time, the amendment was successful; the digital age of consent was set at 16; and this outcome was met with dismay by children’s rights groups. The Bill has now passed all stages in the Dáil, and there were no other amendments to section 30. This means that subsection (3) remains, and there will be a review of the issue in 3 years time.
Ireland joins nine other countries [Croatia, Germany, Hungary, Lithuania, Luxembourg, Malta, Romania, Slovakia and the Netherlands] setting the digital age of consent at 16; four [The Czech Republic, France, Greece, and Slovenia] have chosen 15; four [Austria, Bulgaria, Cyprus, and Italy] have opted for 14; and ten [Belgium, Denmark, Estonia, Finland, Latvia, Poland, Portugal, Spain, Sweden, and the UK] have gone for 13.
One consequence of this differential incorporation of Article 8 GDPR is that the fragmentation of ages in national legislation in the EU’s members states may, in practice, lead to convergence at 16. For example, WhatsApp (but not Facebook) will raise the minimum age of its users from 13 to 16 in Europe to comply with the GDPR. Periscope (but not Twitter) is doing the same thing. Less drastically, Snapchat will stop retaining location data on under-16s in Europe. Other ISS providers could also draw lines at 16. If they do so in sufficient numbers, then 16 could become the de facto norm, even in Member States that have adopted lower ages.
Another consequence of the differential incorporation of Article 8 GDPR may spell bad news for Ireland. Ireland has chosen to set the digital age of consent at 16. It means that processing of data of children under 16 in Ireland, in the words of Article 8 GDPR, “shall not be lawful” without parental consent. However, whilst Ireland is one of ten countries which has chosen to set that age at 16, in eighteen other countries, the digital age of consent is less than 16. For example, in Sweden, it is 13. In the case of a Swedish teenager aged between 13 and 16 who is a member of an ISS provider, that provider will be able to process that teenager’s data in Sweden on the basis of that teenager’s consent. However, if the ISS provider has its European data headquarters in Ireland, it will not be able to process the Swedish teenager’s data in Ireland without parental consent. This means, in practice, that ISS providers processing EU data in Ireland will have two choices. They can raise the minimum age for their users throughout Europe to 16 (and, perhaps, seek parental consent for processing of data relating to children younger than that age), so that processing in Dublin complies with Irish law on the digital age of consent. Or they can cease processing in Ireland, and process instead in a jurisdiction like Sweden where the digital age of consent is 13.
The latter option is not fanciful. Facebook process the data of its US and Canadian customers in the US, and until recently they processed the data of the rest of its customers worldwide in Dublin. However, they have decided to move all non-EU processing to the US. They have a large, and expanding, data centre in Luleå, Sweden, and it would not be unthinkable for them to move all EU processing there. Even if Facebook do not, other ISS providers may consolidate their EU processing in countries like Sweden where the digital age of consent is 13.
On the question of the digital age of consent, new politics have given us an interesting outcome, with unpredictable results for teenagers online and for the government’s engagement with US technology companies. It will be interesting, to say the least, to see how this all plays out over the next three years. And the review of the digital age of consent that occurs in three years time will, indeed, be (you’ve guessed it) interesting.