Following a consultation period, the Irish Government has decided that the digital age of consent for children to sign up to information society services without parental approval will be set at 13 years of age. The digital age of consent refers to the age at which children may legally sign up for services that process personal information, such as social media sites like Twitter or Facebook, without needing the explicit approval of their parent or guardian.
The decision follows a consultation process run in conjunction with the legislative drafting of Ireland’s new Data Protection Bill 2017. While the General Scheme of the Data Protection Bill released in May 2017 contains language in Head 16 referring to a “child’s consent in relation to information society services”, it does not include an actual age limit instead clarifying that “a separate government decision will be sought”. While the General Scheme is currently undergoing legislative scrutiny and considerable revisions are likely to be made before a final version is enacted, the Government’s 26 July decision as to the age of consent being 13 is not expected to change.
Article 8 of the General Data Protection Regulation (the “GDPR”), which comes into effect across the EU next May, introduces specific protections for children by limiting their ability to consent without specific parental permission. While initial drafts of Article 8 set the age of consent at 13, negotiations saw the final draft adopt 16 as the threshold, with an option to allow member states to set a lower age not below 13. In addition to the age limits, Article 8 also provides that data controllers must obtain and use “reasonable efforts” to verify the consent of a parent or guardian when processing a child’s personal data.
Speaking following the decision, a Government spokesman acknowledged that while the GDPR allowed member states to set a digital age of consent between 13 to 16, Ireland had “gone for the lower end”. The decision was positively received by the Children’s Rights Alliance who had recommended setting the limit at “the lowest age possible” as well as the Special Rapporteur for Child Protection, Dr Geoffrey Shannon, who had warned that Ireland should take steps to not restrict children’s rights.
However, while the decision in Ireland has been welcomed, it is likely that the differing rules on the age of consent in EU member states, as well as between the EU standard and other countries such as the United States, will create significant challenges for companies that offer international services. While both Ireland and UK look set to adopt 13, which is in line with the United States’ Children’s Online Privacy Protection Rule, it remains to be seen whether other member states will act together on adopting a uniform age of consent before the GDPR comes into effect in May 2018.
For further information, visit William Fry’s dedicated website to the GDPR, PrivacySource, which includes in-depth analysis and practical tips on preparing for the GDPR. For further information about the General Scheme of the Data Protection Bill 2017, see Part 1, Part 2 and Part 3 of our series.
Contributed by John Magee