Law student argues that recent European Union privacy regulation does not fully protect children.
Children growing up in the digital age face an experience that other generations did not: having their digital footprint made for them before they can make it themselves. On social media platforms—like Facebook, Twitter, and Instagram—expectant parents share photos of prenatal scans, and mothers and fathers share photos chronicling their child’s life from birth. Although the effects of this continuous sharing are yet unknown, lawmakers and regulators around the world have enacted, and continue to update, data protection laws and regulations that could protect the lives and privacy of individuals across the world, including children.
In 2018, the European Union (EU) implemented the General Data Protection Regulation (GDPR) to protect the interests of natural persons when their personal data is processed. In a recent paper, Ciara Hurley, a student at the University of Oxford Faculty of Law, argues that the GDPR does not fully protect a child’s right to privacy because children are being exposed on the Internet when parents share their images on social media. Hurley grounds the discussion in the need to protect children and argues that allowing parents to consent for their child restricts the potential value of the GDPR.
The EU published the GDPR as a response to the advances in technology that have occurred since the enactment of the Data Protection Directive in 1995. GDPR’s stated purpose is to protect “natural persons in relation to the processing of personal data,” which the GDPR defines as “any information relating to an identified or identifiable natural person.” In addition, the GDPR defines an identifiable natural person as “one who can be identified, directly or indirectly,” by name, location, or factors specific to the natural person. Hurley suggests that “photographs of children…constitute personal data if the child is identifiable.”
Hurley notes, however, that the GDPR concerns itself with the processing of personal data, rather than just the existence of personal data. The GDPR identifies processing as any operation “performed on personal data,” automated or not, including collection, storage, making available, and erasure. Hurley concludes that photographs of identifiable children uploaded to Facebook involve the processing of “personal data” because Facebook stores the image and makes the image available. Therefore, according to Hurley, Facebook is subject to the requirements in the GDPR.
Although the GDPR does not apply to data processing by natural persons for household activities, the regulation does apply to the entity that facilitates the processing, regardless of whether the processing occurs in the EU. Thus, parents responsible for uploading photographs to Facebook are not subject to this regulation, but Facebook itself is, even though the processing takes place in the United States.
The GDPR outlines specific principles for the way in which the processing of personal data takes place. The regulation requires that data be collected for legitimate purposes and processed transparently—so the individual knows that data is being collected and understands the extent of the processing. Most importantly, Hurley contends, the processing counts as “legal” only after the data subject—in this case, the individual in a photograph—has consented to processing. The GDPR defines consent as “freely given, specific, informed and unambiguous indication” of the individual’s wishes—in this case, agreeing to Facebook’s terms of service. So, how could a fetus or a newborn baby consent to having his or her photograph on Facebook?
The regulation grants consenting authority to the “holder of parental responsibility” of a child under the age of 16. Specifically, the GDPR states the holder of parental responsibility needs to “give” or “authorize” the consent. Hurley, however, notes that no guidance exists for this requirement. Hurley suggests two interpretations: The parent can either give consent without involving the child or allow the child to give his or her consent.
Although the parent may authorize the consent, many of these individuals still agree to terms of service and privacy policies without reading the “ambiguous lexical phrases” and “complex language” found in them. Hurley notes that this impacts children because parents agree to subject their child’s image “to the terms of this agreement without a sufficient understanding of what it encompasses.” Hurley argues that because the GDPR puts control over the child’s right to data protection in the hands of the child’s parent, the regulation does not protect the child’s right to privacy when the interests of the parent clash with those of the child.
Hurley recommends that EU member states consider the optional constraints available within the GDPR to further the protection of a child’s right to privacy. The GDPR allows parents to consent on behalf of their child when the processing involves identification of the child. An exception available to the member states would allow legislation to prevent the data subject—in this case, the child—from giving consent. This would, Hurley suggests, “negate the ability of a parent” to consent to processing used to identify their child. Hurley notes, however, that unless all member states adopt similar legislation, a “disparate level of protection” would occur throughout the EU.
Although society cannot predict the long-term effects of a child growing up with a digital footprint he or she did not create, Hurley argues that this subject deserves more legal and academic attention.