Data Processing Consent Age Unclear in EU Regulation

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

Jan. 13 — Social media companies offering services in the European Union may have to wait for more than two years for full clarification of the age at which consent for data processing becomes valid without parental authorization under the new General Data Protection Regulation.

(Click image to enlarge.)

EUimage

The regulation states that a child below the age of 16 can't consent to the processing of his or her data in the context of “information society services,” and that companies that offer such services must make “reasonable efforts to verify” that a child has the approval of a parent or guardian.

However, the regulation permits EU member states to opt-out of the requirement, as long as they provide for a minimum consent age of 13, in line with rules under the Children's Online Privacy Protection Act in the U.S.

The European Commission, the EU's executive arm, proposed the data protection regulation in 2012 to replace the now over twenty-year-old EU Data Protection Directive (95/46/EC) (11 PVLR 178, 1/30/12). The regulation was informally agreed by negotiators from the European Parliament and the Council of the EU, which represents member states, Dec. 15 (14 PVLR 2289, 12/21/15). The agreed upon text is still subject to formal ratification by both institutions, which is expected soon.

The commission proposed to harmonize at 13, the age at which a child can consent to data processing. The European Parliament also voted in favor of 13 as the cut-off age when it adopted its position on the regulation in March 2014 (13 PVLR 444, 3/17/14).

However, late in the negotiations to finalize the regulation, council negotiators inserted provisions raising the minimum consent age to 16, with the possibility for EU countries to adopt an age no lower than 13.

No Notification Deadline

Representatives of EU institutions told Bloomberg BNA that the regulation contains no specific deadline by when EU countries must announce the minimum consent age they will adopt.

Council of the EU spokesman Joaquín Nogueroles-Garcia told Bloomberg BNA Jan. 12 that the issue of the consent age “just came up at the end of the negotiations.”

An EU official who asked not to be identified said EU countries would individually decide minimum consent ages, and there was “no mention of notification deadlines” in the regulation by when countries would have to provide information on the issue to the future European Data Protection Board (EDPB).

The EDPB will replace the Article 29 Working Party of EU member state data protection commissioners, and will be responsible for coordinating the implementation of the regulation.

Once it has been formally ratified by the parliament and council, the regulation will come into effect after a two-year transition period, in mid-2018.

Because the only timing requirement in the regulation is the two-year transition deadline, it might not become clear until that point which EU countries have opted out of the requirement for the minimum consent age to be set at 16.

French Push

It is also unclear which EU countries pushed in the final negotiations for the consent age to be set at 16, and therefore are likely to also adopt 16 as the minimum age in their national laws.

Bloomberg BNA spoke to three EU officials, none of whom would be identified, that said France pushed for the higher age threshold.

The EU's existing data protection directive doesn't specify a minimum consent age for data processing, meaning that in many countries the minimum age is by default the age of majority. In Belgium, Luxembourg and France, for example, social media companies are technically required to ensure parental approval for anyone under the age of 18, prior to any data processing.

Valid Consent

Peter Van Dyck, a senior associate with Allen & Overy LLP in Brussels, told Bloomberg BNA Jan. 12 that in implementing the regulation “my feeling is that most countries will simply accept the default position, which is 16.”

The variable minimum consent age “goes against the core aim of harmonization” of EU data protection law, and was “clearly one of the shortcomings of the regulation,” Van Dyck said.

He added that the regulation requires companies to make “reasonable efforts” to ensure parental approval, rather than laying down a “hardcore obligation,” but that companies should ensure they can demonstrate valid consent in case of legal disputes.

One company likely to be effected by variable minimum consent ages in different EU countries, Facebook Inc., declined to comment on the issue of minimum consent ages.

Facebook told Bloomberg BNA Jan. 13 that “the implementation of the regulations will take place over the next two years, and we look forward to being part of this discussion.”

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Jimmy H. Koo at jkoo@bna.com