Child Protection is best served by setting the Age of Digital Consent at 13
Three organisations working to protect children and young people online have today called on all Oireachtas members to retain the age of Digital Consent at 13 to avoid significant risks to child safety.
The Age of Digital Consent relates to when a person can grant permission for an information society service to process their personal data. Under the Data Protection Bill 2018 as published, a child will be able to consent to their data being processed at the age of 13. This means that a young person will be able to input their email address and register for various services, including social media platforms; homework support, downloadables, etc. by giving their consent to these services to process their personal data, without their parents’ consent.
Setting the age of digital consent at 16 could have some unintended consequences leaving children exposed to child protection risks. For example, in the US where the age of digital consent was set at 13 in 1998, there have been significant issues with age verification. Some organisations/companies developed very robust approaches while others relied on very weak mechanisms. The effect of this was that children lied about their online behaviour. They didn’t always get to benefit from the age filters that are designed to protect them from inappropriate content. This point was echoed at the recent meeting of the Joint Committee on Children and Youth Affairs looking at The Cybersecurity of Children and Young Adults. Setting the age of digital consent at 16 in Ireland without robust age verification measures could create unnecessary risks for children, including impeding the prosecution of perpetrators of online grooming.
While there has been a number of calls recently proposing to raise the Age of Digital Consent to 16, and a proposed Seanad amendment, the Children’s Rights Alliance, ISPCC and SpunOut.ie highlighted the dangers inherent in such an amendment. The organisations outlined how raising the age to 16 would not be practical or in any way help to enhance the online safety of children and young people in Ireland.
While the internet mirrors the offline world in that it is not always a safe place, changing the Age of Digital Consent to 16 could result in technology platforms using it as justification to not take action to make their sites and services safer places for children and young people and more compatible to their needs. Service providers would not face any additional obligations in relation to how they process young people’s data. Retaining the age at 13, in contrast, would maintain a focus on creating safer online spaces, including more child-friendly Terms and Conditions written in an easily understandable manner with clearly-defined opt-in and opt-out mechanisms. The younger the age of digital consent, the more child-friendly these will have to be.
The other serious issue relates to the prosecution of sexual offences. It is currently a crime to groom a child for sexual exploitation under Irish law. The three organisations are concerned that setting the age of digital consent at 16 could negatively impact on the prosecution of these offences. For example, if a child or young person manages to bypass verification or lie when signing up and they are groomed by an individual, the individual could claim they thought that they were older. It is paramount that we develop robust age verification methods to ensure that this does not happen. However, neither the regulation nor directive specifies how verification is to happen. Providers have to make reasonable efforts to seek parental verification. However, the Data Protection Bill 2018 does not specify how that will happen, and in fact, it is likely that we will have to rely on the European Data Protection Supervisor to eventually develop guidelines in this regard to bring certainty. This issue was previously highlighted by the European NGO Alliance for Child Safety who wrote an open letter to the European Data Protection Supervisor and the Working Party on the Directive in May 2017. They argued that “any alternative to 13 must be able to demonstrate that it can meet the challenge posed by grooming laws”.
Protecting Children’s Access to Support Services
The GDPR contains an exemption from the need to seek consent or age verification for organisations providing preventative and counselling services*. However, ‘preventative’ and ‘counselling’ is not defined in either EU law or the Data Protection Bill. We will have to wait until complaints are made to the Data Protection Commissioners to understand their scope. Unless the legislation defines this more clearly, there is a real risk that organisations who provide advice and support services that fall outside, or may fall outside the scope of that exemption law may withdraw services that children and young people use, leaving young people without important services.
The Children’s Rights Alliance, ISPCC and SpunOut.ie clearly outlined, with examples, how amending the Age of Digital Consent to 16 would have the effect of removing access to services for young people:
- A 15 year-old who is unsure of their sexuality would no longer have the ability to register for an e-newsletter from a teenager-focussed LGBT support group without first seeking their parents’ permission.
- A Junior Certificate student seeking to access revision notes online as part of their studies could not do so without first attaining parental consent.
The three organisations which work directly with children and young people highlighted the importance of the passing of the Data Protection Bill 2018 with the Digital Age of Consent set at 13 and said that such progress, as part of a series of measures which need to be taken, will demonstrate that Ireland is taking child protection seriously. Children and young people will continue to have direct access to important information and the support services that they need and they will be empowered to continue to enjoy the range of opportunities the internet presents in the safest and most supportive environment possible.
*Please note that the first sentence under the heading 'Protecting Children's Access to Support Services' should read: 'The GDPR contains an exemption from the need to seek the consent of the holder of parental responsibility for organisations providing preventative and counselling services.' We apologise for the error.