Authors: Judith Rauhofer and Burkhard Schafer

1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.

2.The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

3.Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

I. General overview

Art. 8 concretises the concept of voluntary consent in Art. 4 no. 11 for information society services as defined in Art. 4 no. 25, when the data subject is a minor. This makes Art. 8 one of the few provisions of the GDPR that explicitly addresses the Internet.

Giving valid consent to the processing of personal data requires at least a general understanding of the consequences and risks associated with this permission and the rights that are available. Data subjects whose cognitive capabilities do not permit them to form a sufficiently accurate understanding of the content and consequences of their consent do not consent freely. Making a determination whether the data subject is able to sufficiently understand the meaning and consequences of their consent can be highly fact- and context- specific; and this is why the GDPR in general requires an assessment of the individual case and the individual data subject, allowing for a nuanced and gradual evaluation of the validity of consent. Art. 8 creates an exception to this general case-by-case approach for one group of data subjects and one context of data processing: children targeted by online services.

Art. 8 creates a fixed age limit below which consent is not valid, independent of the actual intellectual maturity of the child. This is however limited to situations, where the child is using information society services that are offered directly to children. Excluded from the scope of Art. 8 is also the processing of special categories of data, to which Art. 9 applies. While Art.8 para. 1 introduces an age limit of 16 years as the typical point at which children become able to consent to the processing of their data, it allows Member States to reduce this threshold by up to 3 years, provided this deviation from the standard is in turn proscribed as a fixed limit in national law. Conversely, once a child reaches the age of 16, the validity of her/his consent has to be evaluated in the same way in which it would be assessed for an adult; and cannot be denied merely because of lack of maturity (that may be typical for teenagers below the age of full legal capacity). Therefore, Art. 8 also leads to a limited[1] harmonisation of age-related requirements across the EU and, in addition to the protection of children, creates a degree of legal certainty for information society service providers, even though a fully harmonised approach remains elusive.[2]

If a child is below the age of 16 (or the relevant national threshold where different), the holder(s) of parental responsibility can give or authorise consent on behalf of the minor. In this case, Art. 8 para. 2 imposes a duty on the controller to take reasonable efforts to ascertain that the holder of parental responsibility consented to the processing. A violation of this self-standing duty can lead to fines under Art. 83 para. 4 lit. a, even when that failure did not result in unlawful data processing under Art 6.

 

II. Legislative history

DPD did not contain any age-specific rules. With the release of the Internet Explorer, as the first browser designed for a general audience in the very same year the DPD came into effect, the EU legislator could not have anticipated how quickly and comprehensively children and young adults would embrace the technology.[3]

 

 

 

[…]

 

 

 

 

* The authors would like to thank Ayça Atabey for her assistance in conducting the research for this chapter.

[1] Buitelaar p. 301.

[2] Macenaite/Kosta p. 148; Kosta, ‘Art. 8’ in Kuner/Bygrave/Docksey, p. 361.

[3] See e.g., Hasebrink/Livingstone/Haddon/Olafsson, K. (2009), ‘Comparing children’s online opportunities and risks across Europe: Cross-national comparisons for EU Kids Online’.