Processing Children’s Data

January 27, 2012

I was delighted to hear about {‘The i in online:}’ survey and workshop which aims to teach 31,000 children, aged 8 to 18, how to protect their personal information online, particularly in games and social networking sites, via an interactive microsite. The charity’s survey will ask the children about their attitudes to privacy settings and online safety, and also ask them to choose the visual icons they believe best represent how much personal information they divulge online and the value of data protection. These icons, which have been created by children working with The i in online, will be refined and used to create a ‘highway code’ for Internet privacy, which it is hoped will be adopted by web sites to help inform users.

I was even more delighted to note that Speechly Bircham partner Robert Bond is the main driver behind this move. It’s nice to see instances of IT lawyers doing something positive about a social problem rather than just pointing it out, often with ill-concealed relish. (Although I suppose the man who puts the danger sign in front of the hole is doing something positive.)

The idea seems sound – I suspect that there are many adults who would benefit from a simplified grading system with simple icons too, and I suspect that I may be one of them. Apparently, a similar survey of 4,000 children by the charity last year revealed that 60% of UK children had not read the privacy policies of web sites, with many finding visual icons easier to understand than wordy terms. I suspect that most of the remaining 40% were big fibbers – if they were in fact telling the truth then about three times as many children read the privacy policies as adults.

This move chimes well with all data protection rules, including the new draft Regulation. That includes a number of references to the special protection needed for children: ‘Given that children deserve specific protection, any information and communication, where processing is addressed specifically to a child, should be in such a clear and plain language that the child can easily understand’ and, in Article 11, ‘The controller shall provide any information and any communication relating to the processing of personal data to the data subject in an intelligible form, using clear and plain language, adapted to the data subject, in particular for any information addressed specifically to a child’.

I can imagine the icons becoming compulsory, although they may have to be culturally bland if they are to apply across the EU; at the very least, you will have to sharpen your drafting skills if you are to take account of the average comprehension ability of a 12-year-old child. (Anything directed at slightly older children will have to have the word ‘like’ inserted randomly three times in every sentence.)

Robert Bond’s initiative and a great article from David Gourlay and David Gallagher which was posted last month and which looks at the conflicting requirements of US and UK law on data collection from children both brought me back to a long-lasting dilemma. The new draft Regulation seems to do nothing to resolve this. Article 8 (processing personal data of a child) provides as follows:
{i}1 For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child’s parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.
2. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.{/i}

I suspect that there is a PhD thesis in Article 8 alone. Note that it is the ‘verifiable consent’ that they must make reasonable efforts to obtain, not the authorisation, and that ‘available technology’ has to be taken into consideration (which raises the question ‘available to whom?’). But I just want to mention an old hobby-horse: what about when Article 8(1) and 8(2) conflict?

If 14-year-old Laurence consents to the terms and conditions etc of Facebook, he is not contracting for ‘necessaries’, no matter how necessary it may seem to him to have such an account. What is that consent worth if, on attaining the age of 18, he realises that the numerous embarrassing pictures he posted and many inappropriate status updates are a drag on his future career? If he repudiates that contract, all consents surely fall away. The newly proposed right (whether we are calling it the right to be forgotten or the right of erasure), with its admirable aims and limited exceptions, does not apply because the contract is voidable and I think that means that the consent never existed.

That doesn’t seem very sensible, does it? No doubt it is more complicated than I think.

And the cherry on this cake is that ‘the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child’ vary from Member State to Member State. They are not even the same throughout the UK Member State.