The consent of minors and the GDPR

And when the data subjects are minors? This text provides some insights on this issue. This is an opinion article that has been revised from the text published in the October issue of the magazine Actualidade Economia Ibérica, which had been written prior to the publication of Law 58/2019 of 8 August.

According to Article 6(1)(a) of the General Data Protection Regulation (GDPR), when there is no other source of lawfulness for the processing of personal data, the data subject must give his consent.

The GDPR has reinforced the preconditions for consent by requiring that it be given “by a clear positive act indicating a free, specific, informed and unequivocal expression of will that the data subject consents to the processing of him/her data ” (cf. Recital 32).

As far as data subjects are minors, the verification of the conditions for consent faces more complex problems. According to Article 122 of the Civil Code, minors are all those who have not yet reached the age of 18. Due to the fact that they are minors, there are restrictions on the ability of data subjects to exercise their rights directly.

Combined with the GDPR, minors under 18 years of age are not able to give their consent to the processing of their personal data. The power to exercise this right is, under the terms of Article 124 of the Civil Code, is given to the parents or guardians.

The Community legislator’s concern for children is supported by recital (38) of the GDPR, which states that they “deserve special protection with regard to their data, since they may be less aware of the risks, consequences and guarantees in question and of their rights related to the processing of personal data. Such specific protection should apply in particular to the use of personal data relating to children for the purpose of marketing or creating personality or user profiles and to the collection of personal data relating to children when using services made available directly to children”.

However, in contradiction, the GDPR has established special conditions for the consent of children in relation to (and only to) information society services, which are less protective of minors. Article 8(1) of the Regulation provides that where the consent of the data subject is required in relation to the direct provision of Information Society services to children, the processing of children’s personal data is lawful if they are at least 16 years old. The Community legislator allows Member States to set a lower age for these purposes, provided that this age is not lower than 13 years.

Within the meaning of Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services, an ‘Information Society Service’ is any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.

In other words, if the Community legislator, on the one hand, accepts that children do not have full discretion to understand the risks, consequences and guarantees that the processing of their data may involve, it allows a child under the age of 16 or 13, depending on the choice of each Member State, to give his or her consent to the processing of data and to request the provision of a service, remunerated, at a distance, by electronic means.

Law 58/2019 of 8 August, which ensures the implementation, in the national legal system, of the GDPR with regard to the processing of personal data of children, raises interpretative questions. Thus, Article 16(1) states that “in the terms of Article 8 of the GDPR, personal data relating to children may only be processed on the basis of the consent provided for in Article 6(1)(a) of the GDPR and relating to the direct provision of information society services when they are already thirteen years old”.

This wording cannot be understood in the sense that consent is the only source of lawfulness for the processing of personal data of children. Thus, the processing of children’s personal data will be lawful whenever one of the situations foreseen in articles 6 and 9 of the RGPD occurs, among which consent is only one of the grounds listed, along with the fulfilment of legal obligations, defence of vital interests, public interest functions, among others.

Article 8 of the GDPR is only applicable in the context of the direct provision of information society services to children, and where the basis for processing the personal data of children is consent. In these situations and only in these situations, children from the age of 13 years may consent to the processing of their data. National law can only be interpreted in the light of this legal framework provided by the GDPR, under penalty of manifest violation of EU law.

In the case of children capable of giving their consent as referred to above, the controller shall take particular care to provide the data subjects with the required information in a concise, transparent, intelligible and easily accessible form, using clear and simple language appropriate to the age of the recipients.

Where the processing of data of minors under the age of 18, or of minors under the age of 16 or 13, is concerned, depending on the choice of each Member State, in the latter case in the context of the direct provision of information society services, consent, where compulsory, should be given by the holders of parental responsibility

In addition, the controller should make all appropriate efforts to verify that consent has been given or authorised by the holder of the child’s parental responsibilities, taking into account the available technology (cf. Article 8.2 of the GDPR). The above-mentioned GDPR implementing law gives preference to secure means of authentication (cf. Article 16(2) of Law 58/2019) such as the Citizen’s Card or the Digital Mobile Key. The controller should determine the appropriate measures in each case and “avoid verification solutions which themselves involve excessive collection of personal data (cf. “Guidelines on consent within the meaning of Regulation (EU) 2016/679”, 17/EN, WP259 rev.01, adopted on November 28, 2017, last revised and adopted on April 10, 2018, Article 29 Data Protection Working Group).The legal representative’s statute does not, however, have any absolute or unconditional priority over the child and may, in certain situations, be removed, in general terms, in accordance with the provisions of Article 1918 of the Civil Code, such as when the best interests of the child overlap or when it is found that the child is mature enough to at least be consulted on matters concerning him/her.

As concluded by the Article 29 Working Party in its Opinion No 2/2009 on the protection of children’s personal data (General guidelines and the special case of schools) ‘Children should be made aware, in particular, that they themselves must be the primary protectors of their personal data. According to this criterion, the gradual participation of children in the protection of their personal data (from consultation to decision) should be made effective. This is an area where the effectiveness of empowerment can be demonstrated.’

Jane Kirkby, lawyer and partner at BAS

More in Communication