The EU, children under 13 years, and parental consent: a human rights analysis of a new, age-based bright-line for the protection of children on the Internet

Abstract

Empirical data show that increasingly younger children are engaging in online activities. Many children lack experience and knowledge of the implications and practices related to personal data management. However, under the current European data protection regime, children become data subjects on the same legal basis as adults, with consent being the most popular method of obtaining personal data. The proposed EU Data Protection Regulation tackles this problem by introducing a requirement for data controllers providing information society services directed at children: the controllers should obtain parental consent in cases where the personal data of a child under the age of 13 are being processed in the online environment. In the view of the European Commission, this requirement will reduce online risks for children and prevent them from making ‘youthful’ indiscretions. While debates on the proposed Regulation have mostly focused on provisions with prominent business relevance (eg one-stop shop mechanism, the right to be forgotten, etc.), this article reflects on the substance of the proposed parental consent rule. In particular, the article questions whether the ‘bright-line rule’ of parental consent for children under 13 years can adequately protect their personal data, and, whether such a rule is compatible with the European and international legal frameworks.