After the entry into force of the GDPR, young people under the age of 16 in Germany need the consent of their parents to use services such as WhatsApp or Facebook. This is explicitly regulated in Article 8 of the GDPR.
Scope of Article 8 GDPR and definition of the term “information society service”.
Article 8 GDPR is only applicable if an offer of information society services is made by companies (Article 8(1) GDPR). Unfortunately, this concept is not further defined in the GDPR. In Article 4 No. 25 GDPR, reference is made to Directive (EU) 2015/1535 for the further definition of the term “information society service”.
The term “service” means an information society service. That is, any service normally provided for remuneration, at a distance, electronically and at the individual request of a recipient.
For purposes of this definition, the term means:
(i) ‘service provided at a distance’ means a service provided without the simultaneous physical presence of the parties to the contract;
(ii) “electronically supplied service” means a service that is sent at the origin and received at the destination by means of equipment for the electronic processing (including digital compression) and storage of data, and that is transmitted, conveyed and received entirely by wire, by radio, by optical means or by other electromagnetic means;
(iii) ‘service provided at the individual request of a recipient’ means a service provided by the transmission of data on individual request.
This Directive also has in its Annex an example list of services that are not covered by this definition. If a company is unsure about the classification, a look at the Annex to the Directive may provide clarification.
Similarly, the publication of political views or religious affiliation within a Facebook profile is subject to consent.
Since May 25, Internet services are only allowed to process personal data of young people if you have parental consent for under-16s. Personal data includes, for example, name, IP address and e-mail address. More precisely, consent is only effective if it has been given by the parents themselves, or at least with their consent.
How are Internet services supposed to enforce this control in a meaningful way?
This question inevitably suggests itself to the attentive reader. It is well known that it is easy to cheat when entering the age. Although clear age limits are defined here by the GDPR, the following questions arise in practice: How should a company check the age of your users? In what form should parents give their consent for under 16-year-olds?
All these topics have not been conclusively regulated so far. This means that there is a need for even more detailed interpretation on the part of national data protection authorities. The idea of linking the children’s profiles with those of their parents on Facebook would lead to further processing of personal data. If necessary, this would again increase the risk of additional advertising purposes. This cannot be in the spirit of the inventor of more consumer data protection.
Scope of Article 8 GDPR
For parents, it is important to know that Article 8 GDPR only applies when the offer of information society services is made directly to the child. This excludes services such as dating portals or social networks, which exist specifically for adults. Conversely, however, services that address both target groups equally should fall within the scope of Article 8 GDPR. The aim of Article 8 GDPR is ultimately to provide effective protection for children and young people.
What options are there to monitor my children’s Internet use?
There are now a number of software providers that can be used to block certain websites for children, such as JUSPROG. There are also age-specific offers tailored to the needs of certain age groups. For slightly older children/teens, for example, there are filters for violence/erotica or file sharing. In addition, it is possible to set the daily use of the Internet with WinTimer to prevent excessive Internet use. Parents can block specific keywords by using such software. Websites such as video or game sites can be specifically excluded or provided with a time limit.
Art. 8 GDPR Conditions for a child’s consent in relation to information society services.
1. If Article 6(1)(a) applies in the case of an offer of information society services made directly to a child, the processing of the child’s personal data shall be lawful if the child has reached the age of sixteen. 2If the child has not reached the age of sixteen, such processing shall be lawful only if and to the extent that such consent is given by or with the consent of the holder of parental responsibility over the child.
3 Member States may, by law, provide for a lower age limit for these purposes, but it shall not be lower than the age of thirteen years.
2. The controller shall make reasonable efforts, taking into account available technology, to ascertain in such cases that consent has been given by or with the consent of the holder of parental responsibility over the child.
Paragraph 1 is without prejudice to the general contract law of the Member States, such as the rules on the validity, formation or legal consequences of a contract in relation to a child.