The much discussed General Data Protection Regulation (“GDPR”) is expected to be enacted by the end of January 2016. Article 8 of the GDPR addresses the collection of information from minors by businesses online much as COPPA does in the United States. The drafters of the GDPR sent shockwaves through the online community by designating the age of a minor for consent purposes at 16 instead of 13 as found with COPPA. Media reports suggest the drafters are now backing off the 16 number. As is often the case with the media, these reports are wrong.
Not So Sweet 16?
Let’s cut to the chase and look at the key language of Article 8. You might want to sit down first:
(1) the processing of personal data of a child below the age of 16 years shall only be lawful if and to the extent that such consent is given or authorized by the holder of parental responsibility over the child.
In a typical bureaucratic move, the drafters fail to note what exactly will constitute proper consent. If the methodology mirrors COPPA regulations, the financial burden on large companies such as Facebook will be huge while smaller app providers and online businesses will likely be unable to comply at all given the cost.
As one might surmise, the 16 age limit produced a sudden burst of objections from small and large businesses alike. And the drafters of the regulations reportedly backed down, which was reported gleefully in the media.
But did the GDPR drafters really back down? Technically – yes. Practically – no.
The 16-year age threshold will remain in the language of the new GDPR. Individual member states of the EU, however, will be allowed to pick their own limit with 13 being the lowest option.
Think about that last statement.
Each country can set its own age.
Does this simplify privacy compliance for your company?
Following is a likely scenario:
- UK – sets age limit at under 13.
- Bulgaria – takes no action, resulting in 16 being the default designation.
- France – sets age limit at 14.
- Slovenia – takes no action, leaving default 16 age in place.
- Netherlands – sets the age at 15.
Let the compliance nightmare begin.
The burden associated with complying with each different age group is massive. Anyone other than the largest web businesses will face two options – don’t collect from kids or use 16 as the default age for all EU traffic. In this way, 16 is likely to become the dominant compliance age for most companies under the new GDPR.
Come And Get Me!
You might be thinking EU regulations don’t apply to your business. After all, how is the EU going to track you down in the United States? We already got rid of a European king not too long ago, so how difficult could it be to fend off some socialist regulators in old Europe?
Potentially very difficult.
The new GDPR applies to any business collecting information from a citizen of the EU regardless of where the business is located. To make matters worse, the mob…err, your elected officials in Washington, D.C., are in the process of issuing laws providing the EU with more options to enforce the GDPR in U.S. courts.
Ah, your tax dollars at work.
Article 8 is incredibly short – less than three small sections – but it will create a significant number of practical problems for businesses small and large. Consider your email list. Do you have any idea as to which individuals are from Europe, much less their ages? Probably not. Will you then be required to delete those individuals from your database? What if you collected information from a person who was 15 at the time, but is now 17?
Bang head on desk?
These issues will need to be fleshed out over the next few years in what will undoubtedly be protracted and expensive litigation.
Save Me Obi Wan Ken…Safe Harbor
Once upon a time, in a galaxy far, far away, there was a safe harbor agreement between the United States and the European Union that harmonized the differences in privacy law. Sadly, the Imperial Army [“NSA”] decided to hack the systems and email accounts of “terrorists” to protect the homeland. Apparently, the NSA thought the Presidents and Prime Ministers of various countries in Europe were potential terrorists. Individuals such as Angela Merkel were not amused, and compared the practice to the techniques used by the Stasi secret police of East Germany back in the bad old days.
Given the NSA efforts, an anti-US view on privacy issues developed over the last few years. Large American companies such as Google and Facebook have since taken a pounding in European courts over privacy issues. Matters recently came to a head when plucky rebel Max Schrems challenged the safe harbor agreement between the US and EU in formal litigation…and won. The European High Court invalidated the safe harbor agreement in the belief that the arrangement is a sham as long as the NSA is allowed to vacuum up data, including private information of Europeans, from companies without sufficient legal checks.
The EU and U.S. have subsequently been attempting to negotiate a new safe harbor agreement. Many legal authorities, including yours truly, have been holding out hope the agreement will eviscerate many of the burdensome requirements of the new GDPR. Initial reports suggest this is not the case, so American companies should be moving to comply with the requirements of the GDPR, including the new de facto 16 age limit for the collection of data from minors.
What It All Means
The time has come for companies to wake up and smell the ink on the new EU regulations. Unless 28 member countries all pass legislation to lower the default age of children detailed in Article 8, the new age limit for collecting information from children will be 16 for European traffic.
Unlike in the U.S. where the FTC takes a nihil video approach to COPPA enforcement, the EU goes with more of a Fabricati Diem, Punc attitude [very roughly – “Make my day, punk”.] The EU is, after all, the jurisdiction where Google was forced to provide Europeans with a tool to erase certain information from the search engine’s database. Given the utter failure of COPPA, it is not difficult to see the enforcement of Article 8 as a priority for regulatory agencies in the EU member states.
Richard A. Chapo, Esq.