Minors, social media and sharenting (Article 1/3)

Introduction

The term "sharenting," derived from "share" and "parenting," defines the practice in which parents share details about their children's lives on social media (1). This becomes more complicated as children develop their ability to gain insight and make independent judgments about the content shared.

Sharenting poses risks for children. Children may develop a digital footprint before they are able to make informed decisions about their online identity, which may affect their future. Moreover, generative AI enables the creation of images and videos based on available visual data (2). For example, identity fraud related to sharenting may reach 7.4 million incidents by 2030 (3). Moreover, innocent photos of children, originally shared on social media and family blogs, constitute up to 50% of the content discovered on pedophile websites (4). Finally, sharenting exposes children to security risks such as stalking and abduction (5).

The practice of sharenting is paradoxical. Parents bear responsibility for the protection of their child, and at the same time share personal information, violating their child's privacy online (6). In this series of articles, the definition of sharenting is defined as, "The disclosure of information by parents to an indeterminate number of people, containing personal information about their identified or identifiable children in the form of photos, videos and posts via social media (7).

If you are interested in the methodological justification and further explanation of the scope of the articles, I refer you to the heading "methodological justification.

Rights of parents as processing controller and child as data subject

By engaging in sharenting, parents act as data controllers as they determine the purposes and means of processing their child's personal data (8). The child, being the identifiable or identified natural person, is the data subject (9). Although social media platforms may also act as data controllers in some cases (10), this article focuses on sharenting based on parental consent, where parents are identified as the initial data controller.

The AVG and the UAVG define the child as a data subject, but do not define what a child is (11). The UNCRC defines a child as someone under 18 years of age (12). However, under the AVG, consent-based processing of children's data requires parental consent if the child is under 16 (13). Therefore, in this article, "child" refers to persons under 16 years of age.

Parental consent as the legal basis

Consent of the data subject to the controller is one of the legal bases required for processing personal data. This also applies to special categories of personal data, which require explicit consent (14). Children, who are less aware of the risks involved in processing personal data, are entitled to specific protection (15). The UAVG provides specific rules regarding consent for the processing of children's personal data, which are applicable to the practice of sharenting: a child under the age of 16 requires the consent of a legal representative for the processing of their personal data (16). In this document, the legal representative is assumed to be the parent.

This mechanism of representation, where parents give their own consent, generally provides minors with protection from third parties (17). However, this is negated when parents give themselves permission to process the child's personal data by engaging in sharenting. In this scenario, the parents are united in the same capacity as the supposed protector of the minor, mar also the potential infringer (18). This is referred to as the sharenting paradox (19).

Revoke consent

Withdrawal of consent can terminate the processing of children's data. Although not explicitly mentioned in the AVG, however, it seems impossible for children in the Netherlands to invoke withdrawal of consent as a legal basis.

On the face of it, Article 7(3) AVG states that any data subject has the right to withdraw consent at any time. Upon closer inspection, more specific articles provide guidance only for consent given on behalf of the child and not for withdrawal. Parental consent for the child as a data subject is mentioned in Art. 8(1) AVG. However, this article does not apply in the case of sharenting, as sharenting is not a direct offer of information society services to a child, but to a parent (20).

Art. 5(1) UAVG fills this gap by stating that, in scenarios where Art. 8(1) AVG does not apply, the consent of a legal representative is still required if the child has not yet reached the age of 16. This article, read in conjunction with Art. 5 paragraph 3 UAVG provides that consent can be withdrawn at any time by the legal representative of the data subject. The possibility for a child to withdraw consent is not explicitly mentioned. Here, therefore, the law falls short.

The guidelines on consent issued by the European Data Protection Board (EDPB) fill this gap, stating that after reaching the age of digital consent, which is 16 years, the child has the opportunity to withdraw his or her own consent (21). If the child is under the age of digital consent, the withdrawal of consent is limited to the child's parent (22).

In the literature, the withdrawal of parental consent would be based on Article 5(4) UAVG (23), which explicitly states that the legal representative exercises the rights set forth in Chapter III of the AVG on behalf of the data subject who is under 16 years of age. However, withdrawal of consent is not described in Chapter III, but in Chapter II of the AVG (24). Chapter III focuses on the data subject's rights, such as the right to be forgotten.

Right to be forgotten

According to the AVG, every data subject has the right to be forgotten (25), which gives them control over their personal data (26). When data subjects withdraw their consent to processing and the processing becomes unlawful, data subjects can invoke the right to be forgotten (27). In the Netherlands, however, the parent exercises the rights set forth in Chapter III of the AVG, such as invoking the right to be forgotten based on the withdrawal of consent, on behalf of the data subject who is under 16 years of age and to the extent that the data subject is unauthorized or incompetent (28).

The right to oblivion cannot be invoked by the data subject under Article 17(1)(b) AVG, whereby the data subject withdraws his consent. As previously mentioned, parental consent can only be withdrawn by the data subject after he or she has reached the age of 16. In the case of a conflict where the child disagrees with the processing and wants to withdraw consent, he or she has no legal remedies to enforce being part of the decision-making process. Withdrawal of consent is exclusively reserved for the parents. Consequently, the child cannot invoke the right to be forgotten.

Alternative ways of invoking the right to be forgotten are only possible insofar as the person concerned is competent or capable. Whether someone is competent or competent is determined on a case-by-case basis. Persons in the 12 to 16 age group cannot be lumped together in terms of competence and capability, as this must be determined on an individual level.

Filing a complaint with the AP

Children under 16 may not file a complaint independently with the Personal Data Authority (AP). The AP explicitly states on its website that if you are under 16, you cannot file a complaint directly, but rather one of your parents or guardians must give parental consent or do so on your behalf through the procedure for filing a complaint (29). This restriction on children's ability to file a complaint independently is consistent with the paternalistic approach to minors mentioned earlier, which may overshadow children's privacy rights (30). This leads to the paradox that the parent who invades the child's privacy bears the right to file a complaint on behalf of the child as his protector.

Interim conclusion

In summary, the AVG's reliance on parental consent becomes problematic when parents give their own consent, creating the sharenting paradox. Children lack autonomy when parents give sharenting consent themselves, as parental consent is required for processing personal data of a child under 16. This also applies to withdrawal of consent and the right to be forgotten, which is only accessible to children after the child turns 16. In addition, the restrictions on children under 16 to file independent complaints with the AP raise concerns about effective protection.

Methodological justification
This series examines how children between 12 and 16 in the Netherlands can be given the opportunity to participate in sharenting decisions based on parental consent, without court intervention. The choice of this age category is explained in the second article in this series. This series of articles is based on an analysis of the General Data Protection Regulation (31), the UN Convention on the Rights of the Child (32), the General Data Protection Regulation Implementation Act (33), European and national privacy authority guidelines, and literature review. In this article, the definition of sharenting includes disclosure to an indeterminate group of persons, so the household exception does not apply and the AVG applies. If you would like to read more about this, I refer you to the following footnote (34).

The focus of this article is on children's participation in sharenting decisions based on parental consent under the above legislation. Therefore, it has limitations. Besides consent, no alternative bases from the AVG are explored. Also, this article is limited to children who are identifiable on the content their parents upload of them (35). In addition, portrait rights remain out of scope, given the aforementioned focus on the AVG, UAVG and UNCRC. Finally, this series only works toward the options that children should have on paper as a matter of law when "sharding" occurs. Actual enforcement of the rights advocated for in this series of articles can be accomplished by filing a complaint with the AP. For this, see the last article in the series. Going to court by children will not be discussed in this article.

1. Autenrieth U. (2018). Family photography in a networked age: Anti-sharenting as a reaction to risk assessment and behavior adaptation. In Mascheroni G., Ponte C., Jorge A. (Eds.), Digital parenting: The challenges for families in the digital age (pp. 219-232). The International Clearinghouse on Children, Youth and Media; Damkjaer M. S. (2018). Sharenting=good parenting? Four parental approaches to sharenting on Facebook. In Mascheroni G., Ponte C., Jorge A. (Eds.), Digital parenting: The challenges for families in the digital age (pp. 209-218). The International Clearinghouse on Children, Youth and Media; Steinberg Stacey B. (2017), "Sharenting: Children's Privacy in the Age of Social Media," Emory Law Journal, 66, 839-83.

2. Chadha, A., Kumar, V., Kashyap, S., & Gupta, M. (2021). Deepfake: an overview. In Proceedings of Second International Conference on Computing, Communications, and Cyber-Security: IC4S 2020 (pp. 557-566). Springer Singapore.

3. Coughlan, S. (2018). "'Sharenting' puts young at risk of online fraud," BBC News, May 21, 2018.

4. Battersby, L. (2015). Millions of social media photos found on child exploitation sharing sites. The Sydney Morning Herald.

5. Barnes, R., & Potter, A. (2021). Sharenting and parents' digital literacy: an agenda for future research. Communication Research and Practice, 7(1), 6-20.

6. Blum-Ross, A., & Livingstone, S. (2020). "Sharenting," parent blogging, and the boundaries of the digital self, Popular Communication, 15/2, pp. 110-125.

7. Brosch, A. (2018). Sharenting-Why do parents violate their children's privacy? The New Educational Review, 54, pp. 78-85.

8. Art. 4(7) AVG.

9. Art. 4(1) AVG.

10. Art. 4(7) AVG.

11. Milkaite, I., Verdoodt, V., Martens, H., & Lievens, E. (2017). The General Data Protection Regulation and children's rights: questions and answers for legislators, DPAs, industry, education, stakeholders, and civil society. Roundtable Report.

12. Art. 1 CRC.

13. Art. 8(1) AVG.

14. Art. 6(1)(a), Art. 9(2)(a) AVG.

15. Recital 38 AVG.

16. Art. 5(1) UAVG.

17. Steinberg Stacey B. (2017), "Sharenting: Children's Privacy in the Age of Social
    Media," Emory Law Journal, 66, 839-83.

18. Ní Bhroin, N., Dinh, T., Thiel, K., Lampert, C., Staksrud, E., & Ólafsson, K. (2022). The privacy paradox by proxy: Considering predictors of sharenting. Media and Communication, 10(1), 371-383.

19. Blum-Ross, A., & Livingstone, S. (2020). "Sharenting," parent blogging, and the boundaries of the digital self, Popular Communication, 15/2, pp. 110-125.

20. EDPB, 'Guidelines 05/2020 on consent under Regulation 2016/679, 4 May 2020 (Version 1.1), p. 27.

21. EDPB, "Guidelines 05/2020 on consent under Regulation 2016/679," 4 May 2020 (Version 1.1), p. 29

22. Zwenne, T. (2022). T&C Privacy and data protection law, comments on Art. 5 UAVG: Consent of legal representative.

23. De Klein, M. (2023). "Sharenting and a child's digital footprint - The legal options for the child to have the parent-created online identity erased." Media Forum 2023/3.

24. Art. 7(3) AVG.

25. Recital 65 and Article 17 AVG.

26. Ausloos, J. (2020) The right to erasure in EU data protection law Oxford, United Kingdom: Oxford University Press 2020.

27. Art. 17(1)(b) AVG.

28. Art. 5(4) UAVG.

29. AP, This is how you file your complaint with the AP.

    Link: https://www.autoriteitpersoonsgegevens.nl/jij-en-jouw-online-gegevens/zo-dien-jij- your-complaint-in-at-the-ap.

30. Hannema, T., "Children who complain ... are skipped, P&I 2020/113, Issue 3, pp. 98 - 102.

31. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJEU 2016, L 119/1) (AVG).

32. United Nations. (1989). Convention on the Rights of the Child. Treaty Series, 1577, 3. (CRC).

33. Rules implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJEU 2016, L 119) (General Data Protection Regulation Implementation Act) (UAVG).

34. What falls under a purely personal or household activity according to the preamble of the AVG is, for example, keeping an address book, conducting correspondence, as well as social networking. Does sharing content about the child, without a commercial purpose, then fall under social networking and thus under the exception of "household and personal activity"? The CJEU stated in the Lindqvist judgment that there is no question of a purely domestic and personal activity if personal data are made public on the Internet and these data are then accessible to an indefinite number of people. Where the exact boundary lies in applying the AVG and the purely domestic or personal activity exception to the scope of application is difficult to determine. Thus, on a case-by-case basis, we will need to determine whether a parent falls within the scope of the AVG or whether the parent's content sharing exception applies. For more information, please refer to https://www.mediaforum.nl/scripts/download.php?id=5696.

35. Art. 4(1) AVG.

Erdos, D. (2018). Intermediary publishers and European data protection: Delimiting the ambit of responsibility for third-party rights through a synthetic interpretation of the EU acquis. International Journal of Law and Information Technology, Volume 26, Issue 3, Autumn 2018, pp. 189-225.