This article is part of a series of three articles, published weekly. Last week's article briefly mentioned what rights children and parents have in the Netherlands when a parent engages in sharenting based on parental consent. This week's article discusses whether children from 12 to 16 should have a say in the processing of their personal data. The choice of this age group will be explained and the current regulation will be criticized. The current regulation aims to protect the child, but does not do this adequately and ignores the importance of involving children from 12 to 16 in decisions about their digital identity. Finally, the third and final article in this series will discuss what measures can be proposed to allow children from 12 to 16 to participate in decisions regarding sharenting based on parental consent in the Netherlands, without court intervention.
Protection
The AVG emphasizes the need for specific protection for children because of their vulnerability and highlights the potential risks associated with processing their personal data (1). The Article 29 Data Protection Working Party (WP29) believes that children are unable to consciously and deliberately oppose or consent to data processing activities (2). Therefore, the AVG provides that the "parental consent mechanism" (3) applies to children under the age of 16 (4). Despite the fact that the AVG aims to protect and safeguard children's privacy and personal identity (5), it fails to safeguard children's right to privacy and personal identity if they are subjected to sharenting (6). Moreover, vulnerable data subjects include those who face an imbalance in the relationship between the controller and the data subject (7). This is a characterization that applies to the relationship between a parent and a child in the case of sharenting, due to the child's dependence on the parent, regardless of whether the parent is sympathetic to the child in terms of processing the child's personal data (8).
Participation
WP29 recognizes that the best interests of the child may conflict with the requirement of consent of their legal representatives (9). In cases of conflicting interests, the general principles of the UNCRC, particularly focusing on the best interests of the child, may provide a solution (10). The CRC states in Article 18, among others, that the best interests of the child are paramount. However, it is difficult for a child to enforce this.
Children have a right to privacy, as stipulated in Art. 16 CRC (11). This article, in conjunction with Art. 12 CRC, emphasizes the need to include children's perspective in decisions that affect them. Moreover, Article 18 CRC states that the child is the very first concern of parents. Member States are urged to bring their legislation in line with the interpretation of the UNCRC by implementing the necessary measures (12). On the one hand, WP29 recognizes that the exercise of rights by children should be in accordance with their physical and mental stage of development (13). On the other hand, WP29 considers that children are not in a position to consciously and deliberately oppose or consent to data processing.
In the Netherlands, the age of 16 was chosen as the age at which a child no longer needs parental consent for data processing (14). During the consultation on the UAVG proposal, several parties noted that the age limit of 16 may not be in line with societal views on giving consent to children, but opted for a neutral implementation of the AVG at the time (15).
Children typically exhibit an increasing degree of autonomy from high school age, engaging in numerous services involving data processing (16). In several areas of Dutch law, the age of 12 is appropriate for children to make certain personal choices independently, while they can fully do so at 16 (17). This age limit is consistent with recent scientific research (18). In addition, research by Ofcom, the UK's independent media and communications regulator, suggests that children's commercial media literacy gradually increases between the ages of 12 and 15 (19).
Parents should consider a child's developmental stage, especially when creating a digital identity, because of the associated risks (20). Children must play a crucial role in protecting their personal data (21). Their increasing involvement in data protection, from consultation to decision-making by having them give or withdraw consent and invoke the right to be forgotten, should be actively implemented. Therefore, this article chooses the age limit of 12 years for withdrawing consent and invoking the right to be forgotten. For this reason, a child as young as 12 should be presumed competent to invoke these rights. These rights allow children to change perspective over time (22) and not be bound by choices made by their representatives in the past (23). In this article, the age limit chosen for giving consent is 13, not 12. Member States may legislate a lower age than 16 for this purpose, provided it is not lower than 13 (24).
The AP indicated that in 2019, only up to 1% of complaints concerned children (25). The AP even classified complaints about the processing of children's personal data under "various categories" in 2020 (26). Thus, it is not possible to find out how many complaints concerned children. This could be a positive sign, as there may be no reason to complain about violations of children's privacy. However, the literature claims that the opposite is true (27). Children made up one-third of all Internet users in 2016 (28). It is understandable that the AP prioritizes resources based on the prevalence of problems, given the large number of other complaints (29). This ignores the fact that the AP should be accessible for privacy violations involving children. Because complaints do not reach the AP, the importance of this issue goes unnoticed. The AP maintains this paradox (30). Moreover, given the earlier conclusion about children's need for participation, the AP should not exclude persons under 16 from filing complaints.
It is recommended that children aged 12 to 16 participate in decisions about the processing of their personal data. The AVG and the UNCRC emphasize the need for specific protection for children and recognize their vulnerability. The current regime aims to protect children but fails to do so, and ignores the importance of involving children in decisions about their digital identity. Considering the best interests of the child and allowing children aged 12 and 13 to participate in decisions would improve this protection. Given children's increasing autonomy from the age of 12 and social perspectives, the Netherlands should legislate a lower age limit for participation in this area. Moreover, the AP's exclusion of persons under 16 from filing complaints may hinder the recognition and resolution of privacy violations involving children, ignoring the importance of their participation in such processes.
This series examines how children between 12 and 16 in the Netherlands can be given the opportunity to participate in sharenting decisions based on parental consent, without court intervention. The choice of this age category is explained in the second article in this series. This series of articles is based on an analysis of the General Data Protection Regulation (31), the UN Convention on the Rights of the Child (32), the General Data Protection Regulation Implementation Act (33), European and national privacy authority guidelines, and a literature review. In this article, the definition of sharenting includes disclosure to an indeterminate group of persons, so the household exception does not apply and the AVG applies. If you would like to read more about this, I refer you to the following footnote (34).
The focus of this article is on children's participation in sharenting decisions based on parental consent under the above legislation. Therefore, it has limitations. Besides consent, no alternative bases from the AVG are explored. Also, this article is limited to children who are identifiable in the content their parents upload of them (35). In addition, portrait rights remain out of scope, given the aforementioned focus on the AVG, UAVG and UNCRC. Finally, this series only works toward the options that children should have on paper as a matter of law when sharenting occurs. Actual enforcement of the rights advocated for in this series of articles can be accomplished by filing a complaint with the AP. For this, see the last article in the series. Court proceedings brought by children will not be discussed.
(1) Recital 38, Recital 58, Recital 65, Recital 71, Recital 75, Art. 6(1)(f), Art. 8, Art. 12, Art. 40(2)(g) and Art. 57(1)(b) AVG.
(2) Art 29 Working Party, "Guidelines on Data Protection Impact Assessment (DPIA) and Determining Whether Processing Is "Likely to Result in a High Risk" for the Purposes of Regulation 2016/679" (WP 248, October 4, 2017).
(3) Piasecki, S., Chen, J., Complying with the GDPR when vulnerable people use smart devices, International Data Privacy Law, Volume 12, Issue 2, May 2022, Pages 113-131.
(4) Art. 8 AVG; Tikkinen-Piri, C., Rohunen, A., & Markkula, J. (2018). EU General Data Protection Regulation: Changes and implications for personal data collecting companies. Computer Law & Security Review, 34(1), 134-153.
(5) Donovan, S. (2020). 'Sharenting': The forgotten children of the GDPR. Peace Human Rights Governance, 4(Peace Human Rights Governance 4/1), 35-59.
(6) Van der Hof, S. (2016). I agree, or do I: a rights-based analysis of the law on children's consent in the digital world. Wis. Int'l LJ, 34, 409.
(7) Art. 29 Working Party, 'Guidelines on Data Protection Impact Assessment (DPIA)' (n 9), p.10.
(8) Ibid 42.
(9) Art 29 Working Party, 'Opinion 2/2009 on the protection of children's personal data (General Guidelines and the special case of schools)' (WP 160, 11 February 2009), p. 4.
(10) WP 160, February 11, 2009, p. 19.
(11) Verdoodt, V., & Lievens, E. (2017). The AVG viewed from a children's rights perspective: pluses, sticking points & issues. Computer Law 2017/155, Issue 4, pp. 230-236.
(12) WP 160, February 11, 2009, p. 19.
(13) WP 160, Feb. 11, 2009, p. 3.
(14) Art. 5(1) UAVG.
(15) Parliamentary Papers II 2017/18, 34851, 3, pp. 93 - 94.
(16) Zwenne, T. (2022). T&C Privacy and data protection law, comment on Art. 5 UAVG: Consent of legal representative.
(17) Council for Health and Society (2018). Summary Age limits: Better opportunities for vulnerable young people, p. 12.
(18) Bruning, M. R., Smeets, D. J. H., Bolscher, K. G. A., Peper, J. S., & De Boer, R. (2020). Child in process: from communication to effective participation-the hearing rights and litigation position of minors in family and juvenile cases. Meijers series.
(19) OfCom, U. K. (2016). Children and parents: media use and attitudes report. London: Office of Communications London.
(20) De Klein, M. (2023). "Sharenting and a child's digital footprint - The legal options for the child to have the parent-created online identity erased." Media Forum 2023/3.
(21) WP 160, Feb. 11, 2009, p. 20.
(22) Recital 65 AVG.
(23) Buitelaar, J.C., Child's best interest and informational self-determination: what the GDPR can learn from children's rights, International Data Privacy Law, Volume 8, Issue 4, November 2018, Pages 293-308.
(24) Art. 8(1) AVG.
(25) AP (2020), 'Complaint reporting: facts & figures. Overview 2019,' p. 4.
(26) AP (2020), 'Complaint reporting: facts & figures. Overview 2019,' p. 8.
(27) Hannema, T., 'Children who complain ... are skipped', P&I 2020/113, Issue 3, pp. 98 - 102.
(28) Lievens, E. (2016). Wanted: evidence base to underpin a children's rights-based implementation of the GDPR. LSE Media Policy Project Blog.
(29) Hannema, T., 'Children who complain ... are skipped', P&I 2020/113, Issue 3, pp. 98 - 102.
(30) Hannema, T., 'Children who complain ... are skipped', P&I 2020/113, Issue 3, pp. 98 - 102.
(31) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJEU 2016, L 119/1) (AVG).
(32) United Nations. (1989). Convention on the Rights of the Child. Treaty Series, 1577, 3. (CRC).
(33) Rules implementing Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJEU 2016, L 119) (General Data Protection Regulation Implementing Act) (UAVG).
(34) What falls under a purely personal or household activity according to the preamble of the AVG is, for example, keeping an address book, conducting correspondence, but also social networking. Does sharing content about the child, without a commercial purpose, then fall under social networking and thus under the exception of "household and personal activity"? The CJEU stated in the Lindqvist judgment that there is no question of a purely domestic and personal activity if personal data are made public on the Internet and these data are then accessible to an indefinite number of people. Where the exact boundary lies in applying the AVG and the purely domestic or personal activity exception to the scope of application is difficult to determine. Thus, on a case-by-case basis, we will need to determine whether a parent falls within the scope of the AVG or whether the parent's content sharing exception applies. For more information, please refer to https://www.mediaforum.nl/scripts/download.php?id=5696.
(35) Art. 4(1) AVG.