The fundamental right to the protection of personal data as enshrined in Art. 8 (1) of the Charter of Fundamental Rights of the European Union (PDF) as well as the right to informational self-determination, derived from Art. 2 (1) and 1(1) of the German Constitution are not exclusive right of adults. Also children’s personal data are protected by these fundamental rights and consequently by the European Data Protection Directive (Directive 95/46/EC) or the respective national laws.
But if it comes to the practical compliance for companies, for example if you want to develop an app for children, European data protection laws currently will leave providers alone with an answer to the question, when a consent by minors might serve as the legal basis for the processing of their data.
German Data Protection Laws
Different from the Children’s Online Privacy Protection Act (COPPA) in the United States (setting forth the relevant rules for Website operators that are collecting information from children under the age of thirteen), neither the European Data Protection Directive nor German data protection laws contain specific provisions for the use of personal data by minors. In Germany, according to the prevalent opinion, the data controller, the entity in charge of the data processing operations, will instead have to assess, if the child possesses the capability to consent to the respective processing of personal data. This requirement will only be fulfilled, if the minor fully understands and overseas the consequences arising from the data processing operations. In the end, this might lead to a case-by-case assessment of each data processing operation.
In a recent decision by the Higher Administrative Court of Lüneburg (Germany, Case No. 11 LC 114/13), the judges held that the consent by a child might in general be invalid, if the child had not yet reached at least the age of 14 years. Even more severe, in the year 2012, the Higher Regional Court of Hamm (Germany, Case No. I-4 U 85/12) decided that one can’t assume that children between the age of 15 and 18 years would always possess the required capability to oversee the consequences of the respective data processing operations. The latter case concerned the processing of personal data for a sweepstake. Already these two decisions show that the respective data controller will not be able to rely on certain age limit as a secure legal ground for consent.
For the examination of the legitimacy of a consent by a child, one will have to consider finding its appropriate legal classification in order to apply, in a second step, the relevant legal requirements for its validity. With respect to German data protection laws, there exists a discussion on the general nature of consent, not only with respect to children. Whether it has to be considered as a declaration of intent (in the sense of German contract law) or if it only can be classified as a ‘real act’ or a ‘factual act’. Depending on the result, the rules for legal transactions of the German Civil Code (Devision 3) might apply or not.
(Future) European Data Protection Laws
The Article 29 Working Party (Art. 29 WP), an independent European advisory body on data protection and privacy, formed by representatives of the national data protection authorities, examined the protection of children’s personal data in its Opinion 2/2009 (PDF). With regard to the question if children can give valid consent to the processing of their own data, the Art. 29 WP didn’t take a clear position but referred to applicable local regulations, where consent might be considered valid in specific situations, like in cases of marriage, employment or religious matters. Just like in Germany, the Art. 29 WP additionally referred to the children’s “level of physical and psychological maturity” which must be taken into account.
If we take a look ahead, the proposal for a General Data Protection Regulation (COM(2012) 11, PDF; presented by the European Commission in January 2012 and currently debated in the European Council), which, when finally enacted, will replace the existing Data Protection Directive, specifically refers to the protection of personal data of children. Recital 29 of the proposal states that “Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data”. Furthermore, Article 8 of the proposal defines a specific age as the legal boundary for data processing operations. According to Article 8 (1) “the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child’s parent or custodian”. But, according to Article 8 (2) of the proposal, this provision shall not affect the general contract law of Member States.
Current European data protection laws will leave data controllers alone if they search for a definite statement, when the consent of a child will be considered valid. Companies should therefore not necessarily base their data processing operations solely on such a consent but try using other legal grounds, like a contract or obtain the consent of the parents. Under future data protection laws, we might see the introduction of definitive age limits, which might bring some clarity for data controllers, but also raise the question, if strict age limits seem appropriate in a digitized world, where children by the age of 6, 7 or 8 perfectly know how to browse the Internet, use social networks or handle apps on smartphones?