Article 8 - Conditions applicable to child’s consent in relation to information society services

“There can be no keener revelation of a society’s soul than the way in which it treats its children.”

  — Nelson Mandela, Former President of South Africa

The above quote speaks volumes about a society that thinks about its children. Time has proved that children are the hope of tomorrow, and if they are not cared for today, we ruin not only the child’s future but also that of society as a whole.

The GDPR has special provisions with this in mind. It lays emphasis on children’s consent, since children are not capable of voicing their opinions or of understanding the seriousness of ticking a box for an organisation, an act which could have serious repercussions at a future date.

Article 8 of the GDPR enumerates the conditions applicable to children’s consent, which are as follows:

  1. “Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
    Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
  2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
  3. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.”

The heading mentions information society services. What does this term mean? As per Directive (EU) 2015/1535 of the European Parliament and of the Council, it means any service provided in exchange for remuneration. The service is provided at a distance, through electronic means, and at the request of an individual.

The above conditions place the onus on the data controller, i.e. the organisation offering the services, to check the age of the child who is accepting them. It is the organisation that must ensure that the child meets the age limit prescribed by the GDPR and by law. Not just the GDPR but also local laws should be interpreted when formulating guidelines for dealing with children.

If the conditions mentioned above are not complied with, the processing of the personal data shall not be lawful.
