81. Deputy Gino Kenny asked the Minister for Justice and Equality his views on whether it is insufficient to rely on digital consent as a means to protect children’s data in view of the fact it places an excessive burden on parents to be active in the digital world; his further views on whether restrictions should be imposed on the data controllers forbidding them to use children’s data for marketing or commercial purposes; his plans to ensure that data controllers take responsibility in data breaches or undue commercial targeting of children’s data while using their platform; and if he will make a statement on the matter. (Question 9023/18 asked on 17 Apr 2018)

Minister for Justice and Equality (Deputy Charles Flanagan): The position is that while the data protection rights and protections that generally apply to adults under the General Data Protection Regulation (GDPR) also apply to children, the GDPR acknowledges that the personal data of children merit specific protection and it includes a number of specific measures for the protection of children in addition to the “digital age of consent”. 

For example, Article 6.1(f), which generally permits processing of personal data where necessary for the purposes of the “legitimate interests” of a controller that is not a public authority, may not be relied upon where such interests are overridden by the interests or fundamental rights and freedoms of a data subject, in particular where the data subject is a child.  Recital 38 states that specific protections “should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services”.

In addition, Article 12, which obliges controllers to provide information to data subjects on the processing of their personal data in a “concise, transparent, intelligible and easily accessible form”, states that its provisions shall apply “in particular for any information addressed specifically to a child.”

Recital 65 states that the right to erasure (set out Article 17) is relevant “in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet.

Article 57, which requires data protection authorities to promote public awareness and understanding of the risks, rules, safeguards and rights in relation to data processing, states that activities addressed specifically to children must receive specific attention. 

Arising from recent discussions in the Seanad on the protection of children in the context of the Data Protection Bill 2018, I brought forward two new sections for inclusion in the Bill, namely sections 31 and 32. Section 31 makes provision for the drawing up and implementation of codes of conduct intended to contribute to the proper application of the GDPR with regard to the protection of children, as permitted under Article 40 of the GDPR. Subsection (2) provides for consultations with relevant stakeholders, including children and bodies representing their interests, during that process. Section 32 goes on to make specific provision for an enhanced “right to be forgotten” in the case of children in accordance with Article 17 of the GDPR.  

I am engaged with my colleagues, Ministers Naughten, Zappone and Bruton to bring forward proposals to enhance protections for children online.