The EU General Data Protection Regulation (GDPR) strengthens and expands data subjects’ rights, and brings significant changes to both consent requirements and the rights of children.
Consent must be given with a “clear affirmative action”, which nullifies opt-out options such as pre-ticked boxes. Consent requests also need to cover the specific processing details, the type of information requested, the purposes of the processing and any special aspects that may affect the individual, such as disclosures.
Additionally, requests need to be written simply and in a way that’s appropriate for their target audience.
Age of consent
Individuals will only be able to give consent if they are over a certain age. Under the GDPR, the default age at which this happens is 16, but the Regulation allows member states to adjust that limit to anywhere between 13 and 16. For example, the UK, the Republic of Ireland and Spain are expected to set the age at 13, Germany and the Netherlands will stick with 16 and Austria is opting for 14.
If an organisation is trying to collect the data of a person younger than this, consent needs to be given by someone with “parental responsibility”. The organisation must also make “reasonable efforts” to verify that the person providing that consent is indeed a parental figure.
There is an exception to this. Minors have autonomy over any data that’s collected “in the context of preventative or counselling services offered directly to a child”. This means that, for example, if a child tells a teacher that they are being abused, the school doesn’t need to get consent from the parental figure to report the incident to the authorities.
Stopping organisations from processing your personal data
Under the GDPR, individuals can request that an organisation stops processing their personal data if it was collected using consent. If an individual is under the set age threshold, they will need to speak to their parents or guardians to withdraw consent.
However, consent is only one of six lawful grounds for processing data, and it’s generally the least preferable option. Therefore, organisations will probably adopt an alternative ground wherever possible:
- A contract with the individual: for example, to supply goods or services they have requested, or to fulfil an obligation under an employee contract.
- Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement.
- Vital interests: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s).
- A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and other educational institutions; hospitals and the police.
- Legitimate interests: when a private-sector organisation has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided it is not outweighed by negative effects to the individual’s rights and freedoms.
Organisations need to stipulate which ground they are using when they collect the data, and, as long as this basis remains valid, they will probably be allowed to continue processing even if an individual doesn’t want them to.
For example, a child (whether below the age threshold or not) would have no recourse if they wanted to stop their school from sharing legitimately collected personal data with their parents.
However, there is a very large caveat to this. Anyone, including children, would be able to stop an organisation processing and sharing personal data if consent is withdrawn (where it was relying on consent) or if the individual or parental figure successfully argues that one of their data subject rights applies.
There’s much more to learn
The GDPR is a complex law, and consent and data subject rights are just one part. Those who want to learn more about how the Regulation will affect them should read EU General Data Protection Regulation – A Compliance Guide.
This free green paper provides an overview of the key changes introduced by the GDPR and how you can prepare for them.