Article 8*
Article 8 – Processing of personal data of a child
Commission Proposal
1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child’s parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.
2. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child. 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable consent referred to in paragraph 1. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises. 4. The Commission may lay down standard forms for specific methods to obtain verifiable consent referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2). |
Go to related Recital 11 – Go to related Recital 25 – Go to related Recital 29
EDRi’s proposed amendment
1. For the purposes of this Regulation, in relation to the offering of 2. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child. 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable consent referred to in paragraph 1. 4. The Commission may lay down standard forms for specific methods to obtain verifiable consent referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2). |
Justification
The increased protection of children below the age of 13 should not be restricted to information society service; it should rather be extended to all services offered directly to them.
Additionally, rules for the processing of personal data of children, including methods to obtain verifiable consent, must apply alike for enterprises of all sizes. Relieving smaller enterprises will lead to a gap in the protection of minors given the fact that company size does not relate to the number of records of data subjects (including minors). Furthermore, the size of a business in the digital environment often has little or no relationship to its financial power – the sale of Instagram – which had only ten employees – at the time for a sum of one billion dollars being an example of this.