European law is a key foundation of data protection law.
The 1995 Data Protection Directive provides a comprehensive system of protection of the right to control the use of our personal data. The Lisbon Treaty further enhanced the status of the right to data protection by making it a treaty obligation.
The treaty also gave enhanced status to the EU’s Charter of Fundamental Rights. Article 8 guarantees everyone the right to protection of personal data, fair processing based on consent, and access to data concerning him or her. It also states that these rights should be subject to the control of an independent authority.
The EU Commission has proposed a strengthening of EU law on data protection, in the form of a directly-applicable regulation applying uniformly across the union. This would ensure that European residents would have rights to control the collection and use of their personal data wherever they are and whoever has collected it. It also provides that these European protections would apply to any organisation providing services to EU residents, irrespective of whether they are based in the EU or not.
This is particularly important in the internet age, when a service can be provided from any part of the globe. Many services used by children are of this nature.
What is particularly significant in the proposed new law is the explicit recognition of the need to give special attention to the data protection rights of children. There is a separate article — Article 8 — dealing specifically with the protection of the personal data of children. This provides that the personal data of a child under 13 cannot be processed without the consent of a parent or guardian.
It also provides that companies must take reasonable steps to verify such consent — easier said than done in view of the reports of the number of under-13s that are operating on social networks.
The regulation also provides that, where services are targeted at children, there is a particular obligation to convey information in a way that is intelligible to the child. It imposes an obligation on companies to carry out a privacy impact assessment when a proposed service involves large-scale processing of the personal data of children.
The so-called “right to be forgotten” is given particular emphasis in relation to personal data made available. Finally, data protection authorities are required to give specific attention to children when discharging their duty to promote awareness of data protection and the risks to it.
As a national data protection authority, we have been doing our best to get across the data protection message to young people.
In particular, we developed and distributed to all schools in the country a guide to data protection when using electronic media. It is particularly targeted at teachers delivering the CSPE syllabus but is also relevant to other subject areas.
Indeed, we have been happy to see questions asking about data protection in the Leaving Certificate exams.
We have also addressed the data protection rights of children in our guidance notes dealing with the issues of CCTV and biometric attendance systems in schools and on the age of consent. Our data protection law does not set a minimum age for exercising the rights that it grants to each individual. Under our law, a person under 18 is entitled to assert their data protection rights, including the right to demand a copy of information held about them by organisations that they deal with.
But the challenge in trying to ensure that children know how to protect themselves and their data — especially when online — is quite significant. Sharing often very personal information on social networks is now the norm among children — often of a very young age — as a seamless extension to their real-life interactions with their friends.
Educating children on how to protect themselves online must now be seen as no less important than other forms of protection.
And especially getting across the message that, once personal data is “out there” on the internet it is very difficult — in practice, often impossible — to delete it.
Equally, that there is a huge difference between having a face-to-face conversation between friends, leaving no trace, and the permanent record of an equivalent conversation online.
We must also recognise that data protection must sometimes be reconciled with the need to respect the best interests of the child. So, for example, the law permits sharing of personal data where this is necessary for child protection purposes.
Balance and proportionality are the key issues in this area.
* Billy Hawkes is the Data Protection Commissioner and keynote speaker at the recent Children’s Rights Alliance conference on EU law
© Irish Examiner Ltd. All rights reserved