![Sample our Law journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5942/TOC-Subject-Sample-2021-Law.jpg"})
ABSTRACT
This article considers some complexities surrounding the determination of child competency in matters of data protection. Focusing on the Information Commissioner's Office (ICO) guidelines, the article highlights the apparently pivotal role competency plays in granting children the ability to exercise their data protection rights and interests. The article critically examines the inherent challenges arising from the ICO's approach, emphasising the reliance on data controllers to independently assess the competency of child data subjects. The inherent problematic nature of this approach is scrutinised, shedding light on potential shortcomings and raising questions about the effectiveness and fairness of such assessments.
Disclosure statement
No potential conflict of interest was reported by the author(s).
Notes
1 For example, a key driver behind the recent enactment of the Online Safety Act 2023 was the desire to protect children from harms arising from uses of digital technologies and participation in digital environments.
2 S Livingstone, M Stoilova and R Nandagiri, ‘Children’s data and privacy online: Growing up in a digital age. An evidence review.’ [2019] London School of Economics and Political Science.
3 (Retained EU Legislation) Regulation (EU) 2016/679 (United Kingdom General Data Protection Regulation) (UK GDPR). Available at: https://www.legislation.gov.uk/eur/2016/679/contents
4 ICO (2018) Children and the GDPR. Available at: https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/children-and-the-gdpr-1-0.pdf
5 For example, the United Nations Convention on the Rights of the Child, specifically requires that the evolving capacities of children, including their ability to exercise autonomy and make decisions, is respected where appropriate.
6 See, for example: E Lievens and V Verdoodt, ‘Looking for needles in a haystack: Key issues affecting children’s rights in the General Data Protection Regulation’ [2018] 34(2) Computer Law & Security Review 269–78; J C Buitelaar, ‘Child’s best interests and informational self-determination: what the GDPR can learn from children’s rights’ [2018] 8(4) International Data Privacy Law 293–308; K La Fors, ‘Legal Remedies for a Forgiving Society: Children’s rights, data protection rights and the value of forgiveness in AI-mediated risk profiling of children by Dutch authorities’ [2020] 38 Computer Law & Security Review 105430; E Nottingham, C Stockman and M Burke. ‘Education in a datafied world: Balancing children’s rights and school’s responsibilities in the age of Covid 19’ [2022] 45 Computer Law & Security Review 105664.
7 See, for example: M Taylor et al, ‘When can the Child Speak for Herself? The Limits of Parental Consent in Data Protection Law for Health Research’ [2018] 26(3) Medical Law Review 369–91.
8 Article 4(1) UK GDPR defines personal data as “any information relating to an identified or identifiable natural person”.
9 Information society services are defined by Article 1(1)(b) Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (codification) as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.” See also: Section 9 Data Protection Act 2018.
10 Article 15 UK GDPR.
11 Article 16 UK GDPR.
12 Article 17 UK GDPR.
13 See; Recital 65 UK GDPR and ICO (n3) 42.
14 Ibid.
15 Ibid, 16.
16 Article 4(11) UK GDPR specifies that a data subject’s consent will only be valid where it is freely given, specific, informed and unambiguous. Article 7 of the UK GDPR sets out further requirements that must be satisfied for a data subject’s consent to be valid.
17 ICO (n 4) 17.
18 Ibid, 41.
19 Ibid.
20 Ibid, 16.
21 Ibid, 17.
22 A Kolber, ‘Smoothing Vague Laws’ in G Keil and R Poscher (eds), Vagueness and Law: Philosophical and Legal Perspectives (OUP 2016).
23 For example, Essex County Council and Barnet London Borough Council have both adopted guidelines which establish Gillick competence as a threshold for children exercising their data protection rights and interests. See: Essex County Council [2023] Subject Access: A Parent’s Guide (available at: https://www.essex.gov.uk/sites/default/files/migration_data/files/assets.ctfassets.net/knkzaf64jx5x/7yENkAuTZlNvUmizglaiD9/3e1b8e1f7df3dc6ffd837e8591abffa5/Parental-Guardian_Guide_to_Service_access_request.pdf); Barnet London Borough Council [2015] Barnet Partnership Information Sharing Protocol (available at: https://www.barnet.gov.uk/sites/default/files/assets/citizenportal/documents/councilanddemocracy/2015JulyInformationSharingProtocol.PDF).
24 Health Service Notice (H.N. (80) 46).
25 Gillick v. West Norfolk and Wisbech Area Health Authority and Another [1982 G. No. 2278] [1984] Q.B. 581 at 588
26 Health Services Management. Family planning services for young people. Advance copy LASSL(81)2. Later issued as HN(81)5. WHN(81)5 Department of Health and Social Security, 1980.
27 Gillick v West Norfolk and Wisbech Area Health Authority [1985] 3 All ER 402 at 421.
28 Ibid, 409.
29 Ibid, 410.
30 Ibid, 423–24.
31 Despite having become widely used in medical and other contexts, the application of Gillick competence has not been without controversy. Due to various ethical challenges associated with the concept some observers, for example, have described it as having endured a “tortured history”. See: N Lennings, ‘Forward, Gillick: Are competent children autonomous medical decision makers? New developments in Australia’ [2015] 2(2) Journal of Law and the Biosciences 459–68.
32 Re C (Adult: Refusal of Treatment) [1993] 1 FLR 31.
33 P Boddington and M Gregory, ‘Adolescent Carrier Testing in Practice: The Impact of Legal Rulings and Problems with “Gillick Competence”’ [2008] 17 Journal of Genetic Counselling 509–21.
34 Re R (A minor) (Wardship: Consent to treatment) [1991] 3 WLR 592.
35 A Hanlon and K Jones, ‘Ethical concerns about social media privacy policies: do users have the ability to comprehend their consent actions?’ [2023] Journal of Strategic Marketing.
36 See: J Zhao et al, ‘’I make up a silly name’: Understanding Children’s Perception of Privacy Risks Online’ [2019] 106 CHI’19: Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems 1–13; S Livingstone, L Haddon and A Görzig, Children, Risk and Safety on the Internet: Research and Policy Challenges in Comparative Perspective (Policy Press 2012).
37 V Mayer-Schonberger and K Cukier, Big Data: A Revolution That Will Transform How We Live, Work and Think (John Murray 2013).
38 Gillick v West Norfolk and Wisbech Area Health Authority [1985] 3 All ER 402 at 424.
39 P Boddington and M Gregory (n 33).
40 Ibid. See also: E Cave, ‘Goodbye Gillick? Identifying and resolving problems with the concept of child competence’ [2014] 34(1) Legal Studies 103–22.
41 For an overview of some notable data protection and privacy-related risks arising in the biobanking context, see: T Kasperbauer et al, ‘Communicating Identifiability Risks to Biobank Donors [2018] 27(1) Cambridge Quarterly of Healthcare Ethics 123-136; M Morrison et al, ‘The European General Data Protection Regulation: challenges and considerations for iPSC researchers and biobanks [2017] 12(6) Regenerative Medicine 693–703.
42 S Jurgens et al, ‘Analysis of rare genetic variation underlying cardiometabolic diseases and traits among 200,000 individuals in the UK Biobank’ [2022] 54(3) Nature Genetics 240–50.
43 Research has shown that revelations of this sort, following the analysis of genetic data, can in some instances have negative psychological impacts on affected persons. See: S Sanderson et al, ‘Psychological and behavioural impact of returning personal results from whole-genome sequencing: the HealthSeq project’ [2017] 25(3) European Journal of Human Genetics 280–92.
44 See, for example: J van Dijk, The Digital Divide (Polity 2020).
45 See, for example: UNICEF, Closing the Digital Divide for Good: An end to the digital exclusion of children and young people in the UK (UNICEF 2021), available at: https://www.unicef.org.uk/wp-content/uploads/2021/06/Closing-the-Digital-Divide-for-Good_FINAL.pdf
46 See, for example: G Watts, ‘COVID-19 and the digital divide in the UK’ [2020] 2(8) The Lancet.
47 UNICEF (n 45).
48 See: M Albers, Realizing the Complexity of Data Protection. in Gutwirth and others (eds), Reloading Data Protection (Springer 2013) 213–35; L Pleger, K Guirguis and A Mertes, ‘Making public concerns tangible: An empirical study of German and UK citizens’ perception of data protection and data security’ [2021] 122 Computers in Human Behaviour 106830.
49 M Duplaga, ‘Digital divide among people with disabilities: Analysis of data from a nationwide study for determinants of Internet use and activities performed online’ [2017] 12(6) PLoS ONE; T Wu et al, ‘Is digital divide an issue for students with learning disabilities?’ [2014] 39 Computers in Human Behaviour 112–17.
50 J Brierley and V Larcher, ‘Adolescent autonomy revisited: clinicians need clearer guidance’ [2016] 42(8) Journal of Medical Ethics 482–85; C Fenton, ‘Is consent causing confusion for clinicians? A survey of child and adolescent Mental Health professional’s confidence in using Parental Consent, Gillick Competence and the Mental Capacity Act’ [2020] 25(4) Clinical Child Psychology and Psychiatry 922–31; D Hunter and B Pierscionek. ‘Children, Gillick competency and consent for involvement in research’ [2007] 33(11) Journal of Medical Ethics 569–662.
51 R Griffith, ‘What is Gillick competence?’ [2016] 12(1) Human Vaccines and Immunotherapeutics 244–47.
52 H Pearce. ‘A proposal for a new risk-based licensing approach to disclosing anonymised data under the (UK) Freedom of Information Act 2000 [2021] 30(2) Information & Communications Technology Law 108–39.
53 N Zimmerman, ‘Gillick Competence: An Unnecessary Burden’ [2019] 25(1) A Multidisciplinary Journal of Biotechnology and the Body.
54 C Jensen and C Potts, ‘Privacy policies as decision-making tools: an evaluation of online privacy notices’ [2004] Proceedings of the SIGCHI Conference on Human Factors in Computing Systems 471–78.
55 Recital 58 UK GDPR.
56 See: C Ciochetti, ‘E-Commerce and Information Privacy: Privacy Policies and Personal Information Protectors’ [2007] 44(55) American Business Law Journal 110–26.
57 Y Meier, J Schäwel and N Krämer, ‘The Shorter the Better? Effects of Privacy Policy Length on Online Privacy Decision-Making’ [2020] 8(2) The Politics of Privacy: Communication and Media Perspectives in Privacy Research.
58 L Desimpelaere, L Hudders and D Van de Sompel, ‘Knowledge as a strategy for privacy protection: How a privacy literacy training affects children’s online disclosure behaviour’ [2020] 110 Computers in Human Behaviour 106382; E Vanderhoven, T Schellens and M Valcke, ‘Changing Unsafe Behaviour on Social Network Sites. Collaborative Learning vs. Individual Reflection’ in Walrave and others (eds), Youth 2.0: Social Media and Adolescence (Springer 2016) 211–26.
59 To this end, a tiered competency model would bear resemblance to models of tiered consent that have been proposed for use in other settings involving collections and uses of personal data. See: H Kim et al, ‘iCONCUR: informed consent for clinical data and bio-sample use for research’ [2017] 24(2) Journal of the American Medical Informatics Association 380-387; E Bunnik et al, ‘A tiered-layered-staged model for informed consent in personal genome testing’ [2013] 21 European Journal of Human Genetics 596–601.
60 J Piaget, ‘Intellectual Evolution from Adolescence to Adulthood’ [1972] 15(1) Human Development 1–12; K W Fischer and L Silvern, ‘Stages and Individual Differences in Cognitive Development’ [1985] 36 Annual Review of Psychology 613–48.
61 See, for example: H Pearce, ‘Brexit and Data Protection Law: A Missed Opportunity for Innovative Reform?’ in E Celeste et al (eds), Data Protection and Digital Sovereignty Post-Brexit (Hart 2023) 35–58.
62 For example, Digital Compass by Common Sense Education is an online game that is designed to teach children about fundamental aspects of digital citizenship through interactive choose-your-own-path activities. Common sense, 'Ready to play Digital Compass?' (Digital Compass) <https://www.digitalcompass.org/> accessed 15 December 2023.
63 L Bioglio et al, ‘A Social Network Simulation Game to Raise Awareness of Privacy Among School Children’ [2019] 12(4) IEEE Transactions on Learning Technologies 456–69.
64 L Zhang-Kennedy, Y Abdelaziz and S Chiasson, ‘Cyberheroes: The design and evaluation of an interactive ebook to educate children about online privacy’ [2017] 13 International Journal of Child-Computer Interaction 10–18; P Kumar et al, ‘Co-designing online privacy-related games and stories with children’ [2018] Proceedings of the 17th ACM Conference on Interaction Design and Children 67–79.
65 On this issue, see: Y Liu et al, ‘The Effect of Privacy Fatigue on Privacy Decision-Making Behavior’ [2023] Proceedings of the Human Factors and Ergonomics Society Annual Meeting.
66 D Reinhardt, J Borchard and J Hurtienne, ‘Visual Interactive Privacy Policy: The Better Choice?’ [2021] Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems 1–12.