France is about to pass legislation requiring parental approval for children under the age of 16 years who want to join Facebook and other social platforms (and thus share their personal data). What that means and what the fact that it is global news means.

December 13, 2017. Big news about draft legislation in France that would force children in the country under the age of 16 to get parental approval before they can sign up to Facebook (and other social networks).

What if France requires children under 16 years to get parental approval before joining Facebook? A first challenge is of course how you control such a thing (there are some technological ways but let’s not go there). And can Facebook comply with such a demand, knowing that the social network now stipulates that children must be 13 years old before joining?

The news is bothersome. Not the French draft regulation itself, but the fact that it is global news and that even the most prominent news agencies and media cover it as something pretty significant. So, let’s put that ‘Facebook parental approval French bill news’ a bit in perspective.


Facebook, social media/networks and money: the personal data playfield

On May 4th, 2016, a big piece of legislation, in the form of a Regulation, was published in the Official Journal of the European Union or EU. Just to make sure: the country of France is part of that European Union.

That Regulation, that everyone has been able to see and study since before it was published, is officially called “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC”.

Most people know it under a shorter name: the General Data Protection Regulation. Or even shorter: the GDPR.

The aim of that Regulation is to have a consistent legal framework for personal data protection for folks in the EU in this digital day and age where personal data are worth an awful lot and where some companies, which weren’t bound by too many rules regarding the usage of personal data, could pretty much do everything and become very very rich without anyone really knowing what they do with all this data. And everyone knows they do a lot with it, among others in partnership with more big online companies. These big companies are privately held and some, such as Facebook, claim they want to make the world a better place.

The controller shall make reasonable efforts to verify that consent is given or authorized by the holder of parental responsibility over the child, taking into consideration available technology (GDPR)

It’s always dangerous when privately held companies say such a thing, especially when they are known to be the favorite platforms for nice phenomena such as election interference, psychological manipulation, fake news and far more than that. Moreover, in the end the purpose of a social platform is to make money, right? And it’s in leveraging as much personal data as possible that an awful lot of money is made.

So, among others in order to try to limit the power and a historic total lack of transparency of these companies, which tend to be located outside of the European Union where some people value personal data (in fact, Facebook should really pay you because you join but that’s another story), that famous GDPR came with extra-territorial applicability.

Not just to limit some powers here and there of course but to protect personal data and boost the digital market with some rules levelling the playfield in which, well, some of these companies don’t exactly play on the same level.

The territorial scope within which that GDPR applies goes beyond the EU and, in general, is applicable to all companies processing personal data (and certainly behavioral data and whatever identifiers used for profiling) of people in that European Union. After all, it’s a global world and many people from across the globe and also from the EU use these services and get their personal data processed in whatever country for whatever purpose that in the end always spells m-o-n-e-y.

Who is really ready for the GDPR and its rules on the protection of personal data of children and profiling?

Most reasonable people who have used social networks and social media for a long time have seen how they have changed and what effect and power they can have. Just look at everything that happened in 2017 and how Facebook and Twitter have been instrumental in many things most reasonable people didn’t want.

So, it does make sense to maybe, just maybe, protect those personal data a bit better and, you know, limit some things that have gone out of control.

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements (GDPR, Article 4, ‘Definitions’)

The sad thing is that, despite all the warnings about heavy fines and penalties, the positive approach of saying “hey, you have an opportunity to better organize and even monetize what you do with data here” and the hundreds of hours people like us put in trying to make people a bit aware of why that personal data thing does matter, relatively few organizations have taken the trouble to really try to be compliant with that Regulation, let alone be aware of the GDPR and its impact. Or let’s put it another way: the board so far hasn’t cared that much, although that personal data protection thing really concerns everyone in the company, and there is somewhat of a disconnect between how GDPR-ready or GDPR-compliant companies think they are and the degree to which they are (if they truly started of course).

So, when we talk with some marketers we’re surprised when they say they don’t know that an email address or an IP address is considered an identifier and in that scope falls under the GDPR as it can make one identifiable. And when we talk with our friends who are active in IoT (Internet of Things) they look at us very strangely when we say that (the data) derived from RFID tags are online identifiers and fall under the scope of personal data protection as well in applications where natural persons are involved.

And, so, now it seems that the fact that France is preparing legislation that requires parental approval to open a Facebook or other social network/media account is global news.

What you must know now about parental approval in the scope of children’s personal data, regardless of where you are based

What France does here is nothing else than following the GDPR which applies as from May 25th, 2018. That GDPR is based upon principles of lawful processing and transparency.

And, as everyone has been able to read for close to two years now, it contains special rules for children, on top of the fact that it must be clear to everyone in the EU (in clear language) why and for which purposes the personal data he/she agrees to share to use a service like Facebook, or consents to share for anything whatsoever, will be used.

Those rules regarding children are pretty simple. Heck, you can even find them on this silly site. Let’s “translate” them:

Recital 38 of the GDPR: children just might be less aware about the processing of their personal data or regarding the risks and consequences of sharing them. Moreover, they really don’t understand legalese and probably might even find it harder than the average digital-savvy adult to even find for what exactly they are signing up and why these data they share will be really used by these big companies. So, let’s have specific protection for them, certainly when it concerns marketing, profiling and all those services, including indeed Facebook.

Chapter 2 of the GDPR, Article 8: let’s make the processing of personal data lawful when the child is at least 16 years old. And, you know what, let’s only make it lawful when the consent by the child is given or authorized by the parent or ‘holder of parental responsibility’. Not that parents always know better of course but, well, you know, if we can’t at least provide a little protection to our children. OK, but wait a minute: aren’t kids ‘adult’ faster than they used to be? Who knows? Well, let’s allow Member States to lower that age. But not below 13 years, OK? OK, Regulation agreed.

Problem: it seems that so few people know, even very big companies, looking at all the attention for the French draft legislation. It isn’t THAT complicated if you really want.

The problem for anyone offering services to children in the EU and not knowing these basic things: it’s up to the organization (controller) to demonstrate consent was given. You might get away with some historic stuff. But you definitely won’t get away with new subscribers of whatever age and when it concerns children it will only be worse.

Fortunately for companies, consent is not the only lawful basis for personal data processing. 

There are several legitimate interests, which often are seen as the better and more flexible options, but they cannot be used in all circumstances: a legitimate interest must clearly be identified as such, it must be shown that it requires personal data processing in the scope of the legitimate interest, and it must be weighed against the freedoms, rights and even interests of the data subject. Do also note that the legitimate interest, which can take many forms and shapes, including commercial ones, needs to be in your privacy notice.

You know what children often hate? Homework. Well, it’s time that organizations start doing their GDPR homework by the looks of it. Date of the exams: May 25th, 2018 and, barring unforeseen circumstances, all the days after that for several years to come. Those Europeans.


Top image: Shutterstock – Copyright: Twin Design