OCommICISSP 2019 Abstracts

Short Papers
Paper Nr: 1

Children as Vulnerable IoT Users and GDPR.


Denise Amram

Abstract: Article 8 of the General Data Protection Regulation Reg. EU 679/2016 states that in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. This means that where the child is below the age of 16 years, such processing shall be lawful only if that consent is given (or authorised) by the holder of parental responsibility over the child. In addition, the GDPR affirms that national legislations may provide by law for a lower age in Member States, but such lower age shall not be below 13 years. By now, the age for those purposes has been decreased to 13 yrs old in Belgium, Denmark, Portugal, Sweden, 14 yrs old in Austria, 15 yrs old in France and Greece, 16 yrs old in Ireland, Luxembourg, Lithuania, Latvia, Malta, and The Netherlands. Does a “legal” term really protect children from risks emerging in the IoT services like privacy and security concerning? How can we prove that a consent on a data processing achieved from a 13 yrs old child in Belgium is informed and lawful, and that it constitutes “a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject” (GDPR, Recital 32), while the same consent for the same IoT service achieved by the 13 yrs old “French cousin” is not? Is such a legal term suitable for all IoT services? This communication aims at opening an interdisciplinary debate on the necessity to identify technical and organizational measures to ensure children’s protection in the IoT services. These measures may include technical algorithms managing age-verification for digital consent to get access to Apps as well as legal bans to sell for example specific wearable devices to children. However, these measures might not be sufficient to avoid the lack of control for those who fulfils the age requirements, but who did not develop the discerning capacity and are still vulnerable (this concerning might be applied also for adults). In addition, these measures appear to be easily overcome where adults or older friends obtain an access for services used by underaged people. For these reasons, a different approach aimed at sensitizing users and societies on the cyber-risks should be adopted. Building a safer and child-friendly cyberspace means to involve schools, first of all, but also sport associations, and other communities together with ICT stakeholders in order to adopt targeted actions addressed to inform and training adults and children (i.e. society) on the IoT risks and how to deal with them.