
Commercial Question

New EU data privacy legislation: curbing teenagers’ fun?

updated on 05 January 2016


What are the implications of updated EU data protection legislation for companies and individual citizens?


DVD, the announcement of the optical disc storage format, the release of Windows 95 and the launch of the online auction site eBay. Technologies that changed the world? Maybe so, but of real significance is that these events occurred the last time that EU data protection legislation was updated. The next update has been four years in the making, but after countless moving deadlines the European Parliament has finally agreed the text of the new General Data Protection Regulation (GDPR). It has been 25 years since the last overhaul of data protection law in Europe and considering how far the Internet – and technology generally – has come during that time, the update is well overdue. Some 25 years on and our lives are dominated by online commerce, we interact on social media, we date via the web and search engines are our main source of information. The legislators of the mid-90s could not have predicted that the world would evolve as it has and that the Internet would come to play such a major role in not only our personal lives, but in the world of business too.

As welcome as this update to data protection legislation is, there is a fair degree of panic in some quarters. One of the key changes that the GDPR will implement is the handling of the personal data of those under the age of 16. Member states will be able to determine at their discretion the minimum age between 13 and 15 where parental consent will be required for the capture and collection of certain personal data. Most US companies to which this will apply will likely already comply with the Children's Online Privacy Protection Act (COPPA), which restricts the minimum age to 13. However, there is still concern in social media, online gaming and other sectors that the GDPR will restrict users under the age of 16 from using these platforms. It is unclear if these concerns will come to pass and what age most member states will decide on as being the age of ‘digital consent’, but it looks like we may just have to become accustomed to parental consent being needed for the collection of certain types of digital information.

With the landmark ruling last year on the ‘right to be forgotten’ and the recent invalidation of the US-EU Safe Harbour scheme in October, the European privacy landscape is changing rapidly, which will possibly lead to a shift in global data protection views. Andrus Ansip, vice-president of the Digital Single Market, called the new legislation a major step toward a true digital single market, removing barriers and unlocking opportunities, but with the highest data protection standards. The creation of a digital single market governed by shared data privacy legislation may lead other territories wishing to digitally trade with the European Union to bring their data protection laws up to the same standard as the GDPR; under the previous data privacy regime, there was no one standard throughout the 28 member states with which a company wishing to trade in the European Union had to comply. We are already seeing this pressure being exerted on the United States with the replacement Safe Harbour framework negotiations.

The key points of the new legislation are that:

  • there will only be one set of rules, making it simpler and cheaper for companies to comply and do business in the European Union;
  • businesses will deal with one single supervisory authority (rather than multiple regulators in the various jurisdictions), which is estimated to save €2.3 billion per year;
  • innovation is also one of the key aims, with the regulation guaranteeing that data protection safeguards are built into products and services from the earliest stage of development;
  • there will be more emphasis on pseudonyms and their use on data sets in big data (much like the new Japanese data protection law);
  • once a purpose for collecting and using data is stated, that’s it: the data cannot be used for any other purpose;
  • companies will also be required to publicly declare serious data breaches within 72 hours and notify individuals if the breach is likely to result in a high risk to their rights and freedoms in order to allow them to take the necessary precautions; and
  • increased sanctions: companies which fail to abide by the new rules could be fined up to 4% of their worldwide annual turnover or €20 million (whichever is larger). This could mean fines totalling billions for the bigger companies, although it has not yet been confirmed whether this will apply to the controlling undertaking or be confined to the entity in breach.

Just as the Internet does not respect international boundaries, the new rules will apply to companies which handle personal data of EU citizens even if that company isn’t based in the European Union, presenting quite some challenge. It is very possible that instead of the new legislation leading to global harmonisation of data privacy law, different approaches to privacy around the world will only get more complex. Non-EU companies with access to personal data of EU citizens will need to pay close attention not only to what the European Union is doing, but also how other countries react to the European Union’s changes. As for teenagers wanting to use social media or the community sides of online gaming, there may be a disconnect between the age restrictions that apply to the social media platform globally, or the game they are playing, and the age at which the EU member state acknowledges the individual can provide ‘digital consent’. We are yet to see how onerous this requirement for parental consent will be and how and if it will be policed. However, with fines of up to €20 million, this may be one rule that social media sites will wish to rigorously enforce.

Sekou Taylor is a second-year trainee solicitor and Jane Elphick is an associate in the technology transactions group at Cooley (UK) LLP.