“Tell me and I forget, Teach me and I remember, Involve me and I learn” (Benjamin Franklin)

Over the last 30 years, there has been progress in the promotion of the rights of the child, in particular the right to be heard. Since the adoption of the United Nations Convention on the Rights of the Child (UNCRC) in 1989, considerable effort has been made at all levels to develop legislation, policies and methodologies to implement Article 12: the right of every child to freely express their views in matters pertaining to them. This paper considers the General Data Protection Regulation (GDPR, 2016) and argues that it fails to address the right of the child to be seen and heard regarding online safety. The relevant provisions of the GDPR, aimed at protecting the safety and privacy of the child, are compared with the rights of the child under Article 5 (The evolving capacity of the child) and Article 12 (The right to be heard) of the UNCRC.

General Data Protection Regulation (2016)

The GDPR was intended to harmonise European data protection laws designed to give more protection to personal data. Recital 38 of the GDPR specifically recognised for the first time children’s need for additional protection to safeguard their privacy and private identity. With this provision in place, the advent of the GDPR and, in particular, Recital 38 were welcomed as a holistic effort to regulate data, which, in consideration of its value, is regarded as the “new oil” of this age (Livingstone, 2018).

Recitals, as is commonplace, provide additional information and supporting context to Articles, the Articles being the requisite legal requirements to guarantee compliance. Article 8 establishes the legal basis for parents to consent to the processing of their children’s personal data. Recital 38, in supplementing this, specifies that “children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerning their rights in relation to the processing of personal data”. The controller is obliged to make reasonable efforts (taking into consideration available technology) to verify that consent is “given or authorised” by the “holder of parental responsibility”. Although Recital 38 of the GDPR represents a strong affirmation of the need to protect children’s private data, Article 8 of the GDPR, by bestowing the right to consent exclusively on the holders of parental authority, denies children the right to have their own voices heard in matters pertaining to the processing of their personal data online.

Furthermore, the GDPR does not define what it means by “child”, and Member States are obliged to set the age of consent anywhere between 13 and 16 years. Under the permitted age of consent, the holders of parental responsibility are required to consent to the processing of the child’s personal data. While the GDPR supports the view that the holders of parental authority provide a holistic protection of children’s personal data, this is subjective and does not allow for any oversight as to the extent to which parents are acting in the child’s best interest. Each Member State is furthermore obliged to set its own digital competency age. This has the potential to result in variability, as minors in neighbouring jurisdictions have different “digital competency” ages. It also has the potential to create difficulties for information service providers by, for example, increasing the potential for them to make mistakes when dealing with the data of those who are under the age of 16 from different jurisdictions.

Recital 18 of the GDPR exempts personal and household activities (social networking and online activities) from the constraints and protection offered by the GDPR. “Sharenting”, defined as the online posting of children’s personal data and images by parents with/without the consent of the child, is widespread (Steinberg, 2017, p. 842). Sharenting places children on the “world’s media stage” (Donovan, 2020, p. 49). Arguably “surveillance appears to be woven into every element of an online and digital society”, and parents, unwittingly, are subjecting their children to exposure and “dataveillance” through their casual sharing of photos and personal information on social media (Leaver, 2017, p. 3). Even in the absence of personal information, the metadata behind photographs and technologies which facilitate user tagging, automated facial recognition and the accumulation of discrete pieces of information provide significant amounts of personal information. All photographs of children have the potential to be fodder for bullying and ridicule (Bessant, 2017). Photographs may be altered and re-used without permission, and may be used on illegal websites, including those related to child pornography or child exploitation.

The GDPR refers to the relationship between individuals and organisations, whereas interpersonal relationships, including familial and household activities, are excluded from the constraints of the GDPR by virtue of Recital 18. Furthermore, given that the European Commission Working Party 29 (an independent advisory group on protection and data privacy) (2007) advocated a broad application to the concept of personal data, this has resulted in a broad range of data being excluded from the constraints of the GDPR.

United Nations Convention on the Rights of the Child (1989)

The right of all children to be heard and to have their views taken seriously constitutes one of the fundamental values of the UNCRC. The Committee on the Rights of the Child (2009) identified Article 12 as one of the core principles of the Convention, the other core principles being the right to non-discrimination, the right to life and development and the primary consideration of the child’s best interests. Article 12 of the UNCRC stipulates that: “State Parties shall assure to the child who is capable of forming his or her own views the right to express those views freely in all matters affecting the child, the views of the child being given due weight in accordance with the age and maturity of the child”.

Despite Article 12 emphasising children’s right and capacity to express their views, Article 8 of the GDPR stipulates that children requesting permission to use online services are required to seek prior agreement from those who hold “parental authority”. There is no reference to the “voice of the child” or their “evolving capacities”. Is Article 8 effectively turning the clock back and perpetuating an image of a vulnerable child whose choices, preferences and decisions cannot be trusted?

Article 12 of the UNCRC implies that all children capable of expressing a view are entitled to do so. Although it makes no explicit provision for the right to information, it could be argued that information is necessary to “assure...the right to express...views freely”. In other words, Article 12 asserts the child’s right to participate in all matters affecting him or her, but adults retain responsibility for the final decision. However, Article 8 of the GDPR does not provide any opportunity for minors’ input; the right to consent to the processing of the child’s personal data remains the responsibility of the holder of parental responsibility if the child is under the age of 16.

The child’s best interests are one of the core principles of the UNCRC, and should be considered in the interpretation and implementation of other rights and protection. The constraint imposed by Article 8 of the GDPR raises questions about the measures, if any, that are in place to enable children to develop into responsible digital citizens who are capable of critical thinking and independent online action. The best interests of the child depend on the enjoyment of human rights such as the right to express one’s view and the right to participate. These rights are no different to those of the adult except for the fact that they are now overseen and monitored by parents/guardians under the GDPR to guarantee the child’s protection. Member States have been given, without any guiding principles apart from ad hoc measures, the ‘green light’ to determine the age at which minors have the capacity to engage with online activities. This represents a disregard for the evolving capacities of minors, particularly those established by the UNCRC.

The GDPR, although creating a legal basis for the online posting of personal data of identifiable children, does not fully protect the child’s best interests as it does not allow for instances where it is inappropriate to delegate the power of consent to particular parents. This results in the continued vulnerability of children in situations where their interests may be outweighed by their parents’ desire to reap the benefits of sharing or in instances of parental lack of awareness of the associated risks. The regulation of consent under Article 8 of the GDPR gives holders of parental responsibility the exclusive right to consent to the processing of children’s data. The best interest of the child appears to be tied into welfare concerns.


The GDPR, in its imposition of the parental obligation under Article 8 to consent to the processing of data of children under the age of 16, may, by doing so, restrict the child’s right to privacy and freedom of expression. Article 12 of the UNCRC assures the child who is capable of forming his or her own views the right to “express those views freely” in matters pertaining to them. Article 5 of the UNCRC acknowledges the evolving capacities of the child, and the rights and duties of parents to appropriately guide children in the exercise of their rights. Parents may need education and instruction to provide them with the tools and skills to enable them to incorporate the views of their children into their decision making. In recognition of these provisions, the implementation of Article 12 has been accompanied by “participation”, which is described as information-sharing and dialogue between children and adults based on mutual respect, and in which children can learn how their views and those of adults are taken into account and shape outcomes.

The GDPR, despite its well-intentioned efforts to safeguard minors, represents a challenge to children’s participation. Therefore, the GDPR would benefit from a more collaborative approach underpinned by Articles 5 and 12 of the UNCRC, which would allow children to take ownership and responsibility for online activities, and with the parental role being that of a facilitator and enabler, rather than gatekeeper.