European negotiators have agreed on a new rule that requires teens under the age of 16 years to gain their parents' consent to use Facebook, Snapchat, and Instagram.
Child-protection groups and tech companies alike are up in arms over a last-minute amendment to Europe's General Data Protection Regulation, which proposes raising the legal age of digital consent from 13 to 16 years.
In other words, it will be illegal for any company, including Google, Snapchat, and Facebook, to process a teenager's data without the consent of a legal guardian.
"The processing of personal data of a child below the age of 16 years shall only be lawful if and to the extent that such consent is given or authorised by the holder of parental responsibility over the child," the draft stated.
The amendment was agreed by European negotiators at the so-called trilogue negotiations on Tuesday night, involving the European Commission, European Parliament, and European Council of member states.
The new age of consent forms part of sweeping reforms to the EU's 1995 data-protection directive, including new fines of up to four percent of global revenue for firms that violate the law and new rules for data protection in the criminal justice sector.
Raising the age of consent to 16 years puts European rules at odds with the US Children's Online Privacy Protection Act, which sets the age at 13 years and forms the basis of Facebook's age policy.
Janice Richardson, adviser to the ITU and the Council of Europe, and a former coordinator of the European Safer Internet network, warned that the amendment will make it much harder for teens to access help and will probably just lead them to lie about their age.
"The internet can represent a lifeline for children to get the help they need when they are suffering from abuse, living with relatives who are addicted to drugs or alcohol, or seeking confidential LGBT support services, to name a few," she noted.
The ICT coalition, which includes Facebook among its members, said the age adjustment had been rushed in without any consultation with stakeholders or child-safety organizations.
However, the new age rule has been watered down by opponents of the proposal, which was put forward by the European Parliament.
Green MEP and European Parliament rapporteur on the data-protection regulation Jan Philipp Albrecht noted that it will be up to EU nations to implement the age requirement.
"The matter will be left to member states, which can set the age between 13 and 16 years at the maximum," he said.
The text of the agreement, published by Statewatch, now reads: "On the conditions applicable to consent given by a child, the co-legislators converged on keeping 'below the age of 16 years' as a common ceiling, while allowing Member States to foresee lower age limits."
Despite opposition to the new minimum age, Albrecht and others have hailed the agreement as a major breakthrough in Europe's long-awaited update to data-protection rules.
"The legislation will create an EU-wide data-protection regime for the first time, replacing the outdated patchwork of national data-protection rules. This would be a major step forward for consumer protection and competition and ensure Europe has data protection rules that are fit for purpose in the digital age," Albrecht said.
Other major changes stipulate that businesses handling large amounts of personal data will need to appoint a data-protection officer. The regulation also outlaws the practice of transferring data to third parties without explicit consent from the user when the data is being used for other purposes.