Others have spoken to the question of the age of consent. I note that there will be a review of it. The Minister mentioned that this would be within three years. Perhaps the Minister can outline in his response what the process is likely to be around that review. Different ages have been set across different EU states. I believe we will be in a position to look at best practice and what the consequences may have been, whether direct or inadvertent, of setting the age differently in different EU states. Perhaps the Minister could indicate the process of that review here and how we plan to draw on the experience elsewhere.
I want to address one thing that for me is far more significant than the question of the age of consent. The issue was originally highlighted by myself and Senator Ruane. It relates to the profiling of children and micro-targeting of children. I commend those in the Dáil who worked to ensure that amendments were inserted to address this issue. The phrasing proposed by Deputy Donnchadh Ó Laoghaire is reflected in amendment No. 24 and it is important. Amendment No. 24 states:
It shall be an offence under this Act for any company or corporate body to process the personal data of a child as defined by section 29 for the purposes of direct marketing, profiling or micro-targeting. Such an offence shall be punishable by an administrative fine under section 139.”.
I note amendment No. 28 is similar and reflects this view as well.
I was a little concerned when the Minister mentioned that there may be a delay in the commencement of certain provisions in the Act. I am keen to ensure we do not overly delay the commencement of the important amendments around micro-targeting and profiling of children. I believe they are positive amendments. They strengthen the Bill and represent good practice. They are compatible with the GDPR.
Article 22 of the GDPR addresses the question of automated decision making, that is, decision making that may be facilitated by profiling and micro-targeting. Article 6 also has relevance here. Crucially, the intention of the GDPR is made clear in the recitals. Recital 71 specifically says that automated decision making, including profiling that has significant effects, should not apply to children. Recital 38 states:
Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.
The definition of a child in all these provisions is set out in section 29 and applies to a child of 18 years or under. None of the protections under the GDPR is in any way diluted by the age of consent or by the fact that a child may have given consent with regard to a service or participating online.
I believe these are excellent amendments. I believe they are absolutely in tune with the letter and interpretive recitals of the GDPR. I call on the Minister to assure me that there will be no undue delay in the commencement of these sections. I heard that and I want the matter clarified because I would be very concerned if that was the case.
This will make a real difference at a concrete level. This is the difference between a young person, whether 17 years or 13 years of age, being online and being subject to aggressive marketing. Examples include lip fillers being sent to 17 year olds or young people having messages targeted at them that may play on the particular vulnerabilities or insecurities of young people. The same applies to exploitative marketing. I call on the Minister to outline the plan for commencing the provisions.
My final point on the section relates to the code of conduct. I welcome and recognise the importance of the code of conduct that the Minister has indicated will be introduced in respect of the protection of children. Will the Minister indicate specifically with regard to the question of age verification that arises in these situations, whether for those aged 13 years or those aged 16 years, if there are proper guidelines around the age verification process? The idea is to avoid a situation whereby national identification papers, data that is effectively or potentially linked to the public service identity set or biometric data are not inappropriately sought, kept or stored by private companies. I am not asking the Minister to tease out all of this today. However, he might indicate if he believes that within the code of conduct there will be scope to ensure we have process to ensure we do not have inappropriate leakage of public or State data. The same applies to data of individuals that is shared with the State. It should not be overly captured by private company actors.