Professor Barry O'Sullivan:

We are grateful for the committee's invitation to speak on the implications of cybersecurity for children and young adults. The protection of children online is an extremely important matter. One might argue, as we do, that the challenges, threats and dangers presented by the Internet, social media and wider cyberspace to our children and young teenagers necessitate that they are given our utmost careful attention. It is important that this problem space is not considered in separate Government silos, for example, the Departments of Education and Skills, Health, Justice and Equality and Communications, Climate Action and Environment, since in terms of the child's or young person's experience of technology each has a very important contribution to make.

A key concept underpinning the security of our children and young teenagers online is age appropriate interaction with technology and, more specifically, age appropriate interaction with the Internet. The Digital Childhood report of 2017 highlights that the Internet was conceived as an environment for adult users and no design concessions were made for children.

The utopian vision of the Internet was that all users would be equal. If all users are equal, then a child user is treated the same as an adult user and this is why, arguably, the Internet, by default, is not fit for children. The Children's Online Privacy Protection Act, COPPA, passed in the United States has been one of the sole mechanisms to define restrictions on the collection and processing of personal data from children under the age of 13 years, unless verifiable consent has been granted by a parent or guardian. It is because of COPPA that many social media platforms require that their users are at least 13 years old. However, it has not been vigorously enforced in a regulatory context and studies consistently provide evidence of underage usage of mainstream social media platforms. We believe that robust age verification online is one of the most critical requirements to deliver on child and youth security in cyber contexts .

The forthcoming European general data protection regulation, GDPR, which comes into effect on 25 May 2018, will formalise age protective measures online. The EU has set the digital age of consent at 16 years but permits each state to decide a national age of consent that can be as low as 13 years. For clarification, the digital age of consent is not about when a child can access the Internet, it is merely the age at which a child can consent to a profiling of their personal data and that is it. It is not about access, it is just the age at which a child can say he or she is happy to be profiled by a social media company or by a game. Notably, Ireland has opted for 13, the lowest age of digital consent allowed under the GDPR. The Data Protection Bill 2018, which enshrines an Irish digital age of consent of 13, was submitted to the Seanad on 8 February 2018 and is currently under consideration.

On launching the Bill, the Minister for Justice and Equality stated:

The Government considers that a digital age of consent of 13 years represents an appropriate balancing of children's rights, namely, a child's right to participation in the online environment and a child's right to safety and protection, rights that are enshrined in the UN Convention on the Rights of the Child. Provision is made for that in section 29.

It is important to point out that section 29, or rather Article 29, does not actually say this. We are not criticising the Minister at all - this is actually a widely held belief - but the convention does not say that. This claim has been made by a number of respondents to the Department of Justice and Equality's consultation on the digital age of consent, which was held in 2016.

The UN Convention on the Rights of the Child was ratified in 1989 and came into effect in 1990, thereby pre-dating the Internet, online services and social media. The assertion that “a child’s right to participation in the online environment ... rights that are enshrined in the UN Convention on the Rights of the Child” is not quite an accurate statement. If one wishes to bring this convention into play, attention should be given to Article 17, which states “States Parties recognize the important function performed by the mass media and shall ensure that the child has access to information and material from a diversity of national and international sources, especially those aimed at the promotion of his or her social, spiritual and moral well-being and physical and mental health.” That is an access issue that is not what the age of consent is all about. Article 19 states “States Parties shall take all appropriate legislative, administrative, social and educational measures to protect the child from all forms of physical or mental violence, injury or abuse, neglect or negligent treatment, maltreatment or exploitation, including sexual abuse, while in the care of parent(s), legal guardian(s) or any other person who has the care of the child.” Probably most importantly, Article 27 states “States Parties recognize the right of every child to a standard of living adequate for the child's physical, mental, spiritual, moral and social development.” It also states “The parent(s) or others responsible for the child have the primary responsibility to secure, within their abilities and financial capacities, the conditions of living necessary for the child's development.” The important point here is that parents should have authority over when and when not a young child can give consent. Notably, Article 1 takes a very age-protective stance regarding the definition of a child, stating that for the purposes of the convention, a child is defined as someone below the age of eighteen years. We will outline in the remainder of our submission, which Dr. Mary Aiken will present to the committee, some of the many reasons Ireland, by setting the digital age of consent at 13 years, is not honouring the spirit of the UN Convention on the Rights of the Child in terms of the risks to a child's security, well-being, physical and mental health. The digital age of consent is intended to provide robust protection for children from those who might seek to target and commercially exploit them. In our opinion, the digital age of consent will also have protective merit in terms of the psychological and social well-being of the child, which in turn will help to deliver on child safety and security.

It is therefore very important, before we move on to Dr. Aiken's contribution, to understand that the digital age of consent is simply about the age at which a child can enter into a contract with a social media company; it is not about access to the Internet.