Minors as vulnerable participants in social research activities

Minors are a vital part of every society and in line with the UN Convention on the Rights of the Child, should be able to express their views on all matters affecting them. This overarching principle is why many researchers working on matters directly affecting minors are eager to include them in their research activities. This blog post will focus on the legal questions surrounding their involvement in social research.

One common element in legal orders around the world is that minors are entitled to increased protection as their incomplete physical and mental development makes them more exposed to harms and less aware of how to best protect themselves. Their significant familiarization with technology or other advanced activities does not substitute for their difficulty to easily recognize pitfalls even in seemingly harmless contexts, e.g. when being interviewed by social researchers. This is a reality related to biological factors and justifies the explicit inclusion of minors in the category of vulnerable individuals [e.g. the General Data Protection Regulation (GDPR), or the newly adopted Digital Services Act (DSA)]When these pitfalls touch upon core elements of human personality, such as that of privacy and data protection, then the impact of the harm is significantly higher and the need for special protection becomes an imperative mandate.

The present blog post explores the different approaches to the notion of vulnerability,  with specific emphasis on the provisions in the GDPR that set the protection of  minors as a cornerstone, and delineates the concept of consent under the GDPR as opposed to research consent, required as an ethical condition in the context of research projects. 

a)    The theoretical debate on vulnerability

Vulnerability stems from the Latin word “vulnus” which can be translated as “wound”, “fragility”, “damage” or “harm”. Under EU law in general, there is not a unanimous definition of vulnerability and vulnerable individuals.In theory, there are two clashing lines of understanding of the notion.

According to the universalistic approach, vulnerability is a feature inherent to human nature. If not perceived like that, then vulnerability would be a stigmatizing label. On the contrary, the particularistic approach builds upon the idea that some subjects are more vulnerable than others, based on factors such as their sex, origin, education etc.

These approaches have some considerable constraints. To follow the universalistic approach means that we may undermine the protection of individuals in an already disadvantaged position, such as  minors from marginalized social groups. Also, the particularistic approach tends to categorize ex ante individuals, based on criteria that generally affirm vulnerability but may not be sufficient to come to this conclusion in every context.

A solution to this debate seems to be the layered theory of vulnerability. According to this theory, all individuals are potentially vulnerable but at different levels and contexts influenced by factors such as time, status and location. Every level of vulnerability requires different mitigation measures. This excludes categorizations by default and allows for legal protection to be proportional to the quantity and quality of layers of vulnerability. Hence, vulnerability is not a static attribute, but is influenced by analyzing its origins and the severity of its effects.

In fact, this approach seems to be in line with the risk-based nature of the GDPR. As WP29 (the predecessor of the European Protection Board, which constitutes the independent European body in charge of the consistent application of the GDPR) has clarified in its statement on the role of a risk-based approach in data protection legal frameworks “strengthened obligations result from processing which is considered risky for the persons concerned [and] additional measures [apply] when specific risks are identified” . Moreover, “the risk-based approach goes beyond a narrow “harm-based-approach” that concentrates only on damage and should take into consideration every potential as well as actual adverse effect, assessed on a very wide scale ranging from an impact on the person concerned by the processing in question to a general societal impact”. For example, conducting a Data Protection Impact Assessment (DPIA) when a processing operation is likely to result in a high risk to the rights and freedoms of natural persons, e.g. when conducting large-scale processing of special categories of data under Article 9(1) GDPR), implies a layered assessment of the risks and a subsequent adjustment of the protective safeguards put in place. Hence, layered vulnerability, similarly to the risk-based approach, is a proactiveness mechanism. Following this, it can be further deduced that GDPR follows a vulnerability-centred approach.  

b)    Vulnerability  as power imbalance

Some useful guidance is provided by WP29 when it comes to decoding the essence of vulnerability.

WP29 in its guidelines on DPIAs has argued that vulnerability is understood as an “increased power imbalance between the data subjects and the data controller, meaning the individuals may be unable to easily consent to, or oppose, the processing of their data, or exercise their rights”. In another Opinion on the notion of legitimate interests of the data controller, it has clarified that in the context of the balancing test required when legitimate interest is used as the legal basis for the processing of personal data (Art. 6(1)(f)GDPR), data controllers should consider “the status of the data controller and data subject, including the balance of power between the data subject and the data controller, or whether the data subject is a child or otherwise belongs to a more vulnerable segment of the population”.

 Consequently, vulnerability is  perceived as a contextual form of power imbalance with potentially harmful effects to data subjects. It is also a dynamic and flexible concept that takes new forms under the influence of circumstances, e.g. digital vulnerability caused by the emergence of disrupting phenomena, such as AI. However, even in the occasion of AI a specific assessment needs to take place to discern harmful (e.g. profiling) form beneficial (e.g. receiving better healthcare) uses. Vulnerability has been further described as a “heuristic tool” that monitors the possible threats – not the specific instances – that individuals may face under the prism of principles, such as freedom, equality and dignity. Put differently, vulnerability is used to prevent the shift from the condition of vulnerability to the  actual occurrence of the “vulnus” in a specific situation.

c)     Minors as vulnerable individuals in the GDPR

The GDPR, being the most relevant legislative text in the context of this analysis, contains a series of provisions that ensure specific guarantees for  minors, either as a separate category or as part of vulnerable data subjects in general.

Recital 38 GDPR explains that  minors merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. This protection is particularly important in the context of the use of minors’ personal data for the purposes of marketing and profiling. Recital 71 and Article 22 GDPR add in this respect that minors shall not be subject to any decision based solely on automated processing that generates significant legal effects. Moreover, vulnerability of  minors is explicitly recognized in recital 75 GDPR, which urges data controllers to conduct a Data Protection Impact Assessment (DPIA) whenever they process  minors data (see also Articles 35, 36). Furthermore, recital 58 and Articles 5(1)(a) and 12 GDPR set high transparency requirements as an expression of the special protection they must receive. All the information addressed to minors about the processing of their data shall be in clear and plain language, adjusted to the age of the recipient, and accompanied by visualizations, where appropriate. Another interesting parameter is the right of any data subject to have their personal data rectified (Article 16 GDPR) and a “right to be forgotten” (Article 17 GDPR) where the data subject has givenhis or her consent as a  minor and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the Internet. Lastly, Article 40(2)(g) GDPR, on codes of conduct, provides that associations and other bodies representing categories of controllers or processors may prepare codes of conduct or amend or extend such codes, for specifying the application of the GDPR with regard to the information provided to, and the protection of minors, and the manner in which the consent of the holder of parental responsibility is to be obtained. Overall, the above provisions aim to eliminate instances where  minors are manipulated because of their decisional vulnerability.

Besides the above, the GDPR reserves a specific role to DPAs in this context, given that they are required to target awareness-raising activities to  minors and provide guidance on how to achieve their special protection (Article 57(1)(b) GDPR).

To achieve the above aspects, data controllers are required to implement appropriate technical and organizational measures, depending on the nature, scope, context and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons (Art. 24 GDPR). Moreover, the aforementioned protection aspects support the underpinning GDPR principles of data processing by design and default (Article 25 GDPR), data minimization (Article 5(1)(c) GDPR), fairness (Article 5(1)(a) GDPR), and purpose limitation (Article 5(1)(b) GDPR).

Furthermore, it is essential to stress that these considerations reflect the “best interest of the child” principle enshrined in Article 3 of the UN Convention on the Rights of the Child, which mandates that for all actions concerning  minors their best interest prevails. This fundamental principle is also reflected in Article 24(2) of the EU Charter of Fundamental Rights.

 d)    GDPR consent vs. research consent

Consent is a rather challenging condition when it comes to research activities. In the context of the GDPR, Article 4(11) defines “consent” as “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. Consent is one of the legal bases that allows for the lawful processing of personal data under Article 6 GDPR. Article 7 GDPR specifies that the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data and the latter shall be able to withdraw consent at any time.

 Minors are not adults, thus, when providing their consent, specific restrictions concerning their legal capacity apply. Questions relevant to legal competence based on age fall generally under national laws of Member States. The GDPR does not set a specific age limit for consent, except for Article 8. This leads to the observation that two consent regimes exist, one under Article 8 GDPR and another one under Article 6 GDPR.

Article 8 GDPR is a specific form of application of Article 6(1)(a) GDPR used in the context of information society services. Such services are defined in Article 1(b) of Directive 2015/1535 as “normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. This definition relies on a set of cumulative criteria that are rather restrictive and exclude from its scope online research activities (e.g. an online questionnaire), due to the absence of remuneration Hence, online research activities, not to mention traditional ones, do not constitute information society services.

The regime of Article 8 GDPR seems highly convenient, as it provides a sufficient legal certainty as to the age limit for consent. Children above 16 or 13 years old minimum can, based on the applicable national law, provide directly their consent without the involvement of the holder of parental responsibility). Despite this three years variation, it is at least clear that all Member States fall within this ambit and information on the age limit in each country is easily accessible through a simple research on online repositories. Furthermore, this facilitates the reasonable efforts that controllers are required to make to verify that consent is given or authorised by the holder of parental responsibility. Additionally, this regime seems compatible with the autonomy of adolescents, being at a more advanced stage of their development that entitles them to have a stronger say of their will.

Notwithstanding the aforementioned advantages, it is legally unfounded and problematic to extend the use  of Article 8 GDPR in contexts where the restrictive conditions of the provision are not met. When Article 8 GDPR is not applicable, as in the case of research activities, then Article 6 GDPR will apply. This Article is closely interlinked with national laws to observe the age of legal capacity to provide consent for the processing of personal data. Most European countries have not specified a separate age limit for the participation of  minors in social research activities. In that case, someone has to look at national civil law on legal capacity and observe whether there are specific exceptions to the rule of legal capacity at 18, stemming either from specific legislative provisions or national case law. Especially with case law exceptions, a case-by-case assessment is needed to examine whether the particularities of the research activity at issue fit jurisprudence conditions. Hence, in the absence of such specifications parental consent is required for those under 18 years old.

In the context of research projects at pan-European level such discrepancies combined with limited access to relevant information due to linguistic obstacles, create a challenging framework for compliance with national rules and attainment of the envisaged research objectives, especially when not involving local partners. Even if researchers manage to adhere to the different legal regimes at EU level, different rules can still lead to unbalanced datasets and underrepresentation of participants from certain countries.

Apart from parental consent, assent is essential as a guarantee of ethics in research and a concrete expression of autonomy. It is a form of research consent, as opposed to the legal basis of consent under Article 6 GDPR. Assent means that minors, even though unable to provide legally binding consent on their behalf, receive information adapted to their age and level of understanding and based on that can express their willingness to participate or not in the research. Although it is not an explicit obligation under the GDPR, it is explicitly required under Article 3 of the UN Convention of the Rights of the Child and Article 24 of the EU Charter of Fundamental Rights and implicitly linked to the obligation to provide information to the child, which is obligatory under Article 12 GDPR, even when parental consent is obtained, as WP29 observes in its guidelines on transparency. In addition, assent is typically a condition for obtaining approval by ethics committees and a requirement for funders.

Especially as regards adolescents, when researchers lack clear information as to the age for consent in Member States, they are obliged to treat them as unable to provide legally valid consent for themselves. This may be dysfunctional in cases where an adolescent wishes to participate in a research activity while the holder of parental responsibility disagrees or does not respond. Such a situation tends to be observed in families from disadvantaged social environments, where parents find it difficult to understand what is expected from their side due to cultural and linguistic barriers or even religious considerations. It is reiterated that under Article 6 GDPR requires an active opt-in consent to be considered valid. Thus, the researcher faces the questions of how to serve the self-determination of minor participants while being legally compliant.

In such a context, an alternative solution is the concept of passive parental consent, otherwise known as opt-out.^- It is a form of research consent, as opposed to the legal basis of consent under Article 6 GDPR. Under the regime of the parental consent, after being properly informed, parents’ consent is assumed if they do not explicitly object to the participation of their minors in the study. Especially in the context of educational institutions teachers usually give their consent instead of parents.

However, while this may be in certain circumstances a justifiable option for research consent, opt-out parental consent is not a lawful legal basis under the GDPR. In such circumstances, relying on legitimate interest (Article 6(1)(f) GDPR) seems to be the most appropriate solution. In either case, potential participants should be informed about the processing of their personal data in order to obtain their research consent, even though this is not the legal basis deployed under the GDPR. This information can be included in the information notice attached to the informed consent. Therefore, in this context we talk about research consent as an ethical safeguard and procedural obligation. While Article 6(1)(a) GDPR legitimizes the processing of personal data according to the GDPR requirements, the research consent has an ethical value (this is often a funder requirement and a condition for approval by ethics committees)  and is still mandatory even when the processing of personal data is based on another legal basis of Article 6 GDPR, besides consent.

e)     Application in the LET’S CARE project

Timelex is acting as the legal and ethical partner in the LET’S CARE project. LET’S CARE aims to comprehensively understand and improve the caring dimension of educational inclusion and school success and address the causes of educational underachievement, disengagement, and school dropout by identifying key relational variables between various actors of the education process. LET’S CARE will create a theoretical and practical framework to foster Safe Learning, Safe Teaching, Safe Schools and Safe Education in each level as an approach to break the chain of transgenerational transmission of educational and social exclusion. This approach will generate lower rates of school failure, poor learning outcomes and early school leaving.

Achieving such goals requires extensive research with the involvement of schools, teachers, policymakers, students, and other relevant stakeholders. Given that research activities address disadvantaged or vulnerable populations (in this case  minors and their families, among other actors), the consortium applies specific strategies to ensure compliance with ethics and legal rules from the very beginning of the project, compliance being an integral element of any EU funded project aiming to achieve research excellence.

LET’S CARE partners in Poland, Lithuania, Bulgaria, Italy, Spain and Portugal are involved in a number of qualitative (interviews with teachers, policymakers, disadvantaged families, and  minors, school ethnographies) and quantitative (large, scale survey involving thousands of students and their families as well as teachers) based on an optimal combination of consent and legitimate interest as legal bases under the GDPR, while ensuring research consent. Timelex provides continuous support to research partners by providing targeted workshops, drafting consent forms tailored to the age of research participants, legal guidelines for the participation of minors in research, conducting Legitimate Impact Assessments (whenever legitimate interest is the appropriate legal basis) and assisting in the setting up of data collection protocols in an ethical and GDPR-compliant way.  Consequently, the choice of the right legal basis plays a primordial role as it affects applicable data subject rights and other considerations.

Moreover, in the context of quantitative data protection LET’S CARE is committed to conducting a DPIA in order to evaluate the implications on minors’ privacy. This choice is in line with the risk-based approach of the GDPR, as analyzed before, and the layered analysis of vulnerability, which recognizes that everyone is potentially vulnerable, but at different levels and in different contexts, requiring variated mitigation measures. In this regard, the DPIA assesses all aspects of the processing operations (e.g. data recipients, administration and storage of datasets per category of participants, applicable security measures) to ensure that the high risk of the activity is mitigated in a tailored way. The DPIA serves as a roadmap to determine a proportionate approach based on specific compliance steps.

Overall, research activities involving minors raise important legal and ethical issues. The proper way to address them relies on understanding that they are vulnerable individuals entitled to specific protection. However, this vulnerability shall be assessed on a contextual basis, which allows to identify the appropriate legal basis for the processing of personal data under the GDPR and to combine this with appropriately gathered research consent in a way adjusted to the needs and interests of participants and with full respect to their autonomy and self-determination.

LET’S CARE is funded by the European Union under grant agreement of the project 101059425. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union. Neither the European Union nor the granting authority can be held responsible for them.