Civil liability of parents or legal guardians for the actions of their children in data protection matters
The civil liability of parents for the actions of their minor children is an important issue in the legal field. According to Spanish law, parents or legal guardians can be held civilly liable for unlawful acts or damage caused by their minor children under certain circumstances.
Recommendation of the Spanish Data Protection Agency (AEPD)
Recently, and due to the increase in offences committed by minors in recent months with the irruption of artificial intelligence in our lives, we have seen legally reprehensible behaviour by minors that not only has a judicial impact on their lives, but also on those of their parents.
For this reason, the AEPD has been obliged to issue a circular in which it establishes the implications that the dissemination of sensitive content or information may entail for those who do so without the consent of the legitimate owner.
Although there are numerous cases, by way of example, the AEPD highlights a decision in which it penalises a minor to pay 5,000 Euros to another minor (and consequently jointly and severally to his parents), for violating data protection regulations.
Although in this case there was no transfer of data to third parties, the AEPD reminds us that “at no time does it establish that, in order for the GDPR to apply, it is necessary for the data controller to have transferred the personal data to a third party.
For the GDPR to be fully applicable, it is therefore necessary that the processing of personal data carried out by the data controller be, apart from communication by transmission, dissemination or any other form of enabling access, collation or interconnection, any other operation or set of operations carried out on the data, whether it be the collection, recording, organisation, structuring, storage, adaptation or modification, extraction, consultation, use, restriction, erasure or destruction of the data.
Therefore, in the case at hand, the mere collection, recording and storage of the images of the child, a minor, by the defendant (data controller) are sufficient grounds for the application of the GDPR. “
As we indicated above, this is not an isolated case as the Real Madrid youth players who have allegedly disseminated a video of the sexual act of a 16-year-old girl with one of them (the four involved are between 19 and 20) via WhatsApp to other friends or colleagues have recently been involved in a case of similar characteristics.
The AEPD points out in a recent publication that “the AEPD is zero tolerance“, even if the perpetrators are minors. “We are applying fines of between 5,000 and 10,000 euros, because we believe that children and adults should avoid such behaviour and if they do not do so out of conviction, perhaps they will do so out of fear of sanctions“, he emphasised.
Recent cases of the use of Artificial Intelligence and the violation of data protection in the dissemination of content
That Artificial Intelligence is here to stay is a fact, but this does not mean that other regulations that relate to its use are exempt from compliance.
The AI Regulation provides, in Art. 3.1. 44e), a definition of deepfake as “manipulated or synthetic audio, image or video content that would appear to be falsely authentic or truthful, and which presents representations of people appearing to say or do things they did not say or do, produced by AI techniques, including machine learning and deep learning”.
In line with the above, the case of the fake nudes of the minors of Almendralejo, where a group of minors used artificial intelligence to convert images of their classmates into nudes and disseminate them in different WhatsApp groups, has been very popular in recent weeks.
Although the AEPD has opened an investigation, the acting Minister of Justice, Pilar Llop, has warned that the use of Artificial Intelligence to recreate the behaviour of minors with sexual content is a crime.
At Letslaw our team of data protection lawyers can advise you on everything you need.