The european project Training Activities to Implement the Data Protection Reform (TAtoDPR) has received funding from the European Union’s Rights, Equality and Citizenship (REC) Programme of the European Union under Grant Agreement No. 769191

The contents of this Journal represent the views of the author only and are his/her sole responsibility. The European Commission does not accept any responsibility for use that may be made of the information it contains.

Home / ISSUES / Issue / Minors and new technologies: From parental responsibility to parental control in balancing with the ..

back print content read pdf content

Minors and new technologies: From parental responsibility to parental control in balancing with the child's right to personality

Livia Aulino

This article deepens the relationship between minors and new technologies. The legislation of reference is preliminarily represented by the main international charts on the protection of minors, to which are added the most recent rules on the data protection as well as the rules of the civil code. In particular, it is examined the issue of parental control and whether this technological control falls within the broader concept of parental responsibility and in the parental supervision obligation sanctioned by article 2048 of the Civil Code. At the same time, it is examined the right to the online personality of the child, which emerges even more in the current historical context, in which the age of Internet access is always lower and lower. This is also seen in the light of the recent European regulation on the data protection which has recognized the consent given by a child of at least 16 years. Finally, it is dealt the system of negotiation deeds concluded by the child with through the use of the technological tool.


1. Legal aspects of parental control - 2. The balance between parental responsibility and the right to the personality of the child. - 3. The digital consent of children online - 4. Negotiation deeds concluded online by the chid - NOTE

1. Legal aspects of parental control

Currently the protection of the child manifests itself through an educational control of the parents towards their children, as an expression of parental responsibility[1]. Following the development of new technologies, it has been added a technological control[2], the so-called parental control, which parents can predefine on all operating systems of computer devices used by the child.

Parental control is the system that allows the parent to monitor or block access to certain computer activities to the child, which can be dangerous for him, and also to set the maximum duration of use of the IT device.

The parental control can be applied to any device on all common operating systems, such as Windows, Android[3], Apple[4] e Linux, on telephone lines[5], on videogames and up to the most used search engines[6].

All this is relevant also from the legal point of view, where currently, there is no specific regulatory provision, nor jurisprudential precedents that can regulate these issues[7]. Yet, it is believed that the obligation to control access to the internet may fall within the broader concept of parental responsibility. In fact, the obligation of parents to supervise their children in the use of technology, in particular on the Internet, can be inferred from the reading of Articles 147, 316 and 2048 of the Italian civil code, and the jurisprudential guidelines on the duty of supervision of minor children at the expense of parents.

The jurisprudential guidelines believe that the parent to be exempt from civil liability for not having fulfilled the supervision obligation of the minor child (pursuant to article 2048 of the Italian civil code) must demonstrate both that they have given a correct education to their child, but also that they have adequately supervised. Even it would be appropriate to impose on parents the use of parental filters that can contain the dangers related to the free movement of minors on the internet, in compliance with the obligation of supervision under art 2048 Italian civil code.

On this point, an important jurisprudential case of the Court of Teramo[8] reaffirmed the need for a monitoring activity on the part of parents on their children. More precisely it stated that the parents to be exempt from liability pursuant to article 2048 of the Italian civil code, must demonstrate that they have fulfilled the educational burden, as well as to have provided to give the indispensable tools for the construction of truly meaningful human relationships for the best realization of their personality. Also they must demonstrate to have effectively checked that the children have assimilated the education imparted to them, with the consequence that the gravity and the repetition of their behaviors  can then be index of  a work of verification.

Even more recently, the Court of Rieti[9] with judgement no. 312/2019 stated that, in the event of damage caused by the minor, the parents must prove that they have given their child an appropriate education to their social and family conditions, as well as having exercised an appropriate supervision, in compliance with article 147 of Italian civil code. If this release evidence is not provided, it would be applied the article 2048 of the Italian civil code.

2. The balance between parental responsibility and the right to the personality of the child.

At the same time the question aires if is legitimate for a parent to control the minor child in the use of the Internet by operating a stable interference in his privacy.

On the one hand, the parents have the obligation of parental responsibility and therefore to protect their children from phenomena such as pedophilia, grooming[10], cyberstalking[11]. On the other hand, parents should also respect the child's personality and the freedoms recognized to them, both at constitutional and international level.

In this regard, article 16 of the 1989 New York Convention protects the child's privacy. The same Convention, in article 17, recognizes the importance of the function exercised by the mass media and the States "toensure that the child has access to information and materials online, especially if aimed at promoting his social, spiritual and moral well-being and his physical and mental health".

Therefore, it is considered legitimate a power of control over one's child understood as the right to monitor the use of the technologies by the minor, but with a reasonable measure proportionally also at the age of the same; this in order to prevent the supervision of parents on online minors from becoming cyber-stalking.


3. The digital consent of children online

The need to guarantee the right to the child's online personality emerges even more in the current historical context, in which one is always connected, and in which the age of Internet access is always lower. The European regulation 2016/679[12] has introduced a specific discipline for the protection of the data of the minors, whose defense turns out to be strengthened and differentiated. This is a new law as the previous EC Directive 46/1995, on data protection, did not include any specific provision on the privacy of minors[13]. At the same time, Legislative Decree no. 196/2003 (so-called Italian privacy code) provided that the consent of a minor was to be delegated to the legal representative, being unable to act until he reached the age of majority[14].

The recent Regulation, in several points, draws attention to the protection of children's personal data, reversing the orientation of the previous legislative texts on the subject[15]. Indeed, the point 38 specifies that “children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child”. Also the point 58 specifies that: “given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand”, a rule that is also included in article 12 of the European Regulation which states that: “The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child […]”.

Furthermore in article 6[16] of GDPR, lett. f), which governs the conditions of lawfulness of the processing, the protection of minors acts as a limit to the owner's interest.

The main rule is contained in article 8 of the GDPR[17] which states that in the case of offering services aimed at minors, the processing of personal data is lawful if the child who consents is at least 16 years old, but the Member States may establish a younger age, provided it is not less than 13 years old. If, on the other hand, the minor is under the age of 16, the treatment is considered lawful only if the consent is given or authorized by the holder of parental responsibility[18].

The choice of the European legislator is dictated by the circumstance that the relationship that the minor user establishes with the information society is not limited to the registration but takes the form of a profiling. This implies that the information relating to the user is stored and combined together, giving rise to significant repercussions that can also affect the future life of the child. Therefore, the minors need greater protection since they are less aware of the risks and consequences of their behavior.

In this regard, the Italian legislator, with Legislative Decree n. 101/2018 of adaptation to the GDPR, set the limit of the "digital age" at 14 years. Other countries have also used the derogation, setting the limit at 14 years (Austria and Lithuania) or at 15 (Czech Republic, Slovenia, France) or at 13 years (Spain, Sweden, Denmark, Estonia, Latvia, Finland, Portugal).

The choice of the European legislator to prevent autonomous access to digital services to children under the age of 16 could appear to be too restrictive. This is because scientific research[19] has shown that, from the age of 13, the child forms his own capacity for discernment. This capacity is also referred to by the Convention on the rights of children and adolescents.

Therefore, the immediate consequence for under-16 Europeans (or under 14 Italians), where they have shared sensitive information online, is to choose whether to remove this information or to preserve its publication, with the necessary consent of the parents[20].

4. Negotiation deeds concluded online by the chid

Another problem that may emerge concerns the regime of the negotiating acts concluded by the child, through the use of the technological tool. He, although an easily suggestible subject, however, can make purchases in complete solitude, without the supervision and control of the parents, exposing them to the patrimonial responsibility. The parent, as the legal representative, could in fact be liable, both for the fulfillment of the contractual obligation of the represented person, and for being liable for damages caused by the child following a fraudulent conduct[21].

In the Italian legal system, the principle of non-binding and annulment of the contract (article 1425, 1 co., civil code) applies to the minor, as it is considered a weak consumer due to his or her incapacity subjectivity pursuant to the article 2 of Italian civil code. By way of exception, however, the contract concluded by the minor, which is useful for the same, is considered binding for both parties, as satisfying adequately his needs and his personal life conditions.

For other assets, the rule of annulment and binding effectiveness is in any case tempered by the exceptional rule provided by article 1426 of the Italian civil code, according to which the contract cannot be challenged if the incapable person has "concealed his minor age with deception". But if he limited himself to claiming to be of age, this is not in itself sufficient to supplement the fraudulent conduct required by the rule for the stability of the contract[22].

These general rules on the pathology of the contract are also applied in the case of the online contracts, since the cause, the object and the content of the contracts are identical.

It is instead necessary to clarify whether the specificity of telematic negotiation can have consequences on the rules of consensus building. In fact a problem arises in the bargaining system c.d. point and click, by pressing the "confirm order" button in which a declaration is missing, because it is not possible  identifying the subject to which the manifestation of the contract will must be attributed. This is because it is easy to trace back to the computer from which it was issued, while it is more difficult to know the real identity of the natural person who used that technology for bargaining.

It is also necessary to distinguish at least three hypotheses. The first one concerns the cases in which the child declares his real date of birth. In these cases the contract is void.

The second hypothesis is that in which the minor indicates a false date of birth in order to appear an adult. In this case the contract is valid (pursuant to article 1426, first part, of Italian civil code). The third hypothesis is that in which the minor says nothing about age because the e-commerce site does not require any registration. In this instance the contract is voidable.

Recently the case of a two-year-old girl who, playing with her mother's smartphone, unknowingly bought a three-seater sofa on Amazon costing almost $ 400[23].

In this context, there are article 8 of the European regulation n. 2016/679 and article 2 quinquies of the new privacy code[24], that oblige the online service seller to verify, or to have done everything possible to verify, that the consumer is over 14 years old (in Italy) or 16 years (in Europe). Furthermore, the article 8, paragraph 3, specifies that the GDPR does not prejudice the general provisions of the law of contracts of the Member States, such as the rules on the validity, formation or effectiveness of a contract with respect to a minor.  


[1] The notion of parental responsibility has replaced that of ‘parental authority’, and was introduced by Legislative Decree 154/2013 which rewrote the articles 315 and seq. of the civil code. On the one hand it has better identified the duties of parents towards their children, and on the other it has pointed out the duties of children towards their parents. Parental responsibility exists in all cases where there are children, regardless of whether they were born within or outside marriage.

Currently, therefore, the reciprocal rights and duties of children and parents are regulated in two different peers of the civil code, that is by articles 315 and 337 octies of the civil code, and by articles 143 to 148 of civil code, which sanction the rights and duties that arise from marriage, among which those towards children stand out. C.M. Bianca, Diritto civile, La famiglia, 2.1, (6th edn., Giuffrè, 2017), 377,380.

[2] Certainly communicating with children, helping them to understand what can happen using the web in a distorted way, giving them limitations and clear information, is the best way to prevent any risk. Often, however, a communicative prevention cannot suffice to defend the little ones from the web's pitfalls, and therefore the parents choose to resort to a digital control to monitor the online behavior of their children limiting their access

[3] In Android, an app has been designed that allows parents to approve and block their child's smartphone apps, as well as to block calls, sending messages or performing activities that could cost money. Among the Premium features (for a fee) there is the possibility of setting a timer to limit the daily use of the device and a timer to block the operation of the app after a specific period of time.

[4] In Windows, Mac OS X, Android, iOS, Kindle, Nook exists the free qustodio app that allows you to have a glance on your child's social and non-social activities. It can block unwanted sites, defend against cyber-predators and cyber-bullies, control phone calls and geolocate the child.

[5] Telecom, Tim, Wind and Vodafone Junior provide for the installation of the parental control.

[6] Search engines such as Google, Safe, Search include parental control installation.

[7] On the subject see F. D’Ambrogio, ‘Parental control: accorgimenti tecnici per escludere da parte dei minori la normale fruizione di contenuti classificati a visione non libera’ (2018) 1, Familia,25,34.

[8] The case of the Court of Teramo of 02/16/2012 is commented in: I. Famularo, ‘La responsabilità genitoriale per mancato controllo dei figli su Facebook’, in M. Bianca, A. Gambino, R. Messinetti, Libertà di manifestazione del pensiero e diritti fondamentali. Profili applicativi nei social network, (Giuffrè, 2016), 207 and seq.

[9] The case of the Court of Rieti of 04/12/2019 no. 312 is available at: https://www.diritto24.ilsole24ore.com/lex24/.

[10] In Italian law the "grooming" crime was introduced with Law n. 172/2012 and is governed by article 609 - undicies of the penal code; it punishes "any act aimed at obtaining the trust of the child through artifices, flattery or threats also put in place through the use of the Internet or other networks or media". Sul punto vedi: I. Salvadori, L' adescamento di minori. Il contrasto al child-grooming tra incriminazione di atti preparatori ed esigenze di garanzia, (Giappichelli, 2018); L. Aulino, ‘Sharenting: la tutela del minore online nell’era dei social network’, in L. Gatt, Il diritto di famiglia nell’era digitale, (Pacini, in course of publication).

[11] On the subject see P. Grimaldi, ‘Stalking e bullismo nell’era dei social network’ (2019) 6 Familia; G. Cassano, Stalking, atti persecutori, cyberbullismo e diritto all’oblio, (Wolters KKlower, 2017).

[12] The General Regulation 2016/679 of 24 May 2016, from now on GDPR (General Data Protection Regulation), is the European legislation on privacy and personal data protection. It was published in the European Official Journal on 4 May 2016, and entered into force on 24 May 2016, but its implementation took place from 25 May 2018. Its main purpose was to harmonize the regulation on the protection of personal data to within the European Union. 

[13] Directive 1995/46/EC and the privacy code were designed before the Internet transformed the way of life; currently, in fact, children's lives are always online.

[14] This provision was in contrast with the highly personal nature of the right to privacy; moreover, the internationalist conception of the child on an international level (see the New York Convention on the rights of children and that of Strasbourg on the exercise of the rights of children) was not of a subject incapable of acting outright, but of active participation in events of life that concerned him, without the necessary intermediation of the parents.

[15] On the point see IA Caggiano, Privacy e minori nell'era digitale. Il consenso al trattamento dei dati dei minori all'indomani del Regolamento UE 2016/679, tra diritto e tecno-regolazione’ (2018) 1 Familia, 3,23.

[16] Article 6 of the GDPR on the lawfulness of the processing, states that: “1. Processing shall be lawful only if and to the extent that at least one of the following applies: a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;  b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; c) processing is necessary for compliance with a legal obligation to which the controller is subject; d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks”.

[17] Article 8 on the conditions applicable to the consent of children in relation to information society services provides that:1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years. 2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology. 3. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child”.

[18] L. Aulino, ‘Il consenso digitale dei minori su facebook’, (2018) Data Protection Law, in http://www.dataprotectionlaw.it.

[19] A study conducted by the pediatric center Stanford Children's Health has shown that between 12 and 18 the adolescence manifests itself with the development of the cd. complex thinking (http://www.stanfordchildrens.org/en/topic/default?id=cognitive-development-90-P01594).

[20] Furthermore, since the entry into force of the GDPR, the main social networks, including Facebook, have envisaged that minors should identify, among their contacts or by indicating an e-mail, the adult who exercises parental responsibility, at order to validate their social profile. Consequently, the recipient of the request must comply with the consent to share sensitive data for their child. Yet the child under the age of 18 will be able to remedy the problem by indicating any e-mail address to which he will access and authorize the processing.

[21] On the subject see E. Andreola, ‘Il regime degli acquisti on line del minore quale consumatore debole’ (2017) 6, Familia, 683,701.

[22] On the point see F. Messineo, ‘Annullabilità e annullamento’, in Enc. dir., II, (1958) 476, according to which the scam must consist of an "efficient plot" similar to the provision of articles 1439, first paragraph, c.c.

[23] The case happened in California to Isabel McNeil, who discovered the purchase made by her daughter only a few days after the transaction, through a delivery notification by the courier. The mother both tried to cancel the order, which had already been sent, and to return the sofa, so she would have to pay about 150 euros for shipping costs. So he tried to resell it on an online trading platform. The matter was easily resolved, when Amazon, having learned of the incident, then offered her a full refund and gave her the opportunity to hold the sofa. https://www.ilfattoquotidiano.it/2019/10/12/da-il-cellulare-alla-figlia-di-due-anni-per-giocare-lei-compra-un-divano-su-amazon/5511361/ Dà il cellulare alla figlia di due anni per giocare: lei compra un divano su Amazon

[24] Legislative Decree no. 196/2003 updated to the Legislative Decree n. 101/2018.

  • Giappichelli Social