Digital technologies permeate every sector of modern society and children’s lives are no exception. Innovative platforms have reshaped children’s experience of the world, presenting new risks that substantially affect their human rights. ‘Sharenting’ is one such risk; as it creates a traceable digital footprint which is attached to children without their consent (Haley, 2020). This carries material risks both for the healthy development of a child and their physical safety.
Children’s personal data must be protected and, specifically, the right to have digital information about them erased. Noting their inherent vulnerability, the General Data Protection Regulation (GDPR) does provide specific protection for children in Europe (Lievens, 2018); however, children’s privacy in the digital age should be better protected across the globe.
What is the European Union’s General Data Protection Regulation?
The GDPR is a regulation in European Union (EU) law on data protection and privacy. It ensures that organizations are responsible for safeguarding the personal data of EU citizens and sanctions violations of the regulation to ensure compliance. In considering the rights of children, all legal provisions and regulations must balance out the competing interest between parental rights to express their views and parent their child, and the privacy rights held by children (Haley, 2020).
A balanced rights-based approach should be adopted to provide children with more control over their own privacy (Haley, 2020). Following the GDPR, the EU has renewed its interest in the importance of monitoring the processing of personal data (Council of Europe, 2015). As data is typically processed behind closed doors, it is vital that data subjects are informed that their data is being collected, have knowledge about and access to their data, and have the ability to object to unlawful or unwanted processing (Council of Europe, 2015). In the case of children – noting their specific vulnerability – the GDPR establishes a child-friendly procedure to obtain consent from children for usage of their data, as their capacities evolve (Council of Europe, 2015).
Article 17 GDPR – the Right to Erasure
Following the Court of Justice of the European Union (CJEU) landmark ruling in Google Spain v. Costeja, Article 17 of the GDPR codified the ‘right to erasure’. This provision seeks to balance competing interests by ensuring parents have the ability to disclose information about their children and family life; however, this right can be curtailed by children’s overriding ability to request that data controllers remove specified information (Haley, 2020).
The right allows for the deletion, amendment or limitation of past records at the request of the subject, providing children with control over their digital footprint and online persona. The innovative provision is not perfect, as younger children (who do not meet the minimum age threshold, 13) are unable to protect themselves against data privacy violations before they come of age (Haley, 2020). Notwithstanding this fact, it remains an effective remedy for ‘sharenting’ challenges that places decision-making power on the children who matter the most.
In effect since 2018, Article 17 of the GDPR forces data controllers to delete immediately personal information on request ‘if it seems likely that [the child] gave their personal data without fully understanding the implications of doing so’ (Bunn, 2019). This phrasing cleverly ensures that children’s requests to have information deleted are rarely rejected, as they can frequently cite a lack of understanding as a reason for allowing the data to be stored. The obligations in Article 17 apply to data controllers (e.g. social media companies such as Facebook) rather than parents – focusing on a child’s best interests rather than punishing parents for their actions and decisions (Bunn, 2019).
Global Trends in Children’s Data Protection
While the GDPR is only applicable to European citizens, Article 17 is emblematic of a wider global trend and is paving the way for more worldwide legislation which aims to protect children’s online data. In response to children’s growing online presence, national government bodies are adopting more aggressive measures to safeguard their data.
In the United States of America (U.S.A.) federal law enforcement officers have recently twice broken long-standing records for the harshest penalties available for children’s online privacy in the country (Choi, 2019). These decisions are just a few examples of the nation’s ongoing effort to update their Children’s Online Privacy Protection Act (COPPA), to both provide harsher sanctions for social media companies and simultaneously create a European style “Eraser Button” for subjects to have their personal information deleted (Choi, 2019). As expressed by one of the originators of the COPPA, “the path to privacy for America is through the EU” (Choi, 2019).
Beyond the U.S.A. other countries are reforming existing policy and legislation to better protect children online. In Brazil, a recent amendment to the data protection bill (August 2020) places greater responsibility on data controllers to ensure they acquire the consent of children’s parents for the use of their data and are clear on the ways in which that data can be used (Choi, 2019). In South Korea – a country which already has provisions in place requiring parental consent when processing children’s data – lawmakers have taken the next step and are attempting to verify this consent (Choi, 2019).
This response acknowledges children’s inability to comprehend online risks and the fact that “online service providers may be neglecting their legal duty, partly due to the lack of provisions in the law for verifying consent” (Choi, 2019). In Australia and India respectively, both countries are yet to enact child specific data protection law, but recent political campaigns and legal decisions indicate a strong willingness to follow the EU’s lead encompassed in the GDPR (Choi, 2019).
Specific Vulnerability of Children
Children merit specific protection of their data as they might be less aware of the risks and consequences of its processing (International Commissioners Office). Under international law, the right to data protection is part of children’s right to privacy is described in Article 16 of the Convention on the Rights of the Child (CRC) (Lievens, 2018).
This article protects children from unlawful and arbitrary interference with their privacy, family, home or correspondence, including protections against unlawful attacks to reputation (CRC, 1989). These and other statutes aim to strike a delicate balance between fundamental parental rights, child access to information and social interaction, as well as the vital importance of protecting children from harm.
It is crucial that these rights are understood as being connected rather than independent. The rights a child has to development (Article 6, CRC), privacy (Article16, CRC) and private and family life (Article 8, CRC) all need to be balanced against the overarching right to have their best interests protected (Article 3, CRC). Children’s specific vulnerability in regard to sharenting is multi-dimensional, but perhaps most concerning is the risk that children’s mental development is affected by increased social anxiety and discomfort (Lievens, 2018).
Ways Forward and Recommendations by the Committee on the Rights of the Child
The long-lasting and multi-dimensional challenges posed to children by ‘sharenting’ need to be addressed through an equally diverse response. The right to be forgotten protects parental rights to freedom of expression while simultaneously eliminating some of the long-term harms of this behavior on children (Haley, 2020). The digital environment is reshaping the world for children, generating a new potent need for children to have control over their own personal data (Lievens, 2018).
Whilst the right to be forgotten does not eliminate the original harm that a child might suffer due to ‘sharenting’, it enhances the possibility of restricting the level of harm in the long-term. Adults have the right to change their mind and remove information that they have posted about themselves if it affects them negatively, children should be afforded that same privilege.
The Committee on the Rights of the Child in its General Comment No. 25 proposes a few recommendations for States to adopt in order to better protect children:
- States should endeavor to ensure national policies and strategies relating to the digital space center children’s rights issues at the heart of all considerations. This recommendation will prevent the technological space from ignoring children in policy considerations; the fact that children are often too young to access technology, does not mean that adults’ use of modern tools and platforms cannot harm them.
- States should ensure judicial and non-judicial frameworks and mechanisms for children’s rights violations are accessible to all children. Due to their vulnerable position and lack of knowledge, children may not be able to identify perpetrators, gather evidence or register complaints. Additionally, adults acting on behalf of children may be reluctant to disclose information related to children’s rights online due to its sensitivity and fears on how it may be received by their peers. Dispute resolution mechanisms must consider this fact and sufficiently protect children.
- States should extend data protection laws and policies to non-traditional areas. As toys, clothes and other objects grow intrinsically linked with technology (especially through embedded sensors), States must ensure organizations and services which enable these developments are subject to non-traditional data protection provisions. This includes through private technological access or publicly where children may be affected by technology.
In all actions related to children and their interaction with technology, their best interests should be centered in all considerations. The Council of Europe further recommends that (Council of Europe, 2018):
- Legal frameworks in place for the digital environment should routinely consider the impact technology has on children to ensure data protection authorities are competent and able to address child complaints and prevent their harm in the first place. This will guard against the unlawful processing of personal child data and establish rectification mechanisms.
At Humanium, we seek to raise awareness on the importance of children’s rights to food, education and protection. Join us in making children’s rights to a safe environment and accessible education a reality by sponsoring a child, making a donation or becoming a volunteer!
Written by Vanessa Cezarita Cordeiro