Towards securing children’s decisional privacy online

Privacy lies at the heart of any interaction online and is often categorized into decisional privacy, informational privacy and communications privacy. Informational privacy guarantees an individual the right to have their personal data collected, stored and processed lawfully; communications privacy ensures individuals the freedom to communicate securely without any intrusion; and decisional privacy allows individuals to make autonomous decisions away from interference and influence. These forms of privacy are primarily guaranteed to individuals of all age groups through international humanitarian laws, and several national frameworks as well. However, children do not enjoy absolute decisional privacy, and parents or guardians are often called upon to make decisions concerning children online, on their behalf.

PROCESSING OF PERSONAL DATA OF CHILDREN IN THE GLOBAL SOUTH

Child privacy laws tend to involve parents to make decisions on behalf of their children, or restrict the processing of children’s personal data.  

●      Under South Africa’s Protection of Personal Information Act, 2013 (POPIA), children’s data is prohibited from processing unless a “competent person” consents to it. Under the law, a competent person is someone who is legally capable of consenting to any action or decision made regarding any matter concerning a child. 

●      India’s Personal Data Protection Bill, 2019 prescribes an age verification system and mandates obtaining consent from a parent/guardian before processing the personal data of children. Under the law, a child is an individual below the age of 18.

●      According to Article 37 of Indonesia’s MOCI Regulation on Personal Data Protection in Electronic Systems, personal data of children can only be processed after obtaining consent from parent/guardian. Although this law doesn’t define “child”, Indonesia’s Law on Child Protection defines them as individuals below the age of 18.

●      Ghana’s Data Protection Act classifies personal data relating to children as “special personal data” and Article 37 of the Act prohibits the processing of special personal data. The exceptions are where such processing is necessary, or where the data subject consents to the processing. It is unclear whether a child can consent to such processing, or parent’s consent is essential.

●      According to section 4 of Malaysia’s Personal Data Protection Act 2010, in case of processing data of persons below the age of 18, consent must be obtained from a “relevant person” who is a parent/guardian or an individual with parental responsibility for the data subject.

IMPEDING CHILDREN’S DECISIONAL AUTONOMY 

When countries prohibit processing the personal data of children, it threatens their right to access information that is beneficial to them online. The internet unquestionably provides children with endless opportunities in terms of education, especially for those in less developed countries. It allows them to express themselves more freely, thereby playing a vital role in their development. Children’s online engagement also grants them an opportunity to explore several identities and interests without serious interference from parents. Provisions for parental consent in data protection laws should be replaced with requirements to obtain consent from children on a case-to-case basis. The provision should give due consideration to a child’s capacity to understand the consequences of their actions and then obtain informed consent from them. Only if this is not possible should parents/guardians’ consent be obtained. 

Studies show that children generally consider themselves as having a right to privacy online, even from their parents and peers. One can easily argue that parents are given too much authority over their children’s privacy, since it has been surveyed and identified that children have as much knowledge about online privacy and its risks as their parents. To ensure that children become digitally literate, they should be taught concepts like online privacy and data protection as part of their curriculum at an early age. National human rights institutions should conduct age-appropriate awareness and training programs for children to ensure that they have all the necessary information to make safe and informed decisions. 

Private companies should be encouraged to adopt a voluntary code to make their terms and policies regarding the collection, processing and storage of children’s data as comprehensive and interactive as possible – for example, with the help of pictures and diagrams. Data Protection Authorities should have separate centres to ensure strict enforcement of provisions regarding children’s processing of data and their security. 

The pandemic has necessitated children’s use of technology on a massive scale. In the years to come, the digitization of children’s lives is only going to intensify. Allowing parents to make decisions for children concerning their data will only leave them unprepared and more vulnerable for the future. Instead, children should be trained about the implications of their actions in the digital world. Given their enthusiasm and fascination with the digital world, they will surely comprehend these concepts in no time.

THE UN CONVENTION ON THE RIGHTS OF THE CHILD

The United Nations Convention on the Rights of the Child 1989 (“Convention”), despite being adopted before mass digitization, is immensely relevant in today’s day and age. It sets in stone children’s rights to privacy and not to be subjected to arbitrary and unlawful interference with this. The Convention has also been instrumental in transforming the way children are perceived, not as passive observers but as independent rights holders. It advocates for empowering children to engage actively and participate in decision-making processes concerning their lives as they evolve.

As researchers observe, “Implementation of child rights in the digital age requires not only adherence to human rights and values but also empowerment and participation of child users that fosters their creativity, innovation and societal engagement.” 

This article is part of a series collaboration between Human Rights Pulse and robos of Tech Law and Policy (r-TLP) in December 2020 aiming to highlight issues pertaining to technology and human rights. r-TLP is an initiative based in India that promotes publishing articles/opinion pieces on the intersection of technology, law, and policy. r-TLP is positively biased towards women, trans and non-binary people with a goal of providing a platform to these marginalised identities.

20200605_162141_2 - Aqsa Hussain.jpg

Sindhu is a final year law student at Christ University, India. She has a keen interest in Technology laws and writes regularly on issues surrounding privacy, data protection and artificial intelligence. She is a Contributing Editor at robos of Tech Law and Policy (r-TLP).

LinkedIn