The UN Committee on the Rights of the Child has issued new recommendations on children’s rights in relation to the digital environment.
Key data protection takeaways:
- The rights of every child must be respected, protected and fulfilled in the digital environment.
- States parties should ensure that, in all actions regarding the provision, regulation, design, management and use of the digital environment, the best interests of every child is a primary consideration.
- Digital service providers should actively engage with children, applying appropriate safeguards, and give their views due consideration when developing products and services.
- The design of age-appropriate measures should be informed by the best and most up-to-date research available, from a range of disciplines.
- States should mandate the use of child rights impact assessments to embed children’s rights into legislation, budgetary allocations and other administrative decisions relating to the digital environment.
- Businesses should respect children’s rights and prevent and remedy abuse of their rights in relation to the digital environment
- States should make the best interests of the child a primary consideration when regulating advertising and marketing addressed to and accessible to children.
- Sponsorship, product placement and all other forms of commercially driven content should be clearly distinguished from all other content and should not perpetuate gender or racial stereotypes.
- States should prohibit by law the profiling or targeting of children of any age for commercial purposes on the basis of a digital record of their actual or inferred characteristics, including group or collective data, targeting by association or affinity profiling.
- Practices that rely on neuromarketing, emotional analytics, immersive advertising and advertising in virtual and augmented reality environments to promote products, applications and services should also be prohibited from engagement directly or indirectly with children.
- States parties should ensure that appropriate and effective remedial judicial and non-judicial mechanisms for the violations of children’s rights relating to the digital environment are widely known and readily available to all children and their representatives.
- Appropriate reparation includes restitution, compensation and satisfaction and may require apology, correction, removal of unlawful content, access to psychological recovery services or other measures.
- Interference with a child’s privacy is only permissible if it is neither arbitrary nor unlawful. Any such interference should therefore be provided for by law, intended to serve a legitimate purpose, uphold the principle of data minimization, be proportionate and designed to observe the best interests of the child and must not conflict with the provisions, aims or objectives of the Convention.
- States should take legislative, administrative and other measures to ensure that children’s privacy is respected and protected by all organizations and in all environments that process their data.
- Legislation should include strong safeguards, transparency, independent oversight and access to remedy. States parties should require the integration of privacy-by-design into digital products and services that affect children.
- Where consent is sought to process a child’s data, States parties should ensure that consent is informed and freely given by the child or, depending on the child’s age and evolving capacity, by the parent or caregiver, and obtained prior to processing those data.
- Where a child’s own consent is considered insufficient and parental consent is required to process a child’s personal data, States parties should require that organizations processing such data verify that consent is informed, meaningful and given by the child’s parent or caregiver.
- States should ensure that children and their parents or caregivers can easily access stored data, rectify data that are inaccurate or outdated and delete data unlawfully or unnecessarily stored by public authorities, private individuals or other bodies, subject to reasonable and lawful limitations. They should further ensure the right of children to withdraw their consent and object to personal data processing where the data controller does not demonstrate legitimate, overriding grounds for the processing. They should also provide information to children, parents and caregivers on such matters, in child-friendly language and accessible formats.
- Children’s personal data should be accessible only to the authorities, organizations and individuals designated under the law to process them in compliance with such due process guarantees as regular audits and accountability measures. Children’s data gathered for defined purposes, in any setting, including digitized criminal records, should be protected and exclusive to those purposes and should not be retained unlawfully or unnecessarily or used for other purposes.
- Any digital surveillance of children, together with any associated automated processing of personal data, should respect the child’s right to privacy and should not be conducted routinely, indiscriminately or without the child’s knowledge or, in the case of very young children, that of their parent or caregiver; nor should it take place without the right to object to such surveillance, in commercial settings and educational and care settings, and consideration should always be given to the least privacy-intrusive means available to fulfil the desired purpose.
- States parties should require an approach integrating safety-by-design and privacy-by-design to anonymity, while ensuring that anonymous practices are not routinely used to hide harmful or illegal behavior, such as cyberaggression, hate speech or sexual exploitation and abuse.