calendar tag arrow download print
Skip to content

eLaw professor: Protect kids online, but don’t deprive them of their rights and freedoms

13 February 2018
Blog Decent Digitisation Human rights Children

The General Data Protection Regulation (GDPR) decrees that parents must consent to their children’s data being collected, but we should be careful about putting children under constant observation. Let’s make sure that their rights and freedoms remain intact.

By Simone van der Hof, Professor of Law and Information Society at eLaw, Centre for Law and Digital Technologies, Leiden University

Reading time: 2-3 minutes | Be sure to read the other articles in the Decent Digitisation series.

Imagine that your five-year-old daughter is playing football with a friend at a local playground. They’re surrounded by a group of people who are writing down everything the two children do and don’t do – are they being nice to each other, are they talented players? These people are always there, but no one knows precisely who they are and what they’re doing with the information they’re collecting.

Would you go along with this situation, as a parent? Of course not. And yet, in the digital world, it’s become standard practice to continuously track, quantify and analyse children’s behaviour.

Fortunately, there is growing awareness that we have to put a stop to that. Rules are being drawn up and policies introduced to protect children’s privacy. But that is precisely why we must be especially vigilant now: in our eagerness to protect our children, we must not take away their freedom to develop.

Illustrations Max Kisman
Illustrations Max Kisman

Two documents asserting the rights of children

Two documents are critically important for safeguarding children’s rights. They are the EU’s new General Data Protection Regulation (GDPR) and the United Nations’ Convention on the Rights of the Child (UNCRC). But these two disagree on certain points.

Let’s begin with the GDPR, effective 25 May 2018, which aims to improve consumer data protection and which takes a special interest in children, who are often unaware of the risks that personal data processing poses. For example, under the GDPR online service providers must have parents’ consent before they can process the personal data of children under the age of 16. The overriding aim of the GDPR is to protect children.

The other document, the UNCRC, requires that in every decision by public and private parties concerning children, the best interests of the child must be a primary consideration. In other words, we must think of the children first. We must also consider children’s rights in their totality. All of their rights are relevant, and not just their right to have their privacy protected. It is precisely this principle that may clash with the GDPR.

Protection of privacy at the expense of privacy

Let’s take the GDPR's parental consent rule as an example. It could very well have a negative impact on the rights of children. Specifically, children will need a parent’s consent for many of their online activities. Teenagers understandably don’t always want their parents looking over their shoulder. That becomes problematical if service providers are strict about applying the rule, since parents will be obliged to monitor their teenager’s online activities.

Interestingly enough, this rule is at loggerheads with the notion that parents too must respect children’s right to privacy. After all, children have the right to discuss sensitive topics with other children away from prying eyes and ears. Privacy is enormously important for children of any age.

Other children’s rights are under pressure too

At the same time, some companies are excluding children from their platforms. Google services such as Gmail block users who turn out to be younger than 16. Many schoolchildren make use of Gmail and get into trouble when they suddenly can’t access their e-mail – and perhaps their homework.

Google services such as Gmail block users who turn out to be younger than 16
Simone van der Hof

Google is simply adhering to privacy law, but if the more stringent GDPR means that more companies will tighten the reins and exclude children from their services, then children’s right to certain freedoms and to development is impacted directly: the right to obtain information and to express themselves freely, the right to access media, the right to privacy and freedom of association, the right to engage in play, and the right to an education. Unilateral protection rules can therefore have negative consequences.

In addition, it is doubtful that parental consent will actually offer much protection. It’s an illusion to think that we as individuals control our personal data and that we can choose, or at least know, what happens to that data. We don’t have that control and it is entirely unclear how personal data is processed in the inner workings of the internet.

Choose ‘privacy by design

But here too, there are solutions to hand. The principle of ‘privacy by design’ introduced in the GDPR makes it possible to use innovative means to build a child-friendly digital world. Creative app designers could turn their hand to making data practices in apps transparent in a manner that children of all ages can understand.

Even better would be to change the ‘standard’ and stop automatically observing and analysing children’s online behaviour (‘privacy by default’) – or to anonymise their personal data immediately. Parental consent would be unnecessary then, and we would be safeguarding the rights of children.

Whatever choices we make in our eagerness to protect children, let’s make sure that their rights and freedoms remain intact. Because that is ultimately in the best interest of every child. 

By Simone van der Hof, Professor of Law and Information Society at eLaw, Centre for Law and Digital Technologies, Leiden University

Read more

Be sure to read the other articles in the Decent Digitisation series, and the related reports: