E. Right to privacy
67. Privacy is vital to children’s agency, dignity and safety and for the exercise of their rights. Children’s personal data are processed to offer educational, health and other benefits to them. Threats to children’s privacy may arise from data collection and processing by public institutions, businesses and other organizations, as well as from such criminal activities as identity theft. Threats may also arise from children’s own activities and from the activities of family members, peers or others, for example, by parents sharing photographs online or a stranger sharing information about a child.
68. Data may include information about, inter alia, children’s identities, activities, location, communication, emotions, health and relationships. Certain combinations of personal data, including biometric data, can uniquely identify a child. Digital practices, such as automated data processing, profiling, behavioural targeting, mandatory identity verification, information filtering and mass surveillance are becoming routine. Such practices may lead to arbitrary or unlawful interference with children’s right to privacy; they may have adverse consequences on children, which can continue to affect them at later stages of their lives.
69. Interference with a child’s privacy is only permissible if it is neither arbitrary nor unlawful. Any such interference should therefore be provided for by law, intended to serve a legitimate purpose, uphold the principle of data minimization, be proportionate and designed to observe the best interests of the child and must not conflict with the provisions, aims or objectives of the Convention.
70. States parties should take legislative, administrative and other measures to ensure that children’s privacy is respected and protected by all organizations and in all environments that process their data. Legislation should include strong safeguards, transparency, independent oversight and access to remedy. States parties should require the integration of privacy-by design into digital products and services that affect children. They should regularly review privacy and data protection legislation and ensure that procedures and practices prevent deliberate infringements or accidental breaches of children’s privacy. Where encryption is considered an appropriate means, States parties should consider appropriate measures enabling the detection and reporting of child sexual exploitation and abuse or child sexual abuse material. Such measures must be strictly limited according to the principles of legality, necessity and proportionality.
71. Where consent is sought to process a child’s data, States parties should ensure that consent is informed and freely given by the child or, depending on the child’s age and evolving capacity, by the parent or caregiver, and obtained prior to processing those data. Where a child’s own consent is considered insufficient and parental consent is required to process a child’s personal data, States parties should require that organizations processing such data verify that consent is informed, meaningful and given by the child’s parent or caregiver.
72. States parties should ensure that children and their parents or caregivers can easily access stored data, rectify data that are inaccurate or outdated and delete data unlawfully or unnecessarily stored by public authorities, private individuals or other bodies, subject to reasonable and lawful limitations. They should further ensure the right of children to withdraw their consent and object to personal data processing where the data controller does not demonstrate legitimate, overriding grounds for the processing. They should also provide information to children, parents and caregivers on such matters, in child-friendly language and accessible formats.
73. Children’s personal data should be accessible only to the authorities, organizations and individuals designated under the law to process them in compliance with such due process guarantees as regular audits and accountability measures. Children’s data gathered for defined purposes, in any setting, including digitized criminal records, should be protected and exclusive to those purposes and should not be retained unlawfully or unnecessarily or used for other purposes. Where information is provided in one setting and could legitimately benefit the child through its use in another setting, for example, in the context of schooling and tertiary education, the use of such data should be transparent, accountable and subject to the consent of the child, parent or caregiver, as appropriate.
74. Privacy and data protection legislation and measures should not arbitrarily limit children’s other rights, such as their right to freedom of expression or protection. States parties should ensure that data protection legislation respects children’s privacy and personal data in relation to the digital environment. Through continual technological innovation, the scope of the digital environment is expanding to include ever more services and products, such as clothes and toys. As settings where children spend time become “connected”, through the use of embedded sensors connected to automated systems, States parties should ensure that the products and services that contribute to such environments are subject to robust data protection and other privacy regulations and standards. That includes public settings, such as streets, schools, libraries, sports and entertainment venues and business premises, including shops and cinemas, and the home.
75. Any digital surveillance of children, together with any associated automated processing of personal data, should respect the child’s right to privacy and should not be conducted routinely, indiscriminately or without the child’s knowledge or, in the case of very young children, that of their parent or caregiver; nor should it take place without the right to object to such surveillance, in commercial settings and educational and care settings, and consideration should always be given to the least privacy-intrusive means available to fulfil the desired purpose.
76. The digital environment presents particular problems for parents and caregivers in respecting children’s right to privacy. Technologies that monitor online activities for safety purposes, such as tracking devices and services, if not implemented carefully, may prevent a child from accessing a helpline or searching for sensitive information. States parties should advise children, parents and caregivers and the public on the importance of the child’s right to privacy and on how their own practices may threaten that right. They should also be advised about the practices through which they can respect and protect children’s privacy in relation to the digital environment, while keeping them safe. Parents’ and caregivers’ monitoring of a child’s digital activity should be proportionate and in accordance with the child’s evolving capacities.
77. Many children use online avatars or pseudonyms that protect their identity, and such practices can be important in protecting children’s privacy. States parties should require an approach integrating safety-by-design and privacy-by-design to anonymity, while ensuring that anonymous practices are not routinely used to hide harmful or illegal behaviour, such as cyberaggression, hate speech or sexual exploitation and abuse. Protecting a child’s privacy in the digital environment may be vital in circumstances where parents or caregivers themselves pose a threat to the child’s safety or where they are in conflict over the child’s care. Such cases may require further intervention, as well as family counselling or other services, to safeguard the child’s right to privacy.
78. Providers of preventive or counselling services to children in the digital environment should be exempt from any requirement for a child user to obtain parental consent in order to access such services. Such services should be held to high standards of privacy and child protection.
F. Birth registration and right to identity
79. States parties should promote the use of digital identification systems that enable all newborn children to have their birth registered and officially recognized by the national authorities, in order to facilitate access to services, including health, education and welfare. Lack of birth registration facilitates the violation of children’s rights under the Convention and the Optional Protocols thereto. States parties should use up-to-date technology, including mobile registration units, to ensure access to birth registration, especially for children in remote areas, refugee and migrant children, children at risk and those in marginalized situations, and include children born prior to the introduction of digital identification systems. For such systems to benefit children, they should conduct awareness-raising campaigns, establish monitoring mechanisms, promote community engagement and ensure effective coordination between different actors, including civil status officers, judges, notaries, health officials and child protection agency personnel. They should also ensure that a robust privacy and data protection framework is in place.
The whole document is available as a pdf-file here.