Fairness, Consent and the United Nations Convention on the Rights of the
Child
Dr. Valerie Verdoodt, 16 September 2020 HMI-CAIDE Workshop Consent & Consumer Manipulation
Children are less aware of the risks and the potential consequences of the processing of their personal data on their rights and merit specific protection (
Recital 38 GDPR)
The special status of children in EU data
protection law
Fair processing of children’s personal data
Fairness is a core principle of the GDPR (Article 5 GDPR)
- Need to fairly balance competing rights and interests - Consider reasonable expectations of data subjects
The GDPR has left an important question unanswered:
- What is fair processing of children’s data?
Consider the impact of the data processing on children’s CRC rights
Consider the impact of the data
processing on children’s CRC rights
The CRC and its multidimensionality
“…the holistic nature of children’s rights demands that other perspectives are factored in when implementing protective measures in the law” (van der Hof, 2017)
Protection
Provision Participation
Play
Protection from exploitation
Well-being &
development
Freedom of expression,
thought
Education
Privacy
Balancing exercise guided by
the overarching children’s
rights principles
Fairness, children’s rights and (parental) consent
Article 8 GDPR
Conditions applicable to child's consent in relation to information society services 1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
Protection
Provision Participation
Fairness
Conclusion: need for a comprehensive, rights-based approach to the protection of children’s personal data
De-responsibilisation
De-responsibilisation Re-responsibilisation Re-responsibilisation
Obligation to conduct CRIAs for data controllers that want to process children’s personal data + monitoring
Default limitations on the processing and use of children’s
personal data for commercial purposes (precautionary approach)
Child-appropriate design
Enforcement priority of DPAs
Parents & children DPAs, data controllers, legislator