Social Media: What about children's privacy rights?
The right of privacy in respect of children has been protected as a fundamental right long before the digital revolution. However, with social media and digital content growing to be a major part of the everyday life for almost all citizens, this issue has been given greater importance by legislators, courts and civil society.
In this article we look at the General Data Protection Regulation (GDPR) and how this extends to protect privacy rights of minors, as well as the extent to which parents or guardians are able to post information related to children on social media in light of a recent Norwegian decision on the matter.
Privacy rights - the GDPR perspective
The GDPR came into force in May 2018, and contains a number of provisions aimed at safeguarding children’s privacy rights in the digital world. The Recital to the GDPR stresses the fact that children “may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data” (see Recital 38 to the GDPR).
One of the key rights to consider in particular is the right to erasure of personal data relevant where a person has consented to processing of such data as a child but not been “aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet” (see Recital 65 to the GDPR).
This is certainly something to take into account as children seek to download apps on to their smartphones, sign up to social media accounts or accept cookies when browsing the internet or even use connected toys or the Internet of Things.
When is a child considered “a child” for privacy purposes?
The GDPR doesn’t provide for one fixed age for when a person is deemed to be a child. This means that the age limit is set at the age of sixteen as a default position, but that EU member states have been granted a margin of maneuver to reduce the age of consent for privacy matters down to age thirteen. Statistics show that nearly half of the member states has exercised this legislative flexibility, and this is the case for the UK, for example, which lowered the privacy age to 13 years.
As is the case for processing of personal data from non-minors, processors and controllers need a lawful basis to process children’s personal data.
If you rely on consent for processing personal data and provide online services to a child, then consent can only be relied on if the child is at the age or over the age determined in accordance with Article 8(1) GDPR in the domestic law of the member state, i.e., between 13 and 16 years old.
If you are providing such services to a child that is under this age, then you would have to rely on consent from a person who has parental responsibility for the child.
Consent as lawful basis of processing is not always required, and in many cases can other grounds be better suited to instances where the data subject is a child. Nonetheless, it has been especially emphasized that particular attention shall be made to the fundamental rights of children, when they are the data subject, and the controller/processor is relying on legitimate interest as a legal basis (i.e., Article 6(f) of the GDPR).
What about AI/new technologies?
New technologies, such as automated decision-making, is a sensitive topic and processing personal data for such purposes is regulated in a specific provision in the GDPR at Article 22. The provision itself is silent with regard to children and how/if children can be subject of such processing. A general acceptance of such processing must be deemed legal, since the provision applies to all data subjects.
All conditions listed in the provision must be complied with, and when looking at Recital 71 of the GDPR, the threshold for accepting automated decision-making concerning children be set high level. Recital 71 further holds that automated decision-making “should not concern a child”.
Due to the fact that this general prohibition is nowhere to be found in the GDPR provisions, cannot this be seen as an absolute prohibition but rather an expression of the high threshold for accepting such decision-making when the data subject is a child.
Other areas of law
The issue of children’s right to privacy is also regulated in other areas of law.
In a recent Norwegian Supreme Court judgment a mother was held to be criminally liable for violating her daughter’s right to privacy. The mother had created a Facebook-page with the title “[Daughters name] shall come home” and published pictures and videos of her daughter on this page.
Facebook posts of children - criminal liability?
The mother had lost custody of her daughter, and the public Facebook-page was an attempt to overturn this decision. The Norwegian Supreme Court assessed pictures and videos of the daughter in vulnerable situations and videos of the daughter expressing strong emotions. The Facebook-page, now closed, had 5000 followers at its peak.
Posting on such a Facebook-page was found to clearly be a public posting, and neither consent from the daughter, seven years old at the time the posts were made, nor parental responsibility, was accepted as a defense to this criminal offence.
Human rights?
An important part of the judgment was whether making such posts was within the mother’s freedom of expression.
The Norwegian Court found, when relying heavily on the Axel Springer – case and the Krone Verlag-case from the European Court of Human Rights, that Facebook posts not done in the pursuit of enlightening the public as to the working methods of Norwegian Child Services, but rather due to the mother’s personal struggle of getting custody of her daughter.
The Norwegian Court was also afraid that by allowing such posts to take place, this could put vulnerable children in a difficult position where parents exert pressure on them to criticize Child Services.
The Norwegian judges concluded that the mother’s right to freedom of expression was overruled by the daughter’s right to privacy.
Children’s right to privacy has a particular status across several legal areas. This is not a new development, but the recent digital revolution has changed how we interact with each other. In the same way that the right to privacy of adults has changed with this digital revolution, there is now a need to adjust the children’s privacy rights to this new reality too - which parents and guardians should take into account - not least when sharing information on social media.
For more information about privacy laws and how they apply to you or your business, please get in touch!
Article by Anders Molander Skavlan @ Gerrish Legal, November 2019