Abstract
The Children’s Code was incorporated into the UK GDPR in 2018. Since then we have considered at defenddigitalme, whether the Best Interests of the Child principle viewed specifically as a child rights principle, brings potential conflicts and confusion into data protection governance. This may be inherent in the adoption of ideas from one area of governance into another. We have therefore explored existing precedents in law around the Best Interests of the Child outside data protection law, and considered the potential implications.
The ICO uses the term “the Children’s Code” so we will do the same in this paper. However this statutory code of practice will have significant effects beyond children’s activity in the digital environment because it sets out ways
in which digital services “likely to be accessed by children” should comply with the UK GDPR when using children’s data, thus infers knowing which user is a child.
The Children’s Code is a collection of 15 principles to set expectations of how children’s personal data should be processed in order to be compliant with UK data protection law. Its leading principle is that the “Best Interests of the Child” are the primary consideration when designing and developing online services. The Head of Regulatory Strategy at the ICO confirmed this in a blog in July 2021, “Put simply, the best interests of the child are whatever is best for any individual child using your service.”
This principle comes from Article 3 of the United Nations Convention on the Rights of the Child (UNCRC). The Code. Anyone processing children’s data must consider and be able to demonstrate how they are acting in the best interests of children, and have balanced this right against other rights, when the use of personal data about children impacts the range of rights children hold under the UNCRC. But the ICO should clarify whether it will consider the Best Interests of the Child as being a substantive or procedural obligation on digital service
providers.
Article 3 of the UNCRC in the Children’s Code should not be overemphasised at the expense of other rights and used to undermine children’s voice and choices in their own experiences in the digital environment. The UNCRC is emphatically not about protecting children as vulnerable objects of care who require protection by parents, guardians, the state, or digital service providers at
the expense of children’s other rights.
The nature of the Best Interests of the Child principle is patriarchal by design. Adults deciding for children can undermine children’s autonomy and agency under Article 12 of the UNCRC. However, the duties and responsibility of parents and guardians in the second paragraph of Article 3 itself is too often left out of
discussion of a child’s best interests. Parents and guardians are referenced further in Articles 5 and 18 of the UNCRC, and the latter notes that the Best
Interests of the Child shall be their basic concern.
Decision-making on how to balance children’s rights will be new for most businesses. The Children’s Code may shift the responsibility for decisions away
from parents at the point of their child’s use of digital products, and make it the responsibility of the architects and designers of tools and services, who will predetermine the available choices in a service.
Since the Children’ Code sits within the UK Data Protection regime its application is complicated by exiting the EU. Recent announcements made by the Department for Digital Culture Media and Sport suggest plans to change UK law., which are outlined in the consultation, Data: A New Direction.
In the context of other policy work in progress, this uncertainty means a lack of clarity, consistency, and confidence in how such principles should be applied.
Five key questions that therefore need to be addressed, are (1) Whether the ICO perceives the principle to be a substantive or a procedural right (2) How to operationalise the Code to ensure its realisation as intended (3) How the Best Interests of a Child will be balanced within the assessment of the full range of child rights by industry, (4) How it will be assessed (a) within the ICO priorities in external enforcement and (b) its own internal regulatory duties, and (5) How the wider effects of the Children’s Code will be assessed, inside and outside the field of data protection.
The ICO uses the term “the Children’s Code” so we will do the same in this paper. However this statutory code of practice will have significant effects beyond children’s activity in the digital environment because it sets out ways
in which digital services “likely to be accessed by children” should comply with the UK GDPR when using children’s data, thus infers knowing which user is a child.
The Children’s Code is a collection of 15 principles to set expectations of how children’s personal data should be processed in order to be compliant with UK data protection law. Its leading principle is that the “Best Interests of the Child” are the primary consideration when designing and developing online services. The Head of Regulatory Strategy at the ICO confirmed this in a blog in July 2021, “Put simply, the best interests of the child are whatever is best for any individual child using your service.”
This principle comes from Article 3 of the United Nations Convention on the Rights of the Child (UNCRC). The Code. Anyone processing children’s data must consider and be able to demonstrate how they are acting in the best interests of children, and have balanced this right against other rights, when the use of personal data about children impacts the range of rights children hold under the UNCRC. But the ICO should clarify whether it will consider the Best Interests of the Child as being a substantive or procedural obligation on digital service
providers.
Article 3 of the UNCRC in the Children’s Code should not be overemphasised at the expense of other rights and used to undermine children’s voice and choices in their own experiences in the digital environment. The UNCRC is emphatically not about protecting children as vulnerable objects of care who require protection by parents, guardians, the state, or digital service providers at
the expense of children’s other rights.
The nature of the Best Interests of the Child principle is patriarchal by design. Adults deciding for children can undermine children’s autonomy and agency under Article 12 of the UNCRC. However, the duties and responsibility of parents and guardians in the second paragraph of Article 3 itself is too often left out of
discussion of a child’s best interests. Parents and guardians are referenced further in Articles 5 and 18 of the UNCRC, and the latter notes that the Best
Interests of the Child shall be their basic concern.
Decision-making on how to balance children’s rights will be new for most businesses. The Children’s Code may shift the responsibility for decisions away
from parents at the point of their child’s use of digital products, and make it the responsibility of the architects and designers of tools and services, who will predetermine the available choices in a service.
Since the Children’ Code sits within the UK Data Protection regime its application is complicated by exiting the EU. Recent announcements made by the Department for Digital Culture Media and Sport suggest plans to change UK law., which are outlined in the consultation, Data: A New Direction.
In the context of other policy work in progress, this uncertainty means a lack of clarity, consistency, and confidence in how such principles should be applied.
Five key questions that therefore need to be addressed, are (1) Whether the ICO perceives the principle to be a substantive or a procedural right (2) How to operationalise the Code to ensure its realisation as intended (3) How the Best Interests of a Child will be balanced within the assessment of the full range of child rights by industry, (4) How it will be assessed (a) within the ICO priorities in external enforcement and (b) its own internal regulatory duties, and (5) How the wider effects of the Children’s Code will be assessed, inside and outside the field of data protection.
Original language | English |
---|---|
Publisher | Defend Digital Me |
Number of pages | 16 |
Publication status | Published - Oct 2021 |