Children’s data need special attention
Wednesday, January 26, 2022

Like adults, children have the right to private and family life in the digital environment, which includes the protection of their personal data.

The confidentiality of their correspondence and private communications is vital, and so is full control of their data, and the right to opt out of data collection or to have their data erased at any time.

The age of consent and the ability to consent should be viewed separately from child-specific data protection. Children are entitled to special protection and consideration for their data until they reach the age of maturity (18) irrespective of the age of consent.

This protection extends to the right of rectification and erasure (often referred to as the right to be forgotten) and protection from profiling based on automated processing.

Importantly, the adoption of data protection laws has become common across all regions. At the national level, a couple of measures have been put in place for the protection of the data of children, technically known as ‘data subjects’, though more needs to be done.

To begin with, there is Law n°71/2018 of 31/08/2018 relating to the protection of the child, which fulfils the country’s international obligation stemming from the UN Convention on the Rights of the Child (CRC).

The national law protecting child rights enunciates fundamental child rights as enshrined in the Convention. Particularly with respect to safeguarding children’s data, Article 26 of this law on child protection scantily mentions the right to privacy.

It does so only in the context of criminal proceedings, and falls short of a general description of data protection in the sense of the contemporary digital environment.

But in the context of using digital technologies, which is ubiquitous, the government adopted a policy, known as the Rwanda Child Online Protection Policy (“the COP Policy”), designed to mitigate those risks and harms, and to deliver a framework that meets children’s needs and fulfils their rights, while enabling them to safely and confidently navigate the digital environment.

This policy came into being in 2018. And it spells out the general protection of children’s basic rights as envisaged in the national child protection law as earlier noted.

Particularly, with regard to data protection, the COP Policy expresses the need to “introduce data protection regulations, ensuring that children’s data is protected appropriately, collected only where necessary with the high levels of security and care.

Such general regulations should include children’s data given special category status, requiring higher levels of protection and other safeguards, and the introduction of parental consent for the online collection and processing of younger children’s data”.

In this regard, Rwanda’s law no. 058/2021 relating to the protection of personal data and privacy, which is yet to become operational, provides in its Article 9: “Where the data controller, the data processor or a third party knows that personal data belong to a child under the age of sixteen (16) years, he or she must obtain the consent of a holder of parental responsibility for the child in accordance with relevant laws.”

This is obviously a remarkable development in protecting children’s data [as data subjects].

A question arises when there is a breach of a data subject’s right to consent prior to the operationalization of the foregoing legislation. Could such a breach be viewed as a violation of the AU Convention on Cyber Security and Personal Data Protection (which Rwanda ratified in November 2019)?

Moreover, the AU Convention on Cyber Security and Personal Data Protection provides general data protection provisions for the whole continent. The AU Convention only refers to children in the context of child sex abuse materials (referred to in the text as ‘child pornography’) and does not give them any extra rights to data protection different from those of adults.

This is unlike the General Data Protection Regulation (GDPR), which, under Article 8, provides conditions applicable to a child’s consent in relation to information society services.

According to the GDPR, the processing of the personal data of a child shall be considered lawful if the child is at least 16 years old.

In other words, the general rule provides for a parental consent requirement for all youth under 16 years old in situations where information society services are offered directly to them, and consent is the lawful ground on the basis of which the data is processed.

Given that social networks and online communication services are the lifeline to childhood in the digital environment, it is paramount to have in place provisional measures for implementing the AU Convention, while benchmarking against the GDPR, prior to the operationalization of law no. 058/2021 relating to the protection of personal data and privacy.

To achieve this aim, relevant authorities need to recognise that the digital environment is complex and rapidly evolving, and is reshaping children’s lives in many ways, resulting in opportunities for and risks to their well-being and enjoyment of human rights.

Relevant authorities need to do more, by ensuring that existing regulatory frameworks are effectively enforced. In so doing, the participation of children should not be overlooked.

To sum up, all relevant public and private stakeholders share responsibility for ensuring that the integrity of children’s data is not compromised in spite of the evolving digital environment, and thus coordination of their actions is of paramount importance.

The writer is a data protection and privacy expert.

The views expressed in this article are those of the writer.