Hyperconnected, young generations benefit from easy and regular internet access at a very young age, and, most often from their smartphones which makes parental supervision more complicated. Furthermore, usage linked to social media takes up a significant portion of daily interactions by children in terms of socialisation. Yet, internet sites, mobile applications and connected objects collect huge quantities of sensitive data belonging to young users. What are the risks to which our children are exposed? How does the law provide for the protection of children’s personal data?
Protecting the sensitive data of children: a major societal challenge
There is an “internet paradox” which can be expressed as follows: the digital ecosystem is a land of infinite possibilities for younger generations, in terms of education, information, entertainment and socialising; but it is also a hostile territory riddled with dangers (shocking or inappropriate content, cyber-harassment, incitations to hatred, etc.) to which minors are particularly exposed.
Added to this are the risks related to the collection of massive amounts of personal data, the usage of which can have serious consequences for young internet users – not just now, but also in the future. In 2018, a report by the UK child protection commission (quoted by French newspaper Le Monde) underlined that “personal data collected during childhood can be used to shape the life experiences of an individual and their long-term opportunities – for the better and for the worse.” All told, a child’s digital identity, as it is defined by their online presence, is likely to have an impact on their lives for many years.
The three challenges to face regarding sensitive data
This increasing digitalisation of children presents us with a three-fold societal challenge regarding sensitive data:
- The necessity to better supervise children’s digital usage, particularly younger children.
- The need to regulate corporate personal data collection, thanks to appropriate data protection measures.
- The urgency to raise children’s awareness of the risks related to sharing sensitive data, but also their protection rights in this respect – which they too often ignore.
Data protection: specific rules for children
In this respect, we can observe that regulations are becoming more strict, at the European level with the GRDP (which came into force in 2018) and at the national level, in France, via the CNIL. The European general regulation on data protection includes specific provisions for children (recital No. 38): “Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.”
What “specific protection” are we talking about? The text refers (in Article 8) to the obligation to obtain the consent of a child and their parents in the event of collecting sensitive data relative to children aged under 15 years, or for data used for marketing or personal profile creation – on social media, for example. This threshold can be reduced to 13 years for countries who so desire. As a result, the data processor must make reasonable efforts to verify that in such cases this double consent is granted, although no terms and conditions related to compliance are specified.
School: a case study
Any educational establishment has the right to request personal data within the framework of schooling of the child.
- the vaccination status of the child for group life;
- health data in secure format consultable only by professionals bound by professional secrecy (school doctor, nurse, etc.);
- the family allowance for the calculation of grants and services.
Collecting and processing such data is considered necessary for the schooling of a child in compliance with regulatory texts, in other words within the framework of the public interest mission the State assigns to the School.
Collection of data relative to religion, origin and political opinions is prohibited.
Data relative to the health of children is authorised but limited to certain cases, the data must have a link with the implementation of a pedagogical assistance program (PAI, PPS, PAP or PPRE in France).
Lastly, establishments must request authorisation from a legal representative of the child to take photographs or disseminate images of the child, specifying the context and the usage that will be made. This authorisation may be requested at the start of the year or during the year for specific situations.
Obstacles to protection of children’s sensitive data: the example of social networks
Usage of social networks by child internet users is a prime example of the difficulties encountered with sensitive data protection on the internet. A study carried out by Génération Numérique (Digital Generation) in 2020 found that close to 96% of 15-18-year-olds have at least one social media account, but that this was also the case for 63% of under 13s… even though French law (which, in this case, mirrors US law) prohibits access to these applications before this age!
Between the ages of 13 and 15, consent from one of the parents is required by the European personal data protection regulation, as well as consent of the child. But, in practice, how many parents are involved in the creation of their children’s social media accounts, and, above all, how many of them monitor their children’s usage of these platforms?
What are the levers to protect the personal data of children?
The example of social networks calls for reflection on the levers to use to protect the sensitive data of children. Here are two, undoubtedly the most important:
- Inform children regarding their rights, in an age-appropriate way, and encourage them to exercise them: requirement for a data processor to obtain their informed consent, the right to be forgotten (the right of erasure) reinforced for under 18s (Article 40 of the French law on information society and freedoms), etc. The Génération Numérique report found that 75% of 11 to 18-year-olds encountered difficulties deleting content relative to them published by another internet user, and 58% of those who tried to delete an account on social media were unable to do so!
- Raising parental awareness of issues related to personal data protection, and providing them with the means to educate their children in appropriate digital usage. Studies show, in fact, that parents have scant knowledge of sensitive data protection measures: 57% of them do not use any parental control tools, 60% do not know who to turn to tackle acts of cyberbullying of their children (source: CNIL).
The protection of the sensitive data of children is therefore a genuine challenge in a world where digital technologies are available at any age, without parental supervision. While the legal framework does indeed exist, it does not have enforceable power: within the household, it is up to each member to reflect on the best ways to protect children using the internet and provide them with appropriate digital education.