Kia ora koutou,
Late last year, the Office of the Privacy Commissioner of New Zealand launched the Children and Young People's Privacy project, which aimed to review how children's privacy was being protected and consider whether the rules protecting children's privacy rights were working.
As part of this project, the OPC consulted with government agencies, professionals who work with children (teachers, doctors, nurses, etc.) and nongovernmental organizations who advocate for children and young people.
In April, the OPC published its report, Safeguarding children and young people’s privacy in New Zealand. The report did not receive a large amount of attention at the time of its publication, but this is a global privacy issue capturing the attention of privacy regulators around the world, including perhaps most prominently, the U.K. Information Commissioner's Office — which fined TikTok 12.7 million GBP for breaches of the U.K. General Data Protection Regulation relating to collecting and using personal information about more than one million children under the age of 13. The report identified three key themes that would inform future work from the OPC in relation to children's privacy.
First, the OPC identified that more guidance was needed for professionals, parents and children. This included guidance for parents and caregivers about children's privacy rights and how children can use technology, such as social media, in a privacy protective way. It also included child-friendly and age-appropriate resources for children, in plain language and multiple formats, such as posters, pamphlets, videos and e-learning modules. Finally, there was an overwhelming call for more privacy guidance for professionals who worked with children, particularly in the education, health and social service sectors.
Second, the OPC considers that regulatory changes could be required, to better protect children. Some of these changes could be achieved through amendments to the Privacy Act 2020, or other relevant laws, or through a child-specific code of practice. Of the changes up for discussion, I found the following particularly interesting:
- Many submissions were clearly influenced by the general principle of "best interests of the child." Some submitters called for a specific obligation to consider the best interests of the child when collecting, using, and sharing personal information about children. It is possible that such an obligation could better ensure child-focused interpretations of the privacy principles, and could help to mitigate the risk of privacy harm to children.
- Many submitters argued in favor of a "right to be forgotten" for children. The Privacy Act does not currently provide any specific right to delete personal information, though an individual can request the deletion of incorrect information as part of a correction request. There was a general view that a right to be forgotten was more important for children than other groups, noting the risks caused by children using social media irresponsibly, potentially causing long-term harm to themselves or others.
- Approximately 99% of submitters felt there should be a minimum age requirement for using social media, with the largest proportion suggesting that this age should be set at between 14 and 15 years.
Third, the OPC noted that there is significant concern about the use of social media by children and their parents. These concerns included parents sharing and monetizing content about their children, in order to increase their social media following. However, submitters were more concerned about how children used social media, noting they do not have the capacity to understand the risks, including bullying and harassment, the permanence of online content, and the potential for the misuse of personal information by social media platforms.
The report provides valuable insight for organizations on the "tone of the room" in relation to children's privacy issues, both in terms of parent tolerance levels about data collection and use, and general expectations of better control and transparency for children. We will need to wait and see how the OPC responds to these findings, and whether we can expect more specific regulation and guidance, similar to that developed by the ICO. In the meantime, this topic will be on the agenda at the upcoming IAPP ANZ Summit in Melbourne in November, which will open for registration shortly.
Daimhin Warner, CIPP/E is the country leader, New Zealand, for the International Association of Privacy Professionals.