UNICEF has published a manifesto that sets out a vision for better global governance of children's data. 

Children's data deserves special protection because children are more vulnerable than adults, and younger children depend on adults to consent to data processing on their behalf. Even older children are less able to understand the long-term implications of consenting to their data processing. The use of algorithms in children's education systems, their health care and youth criminal justice systems can have long-term implications for their future.

It is important robust regulations are put in place to ensure when children's data is processed, it is done in their best interests and with due regard for their human rights.

The global landscape of data governance for children

There is no comprehensive data governance legal framework at the global level, meaning that both children's and adults' data rights are not well protected, particularly when data is transferred across borders. 

Looking at international law, some elements of privacy and data protection rights are covered, but these are fragmented across various international human rights treaties. Privacy rights related to children can be found in the Convention on the Rights of the Child, General Comment No. 25 on children's rights in relation to the digital environment, the Universal Declaration on Human Rights, the International Covenant on Civil and Political Rights, the Organisation for Economic Co-operation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, and the Council of Europe's Convention 108+ which has a global reach beyond Europe. 

International human rights treaties are generally not binding upon their parties except in jurisdictions in which they are directly applicable, which means they are only implemented when translated into national law in most countries. 

The UNICEF manifesto notes that although many countries are developing their own data protection laws because a large percentage of the technology services used by children globally have headquarters in the United States, Europe or China, it is the legal framework from these three areas that predominate globally. Because it is difficult for multinational companies to implement different standards in their technology products for different markets, the tendency is for companies to level up to the highest standards required by the global marketplace. 

Currently, the EU General Data Protection Regulation represents the highest benchmark most multinational companies seek to comply with. This is good news for children because the GDPR requires data processing from children to adhere to the EU Charter of Fundamental Rights, which includes many of the rights contained in the international treaties listed above. 

The United States has not ratified the U.N. Convention on the Rights of the Child, and the U.S. Bill of Rights does not cover the full spectrum of rights set out in international law. U.S. federal law tends more toward business self-regulation. However, California has produced legislation providing greater data protection rights to children under the California Consumer Privacy Act and is influential because of the concentration of technology companies in Silicon Valley. 

China enacted two laws in the past few years related to data protection, including the E-Commerce Law of 2018 and the 2019 Regulation on Cyber Protection of Children's Personal Information. These laws specifically concern underage users of gaming platforms, e-commerce websites and social media platforms, but they are directed at the private sector and do not regulate data processing by the State.

De facto governance by the private sector

The UNICEF manifesto found that in the absence of a robust global governance framework for children, and with very little oversight of the implementation of data protection laws that exist, the result is often de facto governance by the private sector. Multinational companies set their own standards for many aspects of children's data processing and apply them across jurisdictions with very little transparency. 

The U.N. Guiding Principles on Business and Human Rights set out the corporate responsibility for human rights. One way for companies to assess how well they are meeting these responsibilities to children is to carry out a child rights impact assessment, including aspects related to data collection and privacy. The CRC General Comment No. 25 also requires states to promote the use of CRIAs by businesses relating to the digital environment.

Why do we need global standards?

Global standards are needed to allow companies to operate across borders. Data is transferred between sectors – from the public sector to the private sector, and sometimes back again – and is often processed in several different countries and then perhaps stored in the cloud. This means that national laws must contain common standards to allow for interoperability and support the global digital economy. 

Global standards related to good data governance are also important for trust — trust in governments, the private sector, and in humanitarian and development organizations — especially when it comes to children. Parents, educators and children themselves need to know their data is being protected so they can fully engage with the opportunities afforded by technology, and so the benefits of data for children can be maximized. 

As governments worldwide recognize the need for more robust data governance, UNICEF is calling for children's rights to be front and center.

The UNICEF manifesto includes 10 key action points aiming to lead to a governance model purposefully designed to realize children's rights worldwide. 

The Manifesto

  1. Protect children and their rights through child-centered data governance. Such data governance should adhere to internationally agreed standards that minimize the use of surveillance and algorithms for profiling children's behavior.
  2. Prioritize children's best interests in all decisions about children's data. Governments and companies should prioritize children's rights in their data collection and processing and storage practices. 
  3. Consider children's unique identities, evolving capacities and circumstances in data governance frameworks. Every child is different, and children mature as they get older, so data governance regulations must be flexible. Marginalized children must never be left behind. 
  4. Shift responsibility for data protection from children to companies and governments. Extend the protection measures to all children below the age of 18, regardless of the age of consent. 
  5. Collaborate with children and their communities in policy building and management of their data. Through distributed models of data governance, children and their communities should have more say in how data is processed, by whom it can be processed and with whom it can be shared. 
  6. Represent children's interests within administrative and judicial processes, as well as redress mechanisms. It is imperative that children's rights are integrated into existing mechanisms, such as the work of data protection authorities. 
  7. Provide adequate resources to implement child-inclusive data governance frameworks. Data protection authorities and technology companies must employ staff who understand children's rights, and governments should allocate funding for regulatory oversight. 
  8. Use policy innovation in data governance to solve complex problems and accelerate results for children. Policy innovation can help public authorities to make the most of data while also safeguarding children's rights. 
  9. Bridge knowledge gaps in the realm of data governance for children. There are some urgent knowledge gaps in need of further research to ensure data governance regulations are evidence-based. 
  10. Strengthen international collaboration for children's data governance and promote knowledge and policy transfer among countries. This manifesto calls for greater global coordination on law and policy. Uncoordinated national-level data governance laws can lead to competing assertions of jurisdiction and conflict. 

You can read the full manifesto, which provides examples of many of the child rights issues impacted by data processing, and goes into greater detail regarding existing governance frameworks and the geopolitical landscape underpinning the data economy. It also elaborates on the 10 action points listed above. 

Photo by Ralston Smith on Unsplash