Privacy and the right to privacy for children

Choose language in the Google-box below. Some translations may be flawed or inaccurate.

 

For privacy tips, see at the very bottom.

• Children’s right to have private life is set out in the Convention on the Rights of the Child («Barnekonvensjonen»).
• Children’s right to privacy is set out in the Personal Data Act («Personopplysningsloven», which is based on GDPR – General Data Protection Regulations).

There are also other regulations, such as the Health Information Act («Helseopplysninger»), but let’s stick to the two mentioned above.

The Convention on the Rights of the Child gives children the right to privacy

The UN Convention on the Rights of the Child gives children the right to private life. Neither authorities, businesses nor parents have the right to monitor or dig into children’s privacy.

It says: “No child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence. The child shall be protected from unlawful attacks on his or her honour and reputation.”

It is usually interpreted that the child has a rising right to privacy when it comes to the parents’ involvement. For example, parents can have a camera in the child’s bedroom for the very first few years of life to check if the child is crying at night, but they should not read the messages or diaries of a teenager. An exception is if the parents suspect that the child is in a harmful situation or is about to harm others.

Some child watches can tell parents where their children are at any given time. For the youngest, this will probably not be regarded as a violation of the Convention on the Rights of the Child. However, if parents monitor older children with a GPS app on their phones, it might be a violation of the convention.

At the same time, it is often the case that the tech giants monitor both the children and adults and know exactly where we are at all times. One might ask if this is really a violation of the Convention on the Rights of the Child.

The Convention on the Rights of the Child also states that children have the right to protection against media damage, while at the same time they have the right to information about the world. Children have the right to be protected from terrifying video clips such as war, while at the same time having the right to get information that there is war. If these two rights are to be fulfilled at the same time, children must receive age-appropriate information.

But the social apps do not necessarily take this into account and can feed children more and more often with horrifying war videos. The apps register what the kids show interest in. It is as if the apps are reading the kids’ diaries. One may ask whether this is also a violation of the rights of the Convention on the Rights of the Child.

Personal Data Act provides special protection to children

Personal Data Act has rules for when it is allowed to collect personal data. The rules state that processing is legal only if the registered person has consented to the processing of his or her personal data for one or more specific purposes.

In addition, there are separate rules for what is called Information Society Services («informasjonssamfunnstjenester»), sometimes abbreviated as ISS. In practice, it means social media and digital school solutions.

The definition of Information Society Services is abridged by «Barnevakten» here:

• The system must be electronic.
• The system must be individual-based.
• Users can respond to each other’s messages at any time.

From the three points above, one can see that social media is precisely an information society service: you have your own account, you can reply to other people’s messages, and it’s all digital.

In addition, there is a list of exceptions to the definition. For example, when your doctor notes personal data on his or her computer during a visit, or you buy airline tickets online. Both of them are not considered information society services.

No one is allowed to collect personal data about children under the age of 13 in such information society services. There are two ways around that rule. One possibility is that the parents give consent. The second possibility is when there is a so-called basis for processing in the law. There is a kind of exception that, for example, schools can make use of. The children can then be led into the school’s digital teaching systems without the school having to ask parents for permission.

But a basis for processing does not mean that the school can collect anything. Read more about it here. For example, the school cannot collect biometrics such as fingerprints and facial recognition, the Norwegian Data Protection Authority writes in its school solutions guide.

And the basis for processing in the act, i.e., the “permission” that schools have, applies only to the main apps in the school’s teaching solution. In the case of the smaller apps, the school must obtain consent from the parents – if the app collects personal data.

What is personal data?

The Norwegian Data Protection Authority’s website states: “Personal data is all information and assessments that can be linked to you as an individual.”  It mentions a number of examples, here listed by «Barnevakten»:

• Name
• Address
• Telephone number
• Email
• National ID number
• Pictures where the person can be recognized
• Audio recording of the person even if no name is mentioned in the recording
• Facial recognition
• Dynamic IP Address

 

When it comes to extra sensitive personal information, such as sexual orientation or philosophical perception, the rules are stricter. However, even if schools do not ask directly for such sensitive information, students may leave such information in assignments, chat, and group assignments. Students can thus reveal many personal matters that remain attached to the digital school solutions and can be detected by school staff or fellow students. However, as far as «Barnevakten» is aware, schools do not actively delete such information.

What do the Personal Data Act and the GDPR say?

Norway has its own privacy law. In addition, Norwegian law also refers to 99 rules that the EU has adopted. The 99 rules of the EU have become a part of Norwegian law. Digging into Norwegian laws on privacy can be a bit confusing. The 99 rules are often referred to as “Personvernforordningen” or the General Data Protection Regulation (GDPR).

By the way, there is no such thing as the “Privacy Act,” it is just a popular word. The “Privacy Act” is actually the Act relating to the Processing of Personal Data and can be called the “Personal Data Act.” But let’s use the popular word Privacy Act here.

First and for all, the Privacy Act states that it is based on the EU’s 99 rules on privacy (which you can also find here if you want to avoid reading PDFs on the phone).

A search for the word “child” in the 99 rules takes you to Article 5 which is about consent and the age limit of 13 years. This means that social media must exclude children under the age of 13 unless the parents have given their consent.

The next hit is item 38, which states that children deserve special protection, especially when it comes to marketing purposes, personality profiles, and user profiles.

Section 58 states that information regarding the collection of personal data should be short and easy to understand. And when it comes to collecting personal data from children, it should be written so simply that children easily understand. It seems that this rule is broken by most of the major social media. Apps’ privacy policy, which applies to anyone over the age of 12, should be simple and easy to understand for the children. But the usual thing today (2022) is that the terms are kilometer-long and written in heavy and vague legal language.

Furthermore, one may ask whether section 58 also applies to schools. Are students or parents explained easily what schools collect from personal data?

Section 65 concerns the right to be forgotten, i.e., the right to withdraw consent so that the app must delete all personal data. It says that this right is more significant for children, because children may not fully understand what they have given consent to until they may first understand it as an adult. In other words, you have the right to withdraw your consent even after many years.

Section 75 is a super-long sentence of as much as 170 words. It says about what a person can be exposed to, such as fraud or racism, if you are lax with privacy, and that this applies especially to children.

• The Norwegian Data Protection Authority explains the rules for personal data.

Parents monitor other people’s children

What many may not think about is that if they monitor their own child, in some cases they also monitor the children of others, because their own child is chatting with other children or working on group assignments. Read more here:

• When other parents violate your child’s right to privacy
• Monitoring other people’s children via child watches

You should not make children completely paranoid. You may rather consider telling them that not everything one should tell in writing, for what has been written is often searchable or easy to take a screenshot of.

Privacy in schools

Here are some articles about privacy in schools. There are unfortunately some failures:

• Municipalities and schools lag on privacy (2022)
• Privacy failure in Norwegian schools (2021)
• Failing in privacy when municipalities introduced Google’s school solution (2020)

However, some works are also being done to improve privacy in schools. Schools, i.e., the municipalities that own the schools, are supposed to make a risk assessment of all apps and systems that are introduced. At the same time, this means that teachers can feel tied to their hands and feet when they have to wait for a simple app with pieces of math to go through an ample check in the municipality.

Slowly, the school solutions will be put in place where privacy checks will go faster. Here’s an example:

• A new tool that checks whether teachers take care of students’ privacy (2021)

Barnevakten has asked questions about privacy in schools several times, including in these articles:

• Is it okay for schools to use cameras in class? (2021)
• How much student data is ok to collect? (2020)
• Children’s digital footprints in school (2017)

Privacy in apps and phones

Here you can read even more about privacy:

• Give your kids better privacy with the new iPhone update (2020)
• Complaints about poor privacy in Tiktok (2020)
• New Privacy Law for the benefit of Children (2018)
• How should parents relate to the new Privacy Act? (2018)
• How your child is affected by the new Privacy Policy (2018)
• Here’s what you should know about the new Privacy Policy. (2017)

The EU has also established several digital rights that Norway will eventually copy.

Privacy is also about the settings in the apps

If you set the social app account as “private,” there is less risk of children spreading information about themselves to the rest of the world. Read about safer settings.

Feel free to also read this article about tracking and monitoring children.

• How to prevent the misuse of children’s data online? (2022)

Barnevakten’s privacy tips

• Be careful about entering too much personal information in an app (name, date of birth, address, phone number, linking the app with another social media account, and so on).
• If your app has settings for turning off “targeted advertising,” i.e., advertisements that are personalized to the user based on name, age, gender, place of residence, usage of the app, and so on, it probably won’t prevent the app from collecting data, but will prevent targeted advertising based on the data collected.
• In the Apple App Store, there are separate information menus that explain what kind of information an app collects. In addition, what kind of features of the device the app requests access to, such as the contact list on the mobile, GPS, and so on. Google Play also provides some of the same types of information.
• Apps that are free to use often collect more user data to earn revenue than apps that require payment.
• Check the app description. Apps that do not collect information from children are happy to write this in plain text. You can also read the privacy statement of the app developer.
• On iPhone/iPad, there’s a separate setting inside the Privacy tab to let apps not track (sharing user information among each other). The same can be done in Safari, Chrome, and Edge browsers.
• In some apps, there are settings to delete history, cache memory, data, and so on.
• There are non-commercial apps that are run on a nonprofit basis. As a rule, such apps are not designed to collect user information. For example, the Signal chat app.
• There are also search engines that do not collect information about what you are searching for. DuckDuckGo is an example.

(Translated from Norwegian to English by Ratan Samadder)

Utviklet som en del av Erasmus+ prosjektet «TeachingTools».