General comment No. 25 - Chapter VI: Civil rights and freedoms E 1
E. Right to privacy
Privacy is vital to children’s agency, dignity and safety and for the exercise of their rights. Children’s personal data are processed to offer educational, health and other benefits to them. Threats to children’s privacy may arise from data collection and processing by public institutions, businesses and other organizations, as well as from such criminal activities as identity theft. Threats may also arise from children’s own activities and from the activities of family members, peers or others, for example, by parents sharing photographs online or a stranger sharing information about a child.
Data may include information about, inter alia, children’s identities, activities, location, communication, emotions, health and relationships. Certain combinations of personal data, including biometric data, can uniquely identify a child. Digital practices, such as automated data processing, profiling, behavioural targeting, mandatory identity verification, information filtering and mass surveillance are becoming routine. Such practices may lead to arbitrary or unlawful interference with children’s right to privacy; they may have adverse consequences on children, which can continue to affect them at later stages of their lives.
Interference with a child’s privacy is only permissible if it is neither arbitrary nor unlawful. Any such interference should therefore be provided for by law, intended to serve a legitimate purpose, uphold the principle of data minimization, be proportionate and designed to observe the best interests of the child and must not conflict with the provisions, aims or objectives of the Convention.
States parties should take legislative, administrative and other measures to ensure that children’s privacy is respected and protected by all organizations and in all environments that process their data. Legislation should include strong safeguards, transparency, independent oversight and access to remedy. States parties should require the integration of privacy-by-design into digital products and services that affect children. They should regularly review privacy and data protection legislation and ensure that procedures and practices prevent deliberate infringements or accidental breaches of children’s privacy. Where encryption is considered an appropriate means, States parties should consider appropriate measures enabling the detection and reporting of child sexual exploitation and abuse or child sexual abuse material. Such measures must be strictly limited according to the principles of legality, necessity and proportionality.
Where consent is sought to process a child’s data, States parties should ensure that consent is informed and freely given by the child or, depending on the child’s age and evolving capacity, by the parent or caregiver, and obtained prior to processing those data. Where a child’s own consent is considered insufficient and parental consent is required to process a child’s personal data, States parties should require that organizations processing such data verify that consent is informed, meaningful and given by the child’s parent or caregiver.
States parties should ensure that children and their parents or caregivers can easily access stored data, rectify data that are inaccurate or outdated and delete data unlawfully or unnecessarily stored by public authorities, private individuals or other bodies, subject to reasonable and lawful limitations. They should further ensure the right of children to withdraw their consent and object to personal data processing where the data controller does not demonstrate legitimate, overriding grounds for the processing. They should also provide information to children, parents and caregivers on such matters, in child-friendly language and accessible formats.
Table of content with link to the whole document as an accessible pdf-file