1. Codify children’s privacy rights:
- Ensure that all processing of children’s data is subject to a ‘best interests’ test, and only occurs where it is in children’s best interests
- Require a children’s best interests assessment before data processing¹ — These assessments must identify any potential issues and include reasonable attempts to mitigate these risks. This ensures that platforms that process children’s data have to proactively consider children’s rights, and that data processing would only be lawful where they had considered and acted to protect those rights. This would align with a number of other suggestions proposed within the Privacy Act Review. These risk assessments must consider how children’s data is processed by the following systems, and how these systems function in children’s best interests and do not cause harm:
  - Targeting systems, e.g.:
    - Recommender systems and algorithms (content, friends etc)
    - Advertising systems
  - Privacy-by-design settings
  - Training for ‘extended-use’ and ‘engagement’ design
  - Use of ‘sensitive’ personal data, e.g.:
    - Geolocation data
    - Health data
    - Data about protected characteristics
- Require privacy-by-design best practice to be implemented for under-18s’ accounts — such as defaulting them to private when they are opened, and not nudging them towards lower privacy settings
- Require data minimisation and restricted data sharing — only strictly necessary data should be processed, and it should not be circulated except where it is in their best interests to collect or share (e.g. medical emergencies)
- Require accessible ways for children to request, access, correct and delete their data — and for children under the age of data consent, except where it is in their best interests to retain or refuse data access requests (e.g. medical emergencies)
- Require active, expressed consent — data should only be processed where children have meaningfully consented and been informed, and parents for children under the age of data consent, except if it is in their best interests to process data without expressed consent (e.g. medical emergencies or permitted health situations). Consent cannot justify data abuse.
¹ These may need to have some sort of size exemption, i.e. only processors who handle X amount of children’s data need to do this.
2. Codify accountability and transparency to child users by:
- Children’s Best Interests Assessments must be submitted to the OAIC for review
- Requiring T&Cs be published in plain speak, accessible to the youngest users
- Requiring T&Cs be enforced. Providers should live up to their T&Cs, and children, parents and advocates should have a right of redress if they do not. This should include a public complaints review facility and, if a child feels they have not received an adequate response, an independent complaints board should be available
- Offering a clear process to ‘make things right’ where things go wrong. Children should be able to exercise their rights easily, and mechanisms should be child-friendly. This should include an independent complaints review facility, which children, parents and advocates can use if they feel an initial complaint raised with a platform has not been adequately addressed
3. Respect young people’s rights in the Code development and implementation
- Apply to all children under 18, and all products and services that they are likely to use.
- OAIC must lead the way on drafting the Code, not industry.
- Consult with children and young people as the Code is being developed, and in an ongoing fashion with the OAIC as the Code is being implemented. Other advocates, like parents, teachers and child rights advocates, should also be consulted.
- Ensure that children and young people are respected as digital citizens. This means ensuring that age-appropriate services don’t shut them out, or downgrade their service because it’s ‘too hard’ to meet their rights as described in the Code
- Ensure that children and young people are provided with clear, accessible information on the rights that underpin the Code and the mechanisms that are available through the Code (and ideally elsewhere in consumer rights, health consumer rights, and rights to safety, information and education). This should also include details of restrictions and limitations with rationales, such as gambling, pornography etc, and in appropriate circumstances the opportunity for challenge to those restrictions
- Ensure the Code is meaningfully implemented and enforced, which will require appropriate resourcing for regulators