PROTECTION OF CHILDREN’S PERSONAL DATA
With the growing popularity of social media and the internet, children have been among the subjects of violations in the field of personal data protection. Children’s personal data is shared and processed “unconsciously”, both by their parents and, because of the decline in the age of using the internet, by even themselves. Although protecting children who do not have enough mental and physical development in this field is important, the legal regulations as to the protection of children’s personal data are yet too young.
In fact, in Turkey’s data protection legislation (Personal Data Protection Law No 6698) there is no special provision in terms of the age of the data subject. However, there are direct or indirect regulations regarding the protection of the child's personal data in international regulations which will be briefly summarized below.
1. United Nations Convention on the Rights of the Child
In Article 3 of the Convention, best interests of the child are regulated as a primary consideration. According to this regulation, best interests of the child prevail in all circumstances. This is also valid in cases where children's data is processed, and parental consent is given on behalf of the children.
It is obvious that the protection of personal data is included in the scope of the right to respect for private life. In Article 16 of the Convention, it is accepted that the existence of the private life of children is worth being protected not only by third parties, but also by their parents.
2. USA Regulations
The first regulation regarding the protection of children’s personal data is Child Online Privacy Protection Act (COPPA) which was published in 2000 in the USA.
In COPPA, the concept of a child includes individuals under the age of 13. Under this law, certain obligations have been imposed on websites and service operators that provide services directly to children and are aware of collection of personal data from children. These obligations are reporting privacy policies, obtaining verifiable parental consent, allowing parents to review and erase personal data provided by their children, and establishing and maintaining appropriate procedures to ensure the security of personal data collected.
However, there are criticisms of COPPA's regulations on parental consent, such as the fact that it is hardly identifiable in practice whether the approver belongs to the parent of the child whose data is collected.
3. European Union and the Member States
The current data protection regulation in the European Union is the General Data Protection Regulation (GDPR). A special provision has been made in the GDPR regarding the protection of children's personal data, and in accordance with Article 8 titled "Conditions applicable to child's consent in relation to information society services”.
In cases where the processing of personal data is subject to the consent of the data subject, the condition that the data subject is over 16 years of age is sought. In cases where the data subject is under the age of 16, the consent must be given by the person who has the right of custody over the child or the consent of the child must be approved by the parent; in order to verify that the consent was given by the person who has the right of custody over the child, the obligation to inform the data subject of the data controller should also be fulfilled against the parent who will give consent instead of the child.
When the regulation is analyzed in its current form, it is concluded that the data of children under the age of 16 are not allowed to be obtained, processed, and transferred by third parties without the consent of their parents.
At the same time, with the last sentence of paragraph 1 of Article 8 of the GDPR, member states have the right to lower the age limit to 13.
Although the data protection legislation in Turkey does not make a distinction in terms of age, data controllers who know that they process personal data of children during its processes, for example; the practices of the school’s, online games for children's, at least when evaluating the obligations related to the consent of the data subject, should consider whether the consent of the children will be valid according to their age, and how to obtain consent from their parents or guardians of the children whose consent will not be valid.