By Sonia Livingstone
The “best interests” principle is one of the four general (cross-cutting) principles of the UN Convention on the Rights of the Child (UNCRC): “In all actions concerning children, whether undertaken by public or private social welfare institutions, courts of law, administrative authorities or legislative bodies, the best interests of the child shall be a primary consideration.” (article 3(1))
These actions include data protection. As the Information Commissioner’s Office (ICO) asserts, “Children’s rights must be respected and we expect organisations to prove that children’s best interests are a primary concern.” The best interests principle is the first of 15 standards in the Age Appropriate Design Code, requiring of businesses that “The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child.”
What does this mean in practice? What actions are expected of businesses?
The best interests principle requires balancing all child rights
While it may be supposed that data protection mainly concerns UNCRC article 16 (the right to privacy), the UNCRC takes a holistic approach to children’s rights. General comment 14 explains that “there is no hierarchy of rights in the Convention” and that the best interests principle “is aimed at ensuring both the full and effective enjoyment of all the rights recognised in the Convention and the holistic development of the child.” (para 4)
As General comment 25 further explains, data protection increasingly matters for many of children’s rights in a digital world. Consequently, data protection legislation has become a crucial domain in which “States parties should ensure that, in all actions regarding the provision, regulation, design, management and use of the digital environment, the best interests of every child is a primary consideration.” (para 12)
The best interests principle has a complex and at times contested history, so applying it to data protection is demanding.
The role of the regulator
Data protection matters for children’s privacy, and for their safety and protection. However, “Privacy and data protection legislation and measures should not arbitrarily limit children’s other rights, such as their right to freedom of expression or protection.” (para 74)
Faced with this demanding agenda, the ICO has been developing guidance for businesses on how they “must consider how your use of their data impacts on the range of rights they hold under the UNCRC.” The ICO invites input on this as “the Children’s code team are periodically updating this guidance.”
Since we have defined the agenda of the Digital Futures Commission as seeking “to inspire innovation in the digital environment that is consistent with children and young people’s ‘best interests,’” we have followed the ICO’s work and seek to contribute to it.
Four proposals to the ICO from the Digital Futures Commission
Drawing on the considerable expertise of colleagues, we wrote to the ICO to suggest four ways of developing their framework further.
- Include the right to education. Bearing in mind both the holistic approach of the UNCRC and our current research on beneficial uses of education data, we advocated including the child’s right to education (UNCRC article 28) in the framework. This is needed because we are finding that schools, those advising them and providers of digital products and services do not always agree on children’s best interests in relation to data protection and EdTech.
- Clarify that the best interests concept must be applied holistically. Concerned that the ICO’s framework could be read as implying that each right can be addressed separately and additively or, at worst, treated as a box-ticking exercise, we urged explicit steps to explain that rights are interconnected (indivisible, in UN language). This is especially important when, given the complexities and contingencies of children’s lives, rights appear to clash. Crucially, the “best interests of the child” requires that a holistic judgement is reached through careful consideration (for instance, by a professional whose role is that of a “best interests assessor”) so that, on balance, taking all things into account, the best interests of the child prevail.
- Advise providers on how to assess best interests in practice. The steps to achieve this are carefully set out in General Comment 14. While not advocating for best interests as a procedural over a substantive right, for both matter, we suggested that the ICO could recommend these steps to businesses, especially in cases where rights need to be balanced. In instances where the best interests of the child do not prevail, the reasons for overriding children’s best interests should be documented for audit and possible challenge – for example, in a Child Rights Impact Assessment or Data Protection Impact Assessment.
- Require provision of remedy. General Comment 14 requires governments to establish
“mechanisms and procedures for complaints, remedy or redress in order to fully realize the right of the child to have his or her best interests appropriately integrated and consistently applied in all implementation measures, administrative and judicial proceedings relevant to and with an impact on him or her.” (para 15(c))
While it is hardly easy for children to seek remedy for infringement of their rights in relation to data protection, clarifying that this, too, is a responsibility of businesses is likely to drive improvements in service provision.
In response to our letter of 6th December 2021, we were pleased to receive a constructive response from the ICO on 17th December, welcoming our “thoughtful and constructive feedback” and setting out their plans to develop the best interests framework in 2022. We look forward to continuing our dialogue with them as the work of the Digital Futures Commission develops.