Technological developments in recent years have deeply affected our daily lives and they continue to affect each passing day. This interaction spreads to all areas of life and results great changes. Changes have been occurring sometimes create great convenience and, sometimes raise new questions that need to be answered. One of the biggest questions that have arisen at the international level has been how to ensure privacy of personal data belonging to real persons during the large data streams arising from digitalization.
In response to this question first, the European Union Directive 95/46/EC ("Directive") and then the European General Data Protection Regulation ("GDPR") that came into force on 25 May 2018 were regulated in Europe. As of today, personal data protection practice is still developing with GDPR. In Turkish legislation, data privacy continues to its development with the Turkish Personal Data Protection Law No. 66981 ("KVKK"), which came into force on April 7, 2016.
One of the most sensitive group affected by ongoing digitalization is minor group. Children, who are taken under special protection regarding every process they are involved with under almost all legal systems, are among the groups which has the easiest access to digitalization and technology, and therefore at the greatest risk. Children have frequent and widespread access to technological tools and digital networks, as much as adults, and sometimes they spend even much more time on a wide variety of digital platforms. As a consequence, they have become the most sensitive group facing developments.
- Local and International Regulations
Today, tools such as computers, phones or gaming consoles used by children have become their biggest friends, communication and self-expression tools, libraries. The acquisition of personal data, which has become one of the focal points of the digital services used, starts with the moment of opening an application, logging into a game or entering a website. Data such as the friends of the user children, their locations, how they feel, how old they are can be easily processed in this context. Given this situation, children, who are more sensitive and vulnerable than adults and need protection, have become one of the easiest targets of ads, cyber-attacks and any other data breaches that may occur.
Mobile devices owned by children are not restricted for the use purposes most of the time, and children use mobile devices in an indifferent way comparing to the adults.
One of the places where children spend most of their time is their schools, as educational and training institutions. Schools are institutions that use a wide range of digitalization and technology to facilitate education and training as they are crowded institutions that appeal to many children.
Computers in classrooms, which has been used to be in the use of the teachers only, have been replaced by smart boards, tablets, which are allocated for students' use over the years. In addition, the necessary technical precautions are not taken regarding the risks posed by the applications used for the purpose of communicating with the parents and the online systems where the schools process data such as exam grades and attandence to the classes.
KVKK, as personal data protection law in Turkey, contains provisions that does not regulates a different protection for adults2 and minors3, but only states that real people are data subjects4. From this point of view, it will be concluded that the legal protection of KVKK will have the same effect for children as for adults, based on the definition of a real person specified as the right subject in accordance with the Turkish Civil Code5 ("TCC").
Therefore, it would not be wrong thing to say that in the case of personal data processing, the addressee of the explicit consent and clarification obligation sought in KVKK will be the parent or guardian of the child. At this point, it should not be concluded that the child's consent declaration is insignificant. Because, as it will be mentioned below, when the regulations in Europe and America are taken into consideration, the child has power of appointment on his/her personal data and detailed regulations were introduced in this context.
GDPR introduced more detailed regulations in the field of data protection law and Article 86 regulates the processing of personal data belonging to children solely. Accordingly, in order to process the personal data of the child, the child is required to be at least 16 years old, and the permission of the legally appointed parent or guardian for the children under this age is indicated. GDPR also stated that EU member states may change this age with their own internal regulation on condition that the age determined shall not be less than 13 years old.
Similar to the regulations in Europe, restrictive provisions have been introduced in American law regarding children's personal data processed via online systems with a specific law. According to the relevant law children have power of appointment on their personal data provided that if they are not under the age of 13; and for those who are under 13 years old, consent of their parents is required.
In the United Kingdom, data protection authority Information Commissioners Office ("ICO") has published the Age Appropriate Design Code ("Code") in January 2020. The Code does not aim to remove children from the digital world, but to protect them without interfering with their presence in this digital World. And to serve this purpose, it introduces 15 interconnected principles that must be complied with by real or legal persons who serve digitally.
Within the scope of the subject, investigation of the Hong-Kong based VTech Company in 2015, due to data breach constitutes an important example. Namely, the situation causing the investigation was caused by the "VTech's Kid Connect App". Through this application, children communicate with other children or their parents. As a result of its investigation, The United States Federal Trade Commission (FTC) found that VTech company did not obtain the necessary permissions from the parents and did not comply with the security measures. It is understood from the text of the decision that the company, which has been subjected to a penalty of 650.000 USD for violation, did not provide clear and understandable information about the personal data of the children, did not obtain the necessary permission from the parents and, did not take the necessary measures to ensure data security.
Another remarkable decision made recently was made by the Norwegian Data Protection Authority (Datatilsynet) on October, 2019. 120,000 Euro penalty was imposed on the Education Agency, which is affiliated with the Municipality of Oslo, regarding the mobile application used to provide communication between school employees, parents and students. According to the announced decision, the necessary technical and institutional measures have not been taken against the existing risks related to the application, and special categories of personal data, such as health data belongs to students, are not under adequate protection. In the end of the investigation, it has been revealed that there is a risk of accessing more than 63,000 students' personal data by unauthorized people.
Data protection and privacy are areas that is developing today, changing rapidly and creating new focal points. Recently, children, one of the most important users of the digital world, have been emphasized as a sore spot in regulations and board decisions regarding the personal data protection and privacy. In this context, establishment of more detailed regulations and verdicts are expected in both international law systems and Turkish law.
1 Personal Data Protection Law numbered 6698 and dated 24.03.2016, has been published in the Official Gazette numbered 29677 and dated 07.04.2016.
2 Article 11 of the TCC.
3 Article 3/1/a of Children Protection Law numbered 5395 and dated 03.07.2005, published in the Official Gazette numbered 25876 and dated 15.07.2005: "Child: refers to a person who has not completed the age of eighteen, even if he/she is considered as adult by law or court."
4 Article 2 of KVKK, "The provisions of this Law shall apply to natural persons whose personal data are processed and natural or legal persons who process such data wholly or partly by automatic means or otherwise than by automatic means which form part of a filing system."
5 Turkish Civil Code numbered 4721 and dated 22.11.2001, published in the Official Gazette numbered 24607 and dated 08.12.2001
6 Art. 8 GDPR Conditions applicable to child's consent in relation to information society services
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.