Personal data protection and privacy on the Internet

Image Title
 

Personal data protection and privacy on the Internet 

Author: Dobrinka Kuzmanović, PhD

zastita-licnih-podataka

The right to personal data protection and privacy is one of the fundamental human rights. With the rapid development of digital technology and the Internet, this right has been seriously undermined.

The time we live in, the so-called ‘Big Data Era’, is characterized by the processing of an enormous amount of various data. Our personal information is treated as the ‘new oil’. The companies actually charge customers for their ‘free’ services by asking them to leave more and more personal data. Well, we all know the old saying, “there’s no such thing as a free lunch”. The information on users, their activities and behaviour on the Internet is used for: analysis and creation of personal social and psychological profiles; targeted placement of commercial products tailored to users’ individual characteristics and needs (so-called one-to-one marketing); and sale to companies or services (so-called third parties), etc.

Children, being the youngest Internet users, have been placed in the centre of a constantly growing personal data market. Using ‘smart devices’ and toys connected to the Internet (such as Hello Barbie) are just some of the ways to collect children’s personal information.

 

What are personal data?

Personal data are all data relating to a person, on the basis of which such person can be identified (directly or indirectly) and thus his/her privacy endangered.

Personal data include:

  • Name and surname
  • Residential address
  • Email address
  • Photograph
  • IP address
  • The location of the person
  • Information used to analyse and create user profiles (working abilities, economic status, personal interests, behaviour, consumer habits, mobility, etc.)
  • Online behaviour of the person (data collected with cookies).

The European General Data Protection Regulation (GDPR), being effective as of 25 May 2018 in the countries of the European Union, refers to personal information and is a new standard of protection of personal data and privacy of citizens. This Regulation puts much emphasis on the protection of specific categories of personal information:

  • Race affiliation
  • Ethnicity
  • Religious affiliation
  • Membership in trade unions
  • Sexual orientation
  • Health information (personal data relating to the physical and mental health of an individual, including the provision of health services)
  • Biometric data[1] (personal information obtained by special technical processing in relation to the physical, physiological or behavioural characteristics of a person enabling or confirming the unique identification of that person, e.g. face photos or fingerprints)
  • Genetic data (personal data relating to the inherited or acquired genetic characteristics of a person providing unique information on the physiology or health of a person and obtained by analysing the person’s biological sample).
 

What is privacy?

The right to privacy and the protection of personal data is one of the fundamental rights prescribed by the United Nations Convention on the Rights of the Child (Art. 16). This right equally applies to the digital environment.

According to Helen Nissenbaum, professor of Information Technology at Cornell University, privacy is not the right to secrecy, or to control, but the right to the proper flow of personal information. What exactly does it mean? This means that, depending on the situation and context, a person can estimate and decide what to share with others in the digital environment. In other words, a person has the right to know how and for what purposes his/her data are used, who keeps them and for how long, and who such information is available to. The person can also request the deletion of personal data or the correction of the incorrect ones.

 

The ways we leave personal information online

When it comes to children, the question is whether they are able to figure out what personal information is not appropriate to share with others, in which situations and why? Although they are quite concerned about what personal information will come into their parents or friends’ possession, children do not understand why large corporations (like Facebook, Instagram or Snapchat) are interested in such information. According to some research, children care about their privacy in relationships with others, but, in spite of this, they share it in public; that is, they are not aware of the personal data misuse in commercial purposes and institutional context (e.g. school, healthcare institution).

Due to the fact that they are not sufficiently aware of the risks, consequences, protection and rights related to personal data processing, children deserve special protection of privacy on the Internet (GDPR).

Personal data on the Internet can be grouped into three categories:

  1. Active digital footprints – information (about themselves or others) users leave when using the Internet, usually consciously, though not necessarily intentionally (e.g. when buying some products, downloading some content from the Internet, uploading photos, creating profiles on social networks)
  2. Passive digital footprints – information users leave on the Internet when using it, mostly unconsciously (e.g. through cookies, fingerprints, location data, use of smart things and smart toys)
  3. Information obtained by analysing the first two data categories, using algorithms (through the profiling process), possibly combined with other data sources.
 

Why it is important to abide by age restrictions

A large number of websites and applications (e.g. video games, social networking, dating or gambling websites) require users to indicate their age when creating profiles (registering). These services have a minimum age limit for their use.

The reasons why the majority of such services require a minimum age limit for their use are:

  1. Some websites and applications, due to their content, purpose or because they collect and store data about users, are intended for adults (people above the prescribed age) and not for children.
  2. According to the American Children’s Online Privacy Protection Act (COPPA), no organization or person using services on the Internet (including social networking website owners) may collect personal data of persons under the age of 13 without the approval of their parents or guardians. In order to avoid obtaining parental consent for persons younger than the prescribed age, most service providers have set an age restriction on the use of their services. This restriction is clearly stated in the Terms and Conditions, requiring users to comply with these conditions before they begin using the services. In order to protect users, but also themselves (to avoid violation of the law), websites commit themselves to delete any profile created by a person under the age of 13.

The Terms of Service of the popular social network Facebook says that the site cannot be used by those who are under 13 years of age (or those who have not reached the “minimum legal age in your country to use our products”). Although most social networks (such as Facebook, Snapchat, Twitter, Instagram, Skype) require a minimum age limit of 13 years (there are also some interactive services that are designed specifically for younger children), research shows that a large percentage of children (both in Serbia and elsewhere) begin to use these networks at a much earlier age than prescribed.

Many parents face the challenge of allowing their children to create a profile on a social network at a younger age than prescribed. It is possible to have a personal profile at the age younger than prescribed only if a user enters a wrong age when creating a profile.

If a child claims to be older than he/she is when creating a profile on a service or social network, some of the following might happen:

  • a child might be exposed to content that is inappropriate for his/her age (disturbing, violent or explicit content), or to see something he/she does not want to
  • a child might lose additional protection and privacy settings related to the age younger than the one specified
  • a child’s personal profile might be deleted along with all content on it; in addition, a child may be prevented from creating a personal profile even when he/she reaches the required age.
 

The things you should observe when helping a child create his/her first profile on the Internet

Various websites (those for playing video games, social networks, learning websites) require the possession of a personal profile. When helping your child create his/her first profile on the Internet, observe the following:

  • Use the family email address
  • When creating a username, use a nickname for a child rather than his/her full name; do not use someone else’s name, or the birth year of a child
  • Advise the child to add as friends only people he/she knows outside the Internet
  • Create a strong password
  • If there is a possibility to use an avatar for the profile image, take advantage of this option – in that way you avoid sharing personal information. If a child wants to upload his/her own photo, it is important to make sure it does not contain hidden personal information (e.g. the place or time where the photo was taken).
  • Talk to your child about changing the privacy settings and default settings in order to better protect personal data and privacy on the Internet.

Also note that among the EU Member States (where GDPR applies) there is currently no consensus regarding the minimum age limit below which it is necessary to seek the consent of the parent/carer for the child’s use of the Internet service. This limit ranges from 13 to 16 years of age. Some countries state their intention to support active involvement of parents in the online lives of their children as a reason for raising the age limit. Countries that have dropped the age limit to 13 years see this as a way to encourage Internet providers to create protective tools and take responsibility for child safety on the Internet, since the responsibility for child care has been transferred from parents to the industry.

However, we might conclude that scientific knowledge about developmental needs of children of different ages and their personal characteristics are insufficiently considered when making this decision.

 

What is sharenting?

Parents often unconsciously endanger the right to privacy of their children as well as their safety by sharing children’s personal information on the Internet (social networks, blogs). The term sharenting is often used to describe different ways in which parents share details of their children’s privacy online. In this way, parents shape their child’s digital identity long before the child starts using the Internet independently.

Unfortunately, we witness an increase in the number of cases in which sharing photographs of children on social networks results in a negative experience.

How to protect personal data and privacy on the Internet?

  1. Bear in mind that the Internet is a public space and that data posted online are available to the public.
  2. Privacy in an online environment is equally important as it is in the real world – do not post on the Internet things you wouldn’t share with a stranger in the street.
  3. Share personal information only with people you are close with; do not share it with strangers.
  4. Read carefully the Terms of Service and Privacy Policy before you begin to use any Internet platform, application or service.
  5. Abide by age restrictions for using the Internet, bear in mind that you leave your personal data on any web page you visit.
  6. Think critically! Before posting any information or personal data on the Internet, think of the image of yourself you send to others and the way you shape your own digital identity.
  7. Be a responsible parent. Protect your child’s privacy. Do not share personal information (photos of a child) on social networks, for this provides many opportunities for misuse by malicious people.
  8. Talk to your child about personal data, discuss the importance of privacy protection on the Internet, explain the concrete steps a child should take if someone asks for his/her personal information.

See some of the ways you can share children’s photos online without endangering their privacy.    

——————

[1] Biometric and genetic data are new categories included in GDPR.

This Digital Guide was produced within the Family Safety Net project, launched by UNICEF and Telenor Company, and implemented by the Serbian Ministry of Education, Science and Technological Development and the Užice Child Rights Centre NGO. The attitudes and opinions expressed do not necessarily reflect the views of UNICEF.

All terms used in the masculine grammar gender refer to persons of both male and female gender.

By clicking the button below you can download the application for the Android mobile phone