Opal Masocha Sibanda
LLB (Zimbabwe), LLM (Pretoria)
Technical Expert Secretariat of the African Committee of Experts on the Rights and Welfare of the Child
Edition: AHRY Volume 6
Citation: OM Sibanda ‘Towards a more effective and coordinated response by the African Union on children’s privacy online in Africa’ (2022) 6 African Human Rights Yearbook 154-178
Download article in PDF
The development and expansion of digital technologies in Africa have brought invaluable opportunities for the realisation of children’s rights. However, the significant growth of internet connectivity and ICT access has also raised concerns about children’s online safety and privacy. With growing concerns on children’s privacy and personal data protection, there is a need for robust harmonised standards and regulatory frameworks to address all aspects of children’s privacy online. Through desk review, this article assesses the extent to which children’s right to privacy online and personal data is protected and integrated in the standards and regulatory frameworks of the African Union. An assessment of the applicable instruments and jurisprudence of the key human rights bodies indicates that children’s privacy online and data protection are not adequately addressed as there is limited or no focus on the protection of children’s personal data online. In most instruments related to cybersecurity, there are no explicit provisions relating to the protection of children’s personal data and children are only mentioned in provisions on child pornography. The article argues that children deserve specific protection as a vulnerable group hence the urgent need to explicitly protect children’s personal data and privacy in the human rights instruments adopted at the African Union level as it is the approach in the European Union’s General Data Protection. The article further argues that there is a need to adopt more effective measures by the African Union and its organs to ensure that children’s privacy in all its aspects is protected in the digital sphere.
Vers une réponse plus efficace et coordonnée de l’Union africaine sur la vie privée des enfants sur internet en Afrique
Le développement et l’expansion des technologies numériques en Afrique ont apporté des opportunités inestimables pour la réalisation des droits de l’enfant. Cependant, la croissance significative de la connectivité Internet et de l’accès aux TIC a également suscité des inquiétudes quant à la sécurité et à la vie privée des enfants en ligne. Face aux croissantes préoccupations concernant la vie privée des enfants et la protection des données personnelles, il est nécessaire d’établir des normes harmonisées et des cadres juridiques robustes pour réglementer tous les aspects de la vie privée des enfants en ligne. Grâce à une approche documentaire, cette contribution évalue la mesure dans laquelle le droit des enfants à la vie privée en ligne et aux données personnelles est protégé et intégré dans le cadre juridique mis en place au sein de l’Union africaine. Une évaluation des instruments applicables et de la jurisprudence des principaux organes des droits de l’homme indique que la protection de la vie privée en ligne et des données des enfants n’est pas abordée de manière adéquate, car la protection des données personnelles des enfants en ligne est peu ou pas du tout prise en compte. Dans la plupart des instruments relatifs à la cybersécurité, il n’y a pas de dispositions explicites relatives à la protection des données personnelles des enfants et les enfants ne sont mentionnés que dans les dispositions relatives à la pornographie enfantine. La contribution fait valoir que les enfants méritent une protection spécifique en tant que groupe vulnérable, d’où la nécessité urgente de protéger explicitement les données personnelles et la vie privée des enfants dans les instruments des droits de l’homme adoptés au niveau de l’UA, comme c’est le cas dans l’approche de la protection générale des données de l’UE. Elle conclut en réitérant la nécessité pour l’Union africaine et ses organes d’adopter de mesures plus efficaces afin de garantir la protection de la vie privée des enfants dans tous ses aspects dans la sphère numérique.
The world has witnessed an increase in internet usage in the past few years and the cyberspace has become crucial due to its potential to connect individuals and businesses as well as to facilitate service delivery and economic growth.1 Furthermore, internet usage was impacted by the COVID-19 pandemic as governments, schools, institutions and families shifted to the digital environment to ensure continuity in children’s activities such as education, leisure, play and communication.2 The International Telecommunications Union (ITU) estimates that approximately 66% of the world’s population are using the internet in 2022.3 These figures include children, who represent a third of all internet users in the world,4 and are increasingly exposed to the virtual environment.
The continued rapid expansion in internet connectivity and usage in Africa has presented benefits to some children in the region as they can enjoy their fundamental rights and freedoms such as the right to education, child participation, freedom of association, as well as their mental health through the provision of psychosocial support online. It is however noted that the benefits presented by the internet are not equally enjoyed by all children. According to a UNICEF report published in 2017, Africa is one of the continents where nearly nine out of ten children are not using the internet.5 According to the report, Africa has the highest share of non-users. Another report by UNICEF and the ITU published in 2020 reveals that only five percent of children and young people aged 25 years or less and just 13% in Eastern and Southern Africa have internet access at home, compared to 59% in Eastern Europe and Central Asia.6 These digital divides mirror broader socio-economic divides - between rich and poor, men and women, cities and rural areas, and between those with education and those without.7 Further, children with disabilities have also been left out due to lack of access to digital technologies and assistive technologies.8 Such lack of access to the internet by some groups of children impedes on their rights that have been already mentioned.
While the increased access to the internet and technology has created these opportunities for children, the benefits present other growing dangers for children’s rights online.9 Among the most critical threats to children online is the violation of children’s right to privacy. Just like adults, going online on various online platforms can put children’s right to privacy at greater risk of interference,10 hence the need to protect children’s privacy in the digital sphere in Africa. This position has been affirmed by the African Committee of Experts on the Rights and Welfare of the Child (Committee) General Comment 7 on article 27 (sexual exploitation) which stresses that ‘legal and policy frameworks should be reviewed and where necessary adapted to rapidly changing realities concomitant with developments in the digital world.’11 The United Nations Committee on the Rights of the Child (UN CRC) has also affirmed this position in its General Comment 25 in relation to children’s rights in the digital environment, noting that ‘children’s rights shall be respected, protected, and fulfilled in the digital environment.’12
In the past few years, there have been efforts to adopt treaty and soft law standards (general and child-specific) to address human rights in cyberspace, including the right to privacy by some organs of the African Union. Whilst the African Charter on the Rights and Welfare of the Child (Children’s Charter)13 provides for the protection of children’s privacy, the adoption of the Charter did not anticipate the surge of internet usage and its implications on children’s rights in Africa and thus does not have explicit provisions on children’s privacy online. In recognition of the need for cyber security and protection from cybercrime, the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention)14 was adopted in 2014. The Malabo Convention which is not yet in force as of July 2022 aims to harmonise cyber security in the member states of the African Union and to establish mechanisms capable of addressing violations of privacy that may be a result of personal data collection, processing, transmission, storage, and use.15 The Protocol to the African Charter on Human and Peoples’ Rights on the rights of persons with disabilities16 is also worth mentioning as it has a section on the rights of children with disabilities. Other soft law standards have been adopted by the African Union organs to safeguard privacy and other rights online such as the Committee’s General Comment 7, the Declaration of Principles on Freedom of Expression and Access to Information,17 and the Personal Data Protection Guidelines for Africa.18 The question that arises therefore is whether there is sufficient protection of children’s privacy online in the normative framework and standards of the African Union.
Through desk review, this article analyses the extent to which the protection of children’s privacy online is addressed in the norms and standards of the African Union. This is done through an assessment of the sufficiency of the primary instruments such as the Children’s Charter, the Malabo Convention, the African Disability Protocol and other instruments related to cybersecurity and personal data protection at the regional level in protecting children’s rights online.
The African Charter on Human and Peoples’ Rights does not provide for the protection of the right to privacy but only provides for the protection of dignity in article 5. The right to privacy is provided for in article 10 of the Children’s Charter. However, children’s right to privacy online has not yet been the subject of interpretative guidance from the Committee. Originally, children’s right to privacy focused on protections against arbitrary or unlawful interference with privacy, family home or correspondence, or attacks upon honour or reputation.19 It is however noted that privacy now has a much wider remit as the digital sphere has innovated privacy norms.20 Discussions on children’s privacy online have intensified over the past years, with many scholars trying to explain what privacy online entails and to unpack the various ways in which children’s privacy is threatened in the online environment.
Livingstone and others note that privacy in the online environment is under scrutiny as there are concerns about people’s loss of control over their personal information, their awareness about what information is public or private online and the various privacy violations that occur online as a result of their actions or the actions of state and non-state actors as well as criminals.21 The same sentiments can be shared regarding children who are increasingly using the internet and there are growing concerns on how children can lose control of their personal information, their lack of appreciation as to what information is private online and the threats to their privacy online resulting from their actions and those of other players.
Privacy online is often linked to the concept of harm and the major harm contexts that are the subject of most privacy discussions include the solicitation or grooming of young people for sexual activities; receiving inappropriate sexual images; cyberbullying; computer hacking; manipulation by technology companies or commercial enterprises; spying; and damage of reputation.22
The United Nations Children’s Fund (UNICEF) industry toolkit on children’s online privacy and freedom of expression also explains the notion of children’s privacy online as follows:23
Children’s right to privacy is multifaceted, and the physical, communications, informational and decisional aspects of children’s privacy are all relevant in the digital world. Children’s physical privacy is affected by technologies that track, monitor and broadcast children’s live images, behaviour or locations. Children’s communications privacy is threatened where their posts, chats, messages or calls are intercepted by governments or other actors, and children’s informational privacy can be put at risk when children’s personal data are collected, stored or processed. Children’s decisional privacy may be affected by measures that restrict access to beneficial information, inhibiting children’s ability to make independent decisions in line with their developing capacities.
The UN CRC notes that threats to children’s privacy may also emanate from the activities of other individuals, for instance the sharing of children’s information and photos by parents, caregivers, relatives, teachers, friends or strangers.24 The UN CRC also notes that children’s identity can be revealed by biometric data and digital practices such as automated data processing, profiling, behavioral targeting, mandatory identity verification, information filtering and mass surveillance which are becoming routine.25 Undoubtedly, these practices may result in the arbitrary and unlawful interference with children’s fundamental right to privacy and may have negative impacts on children. These impacts can affect children in their future, considering that information in the internet can stay for a long period.26
What can be noted from above is that children’s right to privacy online is also closely linked to the protection of personal data or information. There are a number of reasons as to why personal data is needed and this includes public service delivery and advertising, media reporting and legal investigations. The online environment has however created new challenges for the creation and control of personal information.27 Generation, collection, publication, storage, retention or analysis of data has implications on the protection of personal data.28 Failure to protect personal data leads to the violation of the right to privacy, hence the link between privacy and protection of personal information. Of importance to note further is that the right to privacy is linked to online surveillance as surveillance strategies may have distinct implications on children’s privacy.29
Also linked to privacy is the protection of reputation. International human rights instruments such as the Universal Declaration of Human Rights (UDHR) and the International Covenant on Civil and Political Rights guarantee individuals the right to be protected from unlawful attacks on their honour and reputation.30 The same protection is guaranteed to children in the Children’s Charter which shall be discussed in detail in the next section. Due to the increasing number of information available on online platforms, ‘the developing right to reputation will undoubtedly have serious implications for privacy’.31 UNICEF notes as follows:32
The protection of reputation online is an increasingly contentious legal and political question, and the Internet has transformed the concept of managing reputation by dramatically increasing the scale, scope and reach of information. For instance, inaccurate or revealing news items that would traditionally have been rectified with a retraction are now duplicated innumerable times and effectively stored in perpetuity. Similarly, as Internet users publish personal information about themselves and others at progressively greater rates, antisocial attacks on reputation have proliferated and been memorialized in the public domain.
Children are particularly challenged by the concerns about reputation online, especially when considering the lasting impact of damaging information.33 Issues of specific importance to children with regards to reputation online are the unauthorised use of children’s images, bullying and harassment, and the perpetuity of information shared by children or other individuals about children.34
Threats to children’s privacy online may negatively impact children’s well-being and mental health. For instance, while taking online child safety measures, educational institutions may inadvertently collect or utilise children’s data in ways that may present a threat to children’s mental health and well-being. An example would be the identification and discussion of children’s behavior (unintentional shaming) through digital technologies that are meant to enhance communication with parents. 35 On the other hand, the digital environment can present significant opportunities for enhancing child health and well-being through the provision of psychosocial support, mental health services and information to children, especially in areas where there are limited physical resources or services or in instances where children may feel uncomfortable seeking such services physically.36
It is therefore important to ensure that children’s privacy is protected online, with a focus on all the aspects of privacy. As stated by Singh and Power, the right to privacy is important both a right and an
enabler of other rights such as freedom of expression, access to information, and freedom of association among other rights.37 The right is equally important to children both offline and online and the full realisation of children’s privacy on and offline enables children to ‘fully self-actualise and self-identify in a manner of their own choosing, without undue intrusion or influences that may wish to steer their path in a particular social or cultural direction’.38 As was held by the South African Constitutional Court in the case of Centre for Child Law and Others v Media Limited & Others,39 when dealing with children, the right to privacy is crucial as it is key to a child’s self-identity which is still developing and it fosters respect for dignity, personal integrity and autonomy of young persons.
This section reviews the responses to safeguarding children’s privacy online in the normative framework of the African Union. Focus is on the Children’s Charter, which is a comprehensive regional instrument that sets out rights and defines universal principles and norms for children within the African region, as well as the Malabo Convention which imposes obligations on Member states to establish legal, policy and regulatory measures to promote cybersecurity governance and control cybercrime.40 The section also reviews cybersecurity and data protection instruments adopted by the African Union organs, analysing the extent to which they protect children’s privacy and personal data online.
Before discussing the provisions of the Charter on privacy, it is imperative to highlight that the four guiding principles enshrined in articles 3 - non-discrimination; article 4-best interests of the child; article 5 - survival and development; and article 7 - freedom of expression are of paramount importance to children’s privacy in the digital environment. As such, these principles should be taken into consideration in all actions that have a potential impact on children’s privacy online.
No child shall be subjected to arbitrary or unlawful interference with his privacy, family home or correspondence, or the attacks upon his honour, or reputation provided that parents or legal guardians shall have the right to exercise reasonable supervision over the conduct of their children. The child has the right to the protection of the law against such interference or attacks.
The interpretation of the Convention on the Rights of the Child (CRC)’s provisions on privacy by UNICEF also applies in relation to the Children’s Charter. The inclusion of ‘correspondence’ is of significance in the digital context as it implies that children’s forms of communications, including through the internet, should not be interfered with unlawfully. This implies that any instances permitting interference with a child’s correspondence should be prescribed by law.41 Regarding ‘unlawful attacks on honour and reputation’, the provision implies that there should be laws in place to protect children from conduct either verbally, orally, or through the media which may have negative impacts on their reputation.42 This provision, therefore, implies that state parties to the Children’s Charter should ensure that internet service providers (ISPs), online platforms, and internet café owners protect children’s privacy as internet users. An obligation is placed on internet service providers (ISPs) to ensure that children have adequate information and guidance to enable them to be in a position to protect their privacy online.43
The role of parents and caregivers in article 10 is worth mentioning in respect of children’s privacy online. In terms of article 10 of the Children’s Charter, parents or legal guardians have a right to exercise reasonable supervision over their children’s conduct. This is a reinforcement of article 20(1) of the Children’s Charter which provides that parents or other persons responsible for the child shall have the primary responsibility for the upbringing and development of the child. Parents and caregivers thus can provide guidance to children as they explore the internet and also control children’s activities online. This is usually done through setting up parental controls which are defined as settings that enable parents to control the type of content children can access.44 However, it has been argued that whilst the goal of parental supervision can help protect children online, parental controls also present a clear interference with children’s privacy,45 freedom of
expression, access to information, participation, and development of digital literacy.46 Parental controls can result in children failing to use technologies freely and confidentially, thereby hampering their right to freedom of expression and child participation. On the other hand, ‘applications installed to track children online may generate even more data about children’s internet use’.47 Further, parental controls may also make it difficult for children to seek outside help or advice with problems at home, thereby limiting their right to access to information.48 This includes access to information on sexual and reproductive health services as some parents may block content related to sexuality in adolescents.
Jasmontaite and De Hert argue that consideration has not been made to the fact that some children are aware of the threats to their privacy online, just like their parents.49 There is also evidence to the fact that most African parents and caregivers are ill-equipped to intervene in matters related to the cyberspace, due to generational divide.50 In some instance, parents’ activities online may also be a threat to children’s privacy, particularly the sharing of children’s information online considering that some children have no say or control on what their parents share online about them.51 In this regard, there have been different views amongst scholars as to whether there should be reliance on parental guidance to limit children’s fundamental freedoms such as privacy and freedom of expression and whether it is akin to positive African traditions.52 There is therefore a need to strike a balance between the authority exerted by parents and access to fundamental rights by children. The Committee’s General Comment No 7 stipulates that a child exploring the online environment is similar to a child offline and his or her rights to access certain online services without parental consent may well be allowed before the child turns 18. Although children are entitled to special protection, this must necessarily be balanced against their right to information and to freely express their views when using the internet and also in the context of the evolving capacity of the child.53 In addressing the tension between parental supervision and children’s right to privacy and engagement with cyberspace, due deliberation needs to be given to the importance of the internet as a resource and a means of increasing and strengthening children’s capacities, and their evolving capacities.54 Further, there is a need to strengthen the capacity of parents to educate children about online safety, as opposed to hindering children from using the internet.55 Parents should be supported to fulfill their responsibilities through educational programs and parental guides.56
Whilst the provisions of the Children’s Charter on privacy are notable and they can also apply in the online context, it is argued that the Children’s Charter does not sufficiently protect children’s right to privacy in the digital environment despite the growing evidence that children are increasingly using the internet. It is only implied that the right to privacy in the Children’s Charter also applies to children in the online sphere, but the Children’s Charter does not mention the digital environment in article 10. Implying that this right applies in the digital context might pose challenges as it might be subject to different interpretations. In as much as there are growing uncertainties over how to interpret and implement the CRC in relation to the digital environment,57 there are also uncertainties over how to interpret and implement the provisions of the Children’s Charter in relation to children’s privacy in the digital environment. The Children’s Charter does not consider the new forms of Information and Communication Technologies (ICTs) and the new privacy-related offences presented by the internet and thereby falls short in the protection of children’s privacy online. As highlighted in the introduction of this paper, this is attributed to the fact that the Children’s Charter was adopted in 1990, when the drafters did not anticipate the surge of internet usage and its implications on children’s rights, including the right to privacy online.
The Malabo Convention is premised on the understanding that the protection of personal data and private life constitute a major challenge to the information society, and that such protection requires that a balance be struck between the use of computer technologies and the protection of citizens in their daily or professional life, while guaranteeing the free flow of information.58 The Malabo Convention provides a personal data protection framework which African countries may adopt in their national legislation and calls upon member states to ‘recognise the need for protecting personal data and promoting the free flow of such personal data, taking global digitalisation and trade into account’.59
Chapter two of the Convention deals with the protection of personal data. In terms of section nine, the Convention is applicable to any collection, processing, transmission, storage or use of personal data by a natural person, the state, local communities, and public or private corporate entities. It further applies to any automated or non-automated processing of data contained in or meant to be a part of a file. In terms of article 11 and 12, state parties have an obligation to establish an authority in charge of protecting personal data whose duties among other things are to ensure that ICTs do not constitute a threat to public freedoms and the private life of citizens. Article 13 provides for the basic principles governing the processing of personal data and these are consent and legitimacy, lawfulness and fairness, purpose and relevance, accuracy, transparency, and confidentiality and security of personal data protection. Articles 16 to 19 provide for the rights of data subjects and these are the right to information, right of access, right to object and the right of rectification or erasure. The Malabo Convention also has provisions on offences specific to ICTs. In terms of article 29(2)(e), states should criminalise the processing of personal data without complying with the preliminary formalities for the processing. Children are specifically mentioned in article 29(3) which requires state parties to criminalise various offences related to child pornography. This is noteworthy considering that child pornography is an attack on children’s honour or reputation and it results in the infringement of children’s privacy online. It should however be noted that there are other forms of abuses online which might infringe children’s right to privacy and protection of their honour and reputation such as cyberbullying and grooming but these are however not covered in the Malabo Convention. There is therefore a need for more robust legal frameworks in the continent to address these issues, instead of focusing on child pornography only.60
Interestingly, the provisions on personal data protection do not mention children at all. The author believes that this might jeopardise children’s privacy online as there is no guidance to Member states on how to protect children’s personal data. As will be discussed fully in section 4, children are the most vulnerable group of internet users hence legal frameworks should have specific provisions related to children.
As of July 2022, the Convention is not yet in force as it has been only ratified by 13 countries,61 and it will come into force upon ratification by 15 countries. African Union member states are encouraged to ratify the Malabo Convention in order to unify implementations of cybersecurity and data protection regulations in the continent.62
3.3 Protocol to the African Charter on Human and Peoples’ Rights on the Rights of Persons with Disabilities
The Protocol which is not yet in force, was adopted in 2018 noting the lack of a substantive binding African normative and institutional framework for ensuring, promoting and protecting the rights of persons with disabilities. Article 28 provides for the protection of the rights of children with disabilities. Whilst this is applauded, it is noted that the Protocol does not have any provisions on children’s privacy. Article 28(3) only mentions that children with disabilities have the right to enjoy a full and decent life in conditions that ensure dignity. These shortcomings jeopardise children’s rights to privacy online as some children with disabilities use technology devices for assistance and there is no guidance on how their rights online, including the right to privacy should be protected.
3.4 Safeguarding children’s privacy online efforts by the African Union human rights institutions and other organs with potential child protection roles
Organs within the African Union that can impact the protection of children’s rights including children’s privacy online include the African Union Commission, the Committee, the African Commission on Human and Peoples’ Rights and the African Court on Human and Peoples’ Rights. This section reviews the responses of these African Union organs in the protection of children’s privacy online in Africa. The Committee would be a good starting point considering its mandate of monitoring the implementation of the Children’s Charter.
The Committee was established in 2002 and its mandate is to promote and protect the rights enshrined in the Children’s Charter.63 The Committee thus has both a promotion and protection mandate. Children’s privacy online did not explicitly feature much in the activities of the Committee until in 2019 when the Committee held a Day of General Discussion (DGD) on Online Child Sexual Exploitation (OCSE) during its 33rd ordinary session which was held from 18 to 28 March 2019. During the DGD, it was noted that OCSE was not known during the drafting of the Children’s Charter hence the provisions of the Charter do not specifically address OCSE.64
The Committee’s jurisprudence on children’s privacy online can be derived from various aspects of its mandate such as General Comments and Concluding Observations on state reports among others. No communications have been received on the violation of children’s privacy in the digital environment so far.
In 2021, the Committee adopted General Comment 7 on sexual exploitation. The general comment is based on the African Union Executive Council Decision which places an obligation on the Committee to broaden its work in ‘safeguarding and promoting the rights and welfare of children in the cyberspace, namely the protection of children’s information, rights to safety, informed choices and digital literacy.’65 The General Comment elaborates the legislative, administrative and other measures that should be taken by state parties to protect children from all forms of sexual exploitation and abuse both offline and online. Most importantly, General Comment 7 stresses that legal and policy frameworks should be reviewed and where necessary adapted to rapidly changing realities concomitant with developments in the digital world. Legislation should address online grooming and provide a mandatory reporting obligation for internet service providers.66
The General Comment also addresses issues of sexual abuse online such as online grooming and child pornography. An obligation is placed on states parties to criminalise all offences related to child pornography.67 The General Comment also has a section on extraterritoriality and international mutual legal assistance and cooperation, noting that perpetrators will constantly adapt their behaviours to exploit gaps in law and in enforcement methods. Technology on the other hand is permitting offender communities to attain unprecedented levels of organisation, which in turn creates new and persistent threats as these individuals and groups exploit online ‘safe havens’ and ‘on-demand’ access to victims.68 Legislation must give national courts jurisdiction to prosecute alleged offenders for all offences committed on the territory of the state, and also allow the state to investigate and prosecute all these offences regardless of whether the alleged perpetrator or the victim is a national of that state.69 States parties are encouraged to collect data on children’s online practices and their impact on children’s lives and safety, and on factors that affect children’s resilience as they access and use ICT.70 Due respect should be given to children’s privacy when collecting data. Whilst the general comment does not make reference to the impact of OCSEA on children’s privacy, the provisions of the general comment also protect children’s privacy online, considering that online sexual exploitation and abuse such as online grooming and child pornography have an impact on children’s privacy, honour and reputation.
The Committee also executes its mandate through state party reporting, wherein member states submit reports to the Committee on measures they have taken to give effect to the provisions of the Children’s Charter.71 A review of the state party reports and concluding observations and recommendations of the Committee reveals that the issue of children’s privacy online is not yet being highlighted by most state parties and the Committee’s concluding observations. In relation to privacy, focus has been on the privacy of children in the justice system as well as other physical settings such as schools and homes. It is however noteworthy to mention that in some of the Committee’s concluding observations, the Committee has made reference to protection of children’s privacy in the media. Although there is no explicit mention of ‘privacy online’, these recommendations also apply in relation to the online environment considering that the media can be described as ‘the main ways that large numbers of people receive information and entertainment, that is television, radio, newspapers, and the internet’.72 In the concluding observations and recommendations to the Republic of Namibia, the Committee raised concerns over the violation of children’s privacy by the media due to lack of supervision and monitoring mechanisms. The Committee recommended the government of Namibia to strengthen the Media Ombudsman to ensure that children’s right to privacy is respected and promoted.73 In 2016, the Committee also raised concerns with regards to Ghana on the frequent media coverage on accusations of child witchcraft due to its impact on the child’s dignity and privacy. The Committee recommended that the state party apply media laws strictly
to protect the identity of children when portrayed by the media.74 The Committee further noted during the consideration of Zimbabwe’s state report that there are instances whereby the media violates the rights of children due to lack of supervision and monitoring mechanisms. The government of Zimbabwe was recommended to take measures against the media houses that violate children’s right to privacy and to put in place monitoring mechanisms to ensure that children’s right to privacy is respected and promoted.75 Recently, in the concluding observations and recommendations to the government of Seychelles, the Committee raised concerns about the unauthorised portrayal of a protected child living in a children’s home in the media. The Committee encouraged the state party to adopt policies and put in place strategies to address this issue including training journalists and media practitioners about the necessity to consider the sensitivities related to children’s rights issues in general, and protecting children in this case while processing information.76 Further, the Committee encouraged the state to intensify efforts in order to stop the rising number of cases of sexual exploitation in Seychelles including online sexual exploitation and sexual exploitation of children in tourism.77 These developments are an indication that the Committee is gradually moving towards ensuring that children’s privacy is protected in the digital sphere, although there is a need for the Committee to explicitly address the issue, as opposed to just referring to the ‘media.’
In 2016, the Committee adopted a 25-year plan entitled Agenda 2040: Africa’s Agenda for Children: Fostering an Africa Fit for Children. The Agenda provides for the protection of children’s privacy online in Aspiration 7 which among other things states that by 2040, no child should be used for child pornography and calls upon states to prohibit child pornography and ensure the effective implementation of the laws prohibiting child pornography.78 As mentioned before, child pornography infringes upon children’s privacy as well, hence provisions on the prohibition of child pornography are remarkable as they ensure the protection of children’s rights to privacy.
It is also important to highlight that the Committee established a Working Group on Children’s Rights and Business during its 35th Ordinary Session held from 31 August to 8 September 2020.79 The working group was established pursuant to rule 58 of the Committee’s Rules of Procedure that allows the Committee to establish special mechanisms and ‘assign specific tasks or mandates to either an individual member or group of members concerning the preparation of its periods of sessions or the execution of special programs, studies and projects.’80 The goal of the working group is to promote the integration of a child rights based approach to business practices with a view to addressing business-related rights in Africa. The working group has the potential to advance the protection of children’s privacy in the digital environment, considering that the business sector also affects children’s privacy online. Notably, the Committee, through this working group, adopted a resolution on the protection and promotion of children’s rights in the digital sphere in 2022. The resolution notes that globalisation, technological innovations and industrial growth has resulted in increased connectivity among different groups in the continent which contributes to children’s increased access to information but makes them vulnerable to perpetrators of exploitation and abuse.81 The resolution calls upon member states to report to the Committee through state party reporting procedures, the extent to which a state is placing the necessary measures to protect children in the digital sphere, to ratify the Malabo Convention and enact Cyber Security and Data Protection legislation.82 This shows commitment of the Committee to advance children’s rights in the digital sphere and the author believes this will go a long way in protecting children’s privacy as they explore the internet. For instance, through reporting by state parties on the measures to ensure children’s privacy and personal data protection online, the Committee will be in a better position to provide informed guidance to member states on how the measures can be improved.
The Commission which was inaugurated in 1987 is established in terms of article 30 of the African Charter on Human and Peoples’ Rights to promote human and peoples’ rights and ensure their protection in Africa. The Commission is charged with three major functions, that is, protection of human and peoples’ rights, promotion of human and peoples’ rights and interpretation of the Charter.83 Currently, most of the initiatives of the Commission have been less focused on children’s privacy online and efforts to promote privacy online have occurred to a lesser extent. During the Commission’s 62nd Ordinary Session held from 25 April to 9 May 2018, a draft resolution on the right to privacy was introduced and forwarded to the Commission for consideration by the Legal Resources Centre, supported by Privacy International and the International Network of Civil Liberties Organizations (INCLO). The draft resolution which was adopted by the NGO forum but not adopted by the African Commission has noteworthy provisions on privacy in the digital sphere, although it does not mention children. It calls upon the African Commission to resolve inter alia that the mandate of the Special Rapporteur on Freedom of Expression and Access to Information should include privacy and digital rights concerns including issues related to unlawful surveillance and the collection and processing of personal data.84
Furthermore, the African Commission adopted the Declaration of Principles on Freedom of Expression and Access to Information in Africa in 2019.85 Notably, the principles mention children and thus can be used to safeguard children’s privacy online. The noteworthy provisions of the principles are discussed below.
To begin with, principle eight calls for the recognition and respect of children’s evolving capacities. States are encouraged to adopt measures that enable children to exercise their rights to freedom of expression and access to information, ensuring that the best interests of the child shall be the primary consideration. Principle 37(5) places an obligation on states to adopt laws, policies and other measures to promote affordable access to the internet for children that equips them with digital literacy skills for online education and safety, protects them from online harm and safeguards their privacy and identity. In terms of Principle 39(5), internet intermediaries may be requested by law enforcement agencies to expeditiously remove online content that poses danger or may be harmful to a person or a child.
Principle 40 provides for privacy and the protection of personal information. Although it does not specifically mention children, the principle stipulates that ‘everyone has the right to privacy, including the confidentiality of their communications and the protection of their personal information’. Further, the principle provides for everyone’s right to ‘communicate anonymously or use pseudonyms online and to secure the confidentiality of their communications and personal information from access by third parties through the aid of digital technologies.’86 States are obliged to adopt laws for the protection of personal information of individuals in accordance with international human rights law and standards in terms of Principle 42(1).
Principle 42(6) provides that the harmful sharing of personal information, such as child sexual abuse or the non-consensual sharing of intimate images, shall be established as offences punishable by law. In terms of Principle 42(7), individuals shall have legal recourse to effective remedies in relation to the violation of their privacy and the unlawful processing of their personal information. As noted by Singh and Power, the adoption of the principles is a landmark development in the recognition of the right to privacy in Africa.87 The specific provisions of children’s privacy are also significant as children’s privacy in the digital sphere is important.
There are already avenues for collaboration between the Commission and the Committee, especially in the development of general comments in which the two organs interpret the provisions of the Children’s Charter and the Protocol on Women’s Rights. The Commission can also respond to violations of children’s privacy online through various mechanisms such as onsite investigations and studies.
The African Court on Human and Peoples’ Rights was established by the Protocol to the African Charter on the Establishment of an African Court on Human and Peoples’ Rights.88 Among other human rights issues, the court has jurisdiction over issues concerning children’s rights and welfare in the region. However, currently there is no record of judicial processes concerning child protection or children’s privacy brought before the Court.
The African Union Commission (the AU Commission) is the African Union’s secretariat and undertakes the day to day activities of the Union.89 Through its various departments, the AU Commission has undertaken a number of initiatives on children’s rights online. For instance, the AU Commission is implementing a project titled ‘Strengthening Regional and National Capacity and Action against Online Child Sexual Exploitation (OCSE) in Africa. The African Union also conducted a Continental Consultation on combatting OCSE in 2019 under the theme ‘Protecting Children from Abuse in the Digital world.’ The principal objective of the continental consultation was to raise awareness among African Union member states on the dangers of OCSE as an emerging cybercrime, and to encourage member states to commit to address OCSE.90 The African Union also hosted a Global Summit on online child sexual exploitation in December 2019, in collaboration with We Protect Global Alliance to raise attention and enhance understanding of online child sexual exploitation amongst high-level decision makers, among other objectives.91 The Commission also has a Strategy and Action Plan against Online Child Sexual Exploitation and Abuse (OCSEA) in Africa (2020-2025). A combination of factors has necessitated the need for a protective online strategy for children including the rapidly increasing connectivity, limited regulation, and limited awareness.92 It is expected that the strategy will result in a number of initiatives to end OCSEA by African Union Member states,93 thereby safeguarding children’s rights online including the right to privacy.
It should also be noted that the AU Commission in collaboration with the Internet Society (ISOC) adopted Data Protection Guidelines in order to facilitate implementation of the Malabo Convention.94 The guidelines set out recommendations including two foundational principles to create trust, privacy and responsible use of personal data; recommendations for action by duty bearers (states, policy makers, data protection authorities and data controllers and processors) and recommendations on multi stakeholder solutions, wellbeing of digital citizens, and enabling and sustaining measures.95 While the Data Protection Guidelines are a welcome development, they are silent on issues related to the protection of children’s personal data.
An analysis of the instruments and jurisprudence at the African Union level indicates that children’s privacy online is still an evolving issue and children’s privacy online is not adequately protected. Although the provisions of the Children’s Charter can be used in relation to children’s privacy online, the Charter does not have explicit provisions governing children’s rights in the online environment. Therefore, there is inadequate guidance to member states on how to protect children’s privacy online, considering the emerging forms of violations of children’s privacy online which are not referred to in the Children’s Charter. The Protocol on the rights of persons with disabilities on the other hand is silent on the rights of children with disabilities online, yet there are potential privacy violation aspects related to children with disabilities online.
The Malabo Convention is a noteworthy development as it can be used to cover the gaps in the Charter relating to children’s privacy online. Whilst the Convention has a comprehensive section on personal data protection, there is no reference to the protection of children’s personal data, thereby impeding the realisation of children’s privacy online. Whilst the author agrees that the principle of universality of human rights can be implored to argue that the provisions of the Malabo Convention equally apply to children even if they are not explicitly mentioned, the author argues that children are vulnerable internet users hence their rights deserve specific protection and hence specific mention. A specific section governing the protection of children’s personal data would have addressed the special vulnerabilities of children by providing clear guidance to data controllers on how to collect and process children’s data.
Best practices can be drawn from the European Union General Data Protection Regulation (GDPR) which explicitly provides for the protection of children’s data and introduces new requirements for the protection of children’s personal data online.96 Recital 38 states that children deserve ‘specific protection with regards to their personal data, as they may be less aware of the risks, consequences and their rights in relation to the processing of personal data.’ Among other provisions, the GDPR provides for conditions applicable to the processing of children’s personal data.97 Article 8 for instance provides for the conditions applicable to children’s consent and places an obligation on controllers to take reasonable measures to ensure that consent is given by a parent or guardian. In this regard, the author argues that having a specific section dealing with children’s personal data in the Malabo Convention would have strengthened the protection of children’s personal data, thereby ensuring the protection of children’s privacy online. It is further noted that the Malabo Convention is not yet in force hence the African Union should continue with its efforts in encouraging Member states to ratify the Malabo Convention.
Other best practices to be drawn from Europe include the Council of Europe Strategy for the Rights of the Child (2022-2027),98 which includes a focus on children’s rights in the digital environment and is reinforced by the Recommendation of the Committee of Ministers to member states on Guidelines to respect, protect and fulfil the rights of the child in the digital environment, which is also available in a child friendly version. Notably, the Guidelines calls for the respect, protection and fulfillment of children’s right to privacy and data protection.99 Further, a new handbook for policy makers on the rights of the child in the digital environment was developed to complement these guidelines, by supporting policy makers in dealing concretely with the online rights and protection of children. It assists the formulation of national frameworks and policies, and provides interpretative and practical guidance to ensure the respect of children’s rights online.100
A further analysis of the jurisprudence of the African Union human rights organs further reveals that children’s privacy online is not safeguarded to a large extent. To begin with, the Committee which is the principal organ promoting children’s rights has not undertaken initiatives or developed instruments to sufficiently address children’s privacy online, especially the protection of children’s personal data. General Comment 7 addresses children’s rights online but focus is only on online child sexual exploitation and abuse. In addition, the concluding observations and recommendations to Member states do not reflect on children’s privacy online, except for a few. This can be attributed to the fact that when it was established, the Committee did not anticipate the increase in internet usage by children which could have a potential impact on children’s privacy online. As highlighted previously, the Committee is gradually moving towards ensuring that children’s privacy is protected in both the offline and online environment. The Committee’s Resolution 17 of 2022 comes in handy at this point as it calls upon states to highlight in their state party reports how they are protecting children’s rights in the digital environment in their state reports. It is thus hoped that this will assist the Committee in identifying gaps related to the protection of children’s privacy online and to come up with concrete recommendations to states on how to ensure the realisation of the right to privacy online. It is also important to note that during its 39th Ordinary Session held from 21 March to 1 April 2022, the Committee decided to hold a DGD on Children’s Rights in the Digital World during its next 40th Ordinary Session. Further, the Committee decided to commemorate the Day of the African Child 2023 on the same theme. The author believes this will go a long way in accelerating the Committee’s efforts in advancing children’s rights online, including the right to privacy.
It is further noted that children’s privacy online has not featured in the other organs of the African Union. The African Commission is an exception as the Declaration of principles on Freedom of Expression and Access to Information notably has provisions on the protection of children’s privacy online. Besides the principles, the African Commission does not address children’s privacy online elsewhere. On the other hand, the African Court and the African Commission do not have any jurisprudence on privacy online and personal data protection in general In comparison, although not specific to children, the European Court of Human Rights (ECtHR) has dealt with some cases relating to personal data protection, interpreting the concept of privacy. In its case of S and Marper v The United Kingdom,101 the ECtHR emphasized that personal data protection is crucial to an individual’s enjoyment of his or her right to respect for private life and family life as guaranteed by article 8 of the Convention. The Court further stressed that safeguards are needed where the protection of personal data undergoing automatic processing is concerned.
In the case of Axel Springer AG v Germany,102 the ECtHR held as follows:
The concept of ’private life’ is a broad term not susceptible to exhaustive definition, which covers the physical and psychological integrity of a person and can therefore embrace multiple aspects of a person’s identity, such as gender identification and sexual orientation, name or elements relating to a person’s right to their image... . It covers personal information which individuals can legitimately expect should not be published without their consent.
Regarding the AU Commission, efforts in addressing children’s rights online do not cover all aspects of children’s privacy online as much focus has been directed towards tackling online child sexual exploitation and abuse and little or no attention is paid to the protection of children’s personal data in the digital sphere. Further, little or no attention has been paid to the rights of children with disabilities online. As indicated in section 2 of this article, threats to children’s privacy also emanate from other aspects such as data collection and processing as well as sharing of children’s images online. The African Union and its organs should therefore ensure that all aspects of children’s privacy are adequately protected in its frameworks.
In that regard, the African Union and its organs, with the Committee taking the lead should encourage member states to ratify the Malabo Convention as this will enhance cooperation between African Union member states on the protection of personal data.
There is also a need for engagement with state parties during reporting procedures on the extent to which a state is placing the necessary measures to ensure protection of children’s privacy and personal data online. This will enable organs such as the Committee to identify gaps in the protection of children’s privacy online and thereby give informed guidance to member states.
There is a need to develop a guidance note for member states on children’s rights to privacy online in the context of the Children’s Charter and the Malabo Convention. As done by the Council of Europe, guidelines for policy makers on children’s rights online should be developed as these will support policy makers in concretely addressing children’s rights online and protection of their rights, including their right to privacy. The guidelines will also assist in the formulation of national frameworks and policies, and provide interpretative and practical guidance to ensure the respect of children’s privacy online. The guidelines should cover all aspects of privacy online including data collection and processing, interception of communications, surveillance and the unauthorised sharing of children’s personal information in online platforms. Most importantly, the privacy and personal data protection related to children with disabilities should be clearly addressed in the guidelines. The guidelines should also be available in child friendly formats and accessible for children with disabilities.
Guidelines on the process of child rights due diligence by companies and businesses should be developed. The guidelines should provide corporate responsibilities to private sector digital service providers on protection of children’s privacy and personal data, and putting systems in place to address violations on children’s privacy online. Guidelines on child rights due diligence by state institutions and schools should also be developed as their activities such as data collection also pose a threat to children’s privacy online.
The African Union organs should cooperate and engage in dialogue with the private sector, National Human Rights Institutions, relevant intergovernmental organizations, and civil society organisations to create awareness with children, parents, and teachers on digital literacy, children’s safety and responsible use of digital technology. Tools to assist teachers, parents and children on how to ensure privacy online should be developed.
The aim of this article was to assess the extent to which children’s privacy online is protected in the normative framework of the African Union. An assessment of the applicable instruments and jurisprudence of the key human rights bodies and reveals that children’s privacy online has not featured to a large extent in the agenda of the African Union and its organs. Most instruments adopted and initiatives undertaken on cybersecurity have paid more attention to online child sexual exploitation and there is limited focus on aspects of children’s privacy such as personal data protection, surveillance and the unauthorised sharing of children’s information online, among other things. Regarding the instruments adopted on data protection, there is no reference to the protection of children’s privacy and personal data except for the provisions of the Declaration of principles on Freedom of Expression and Access to Information in Africa. Nevertheless, such provisions are not comprehensive and there is no guidance to member states and businesses on the conditions applicable to the collection and processing of children’s data and conditions related to parental consent. Furthermore, the rights of children with disabilities online, including the right to privacy has not been given attention in the frameworks and standards of the African Union. These gaps have implications on the protection of children’s fundamental right to privacy in the digital sphere in Africa as the protection granted to children is inadequate.
The article concludes that children deserve specific attention as a vulnerable group hence the explicit protection of children’s personal data and privacy as in the approach of the EU General Data Protection Regulation is necessary to ensure the protection of children’s privacy in the digital environment in Africa. The article further concludes that cybersecurity initiatives at the African Union level should not only focus on online child sexual exploitation but on other aspects of children’s privacy such as data collection and processing, interception of communications, surveillance and the unauthorised sharing of children’s personal information in online platforms, including children’s images. The rights of children with disabilities should be clearly addressed in the responses.
2. UNICEF ‘Covid-19 and its implications for protecting children online https://www.unicef.org/sites/default/files/2020-04/COVID-19-and-Its-Implications-for-Protecting-Children-Online.pdf (accessed 11 July 2022).
8. African Union DA-NEPAD ‘Leveraging new technologies in education for children with disabilities in Africa’ https://www.nepad.org/blog/leveraging-new-technologies-education-children-disabilities-africa (accessed 24 October 2022).
9. Council of Europe Commissioner for Human Rights ‘Protecting children’s rights in the digital age: An ever growing challenge’ 29 April 2014 https://www.coe.int/en/web/commissioner/-/protecting-children-s-rights-in-the-digital-world-an-ever-growing-challen-1 (accessed 11 July 2022).
14. African Union Convention on Cyber Security and Personal Data Protection 2014 https://au.int/en/treaties/african-union-convention-cyber-security-and-person al-data-protection (accessed 24 October 2022).
16. Protocol to the African Charter on Human and Peoples’ Rights on the Rights of Persons with Disabilities in Africa 2019 https://au.int/sites/default/files/treaties/36440-treaty-protocol_to_the_achpr_on_the_rights_of_persons_with _disabilities_in_africa_e.pdf (accessed 26 October 2022).
17. African Commission on Human and Peoples’ Rights Declaration of Principles on Freedom of Expression in Africa 2019) https://www.achpr.org/public/Document/file/English/Declaration%20of%20Principles%20on%20Freedom% 20of%20Expression_ENG_2019.pdf (accessed 24 October 2022).
18. Internet Society & African Union Personal Data Protection Guidelines for Africa 2018 https://www.internetsociety.org/wp-content/uploads/2018/05/African UnionCPrivacyGuidelines_2018508_EN.pdf (accessed 24 October 2022).
20. Centre for Human Rights ‘A study on children’s right to privacy in the digital sphere in the African region’ (2022) 3 https://www.chr.up.ac.za/childrens-right-unit-publications (accessed 24 October 2022).
29. S Feldstein ‘State surveillance and implications for children’ https://www.unicef.org/globalinsight/media/1101/file/UNICEF-Global-Insight-data-governance-surveillance-issue-brief-2020.pdf (accessed 12 July 2022).
35. R Desai & P Burton ‘Child and adolescent mental health and the digital world: a double edged sword’ 116 http://www.ci.uct.ac.za/sites/default/files/image_tool/images/367/Child_Gauge/2022/digital%20worlds.pdf (accessed 24 October 2022).
45. UNICEF ‘Privacy, protection of personal information and reputation: Children’s rights and business in a digital World’ (2017) 17 https://www.unicef.org/csr/css/UNICEF_CRB_Digital_World_Series_PRIVACY.pdf (accessed 14 July 2022).
49. L Jasmontaite & P De Hert ‘The EU, children under 13 years, and parental consent: a human rights analysis of a new, age-based bright-line for the protection of children on the internet’ (2015) 5 International Data Privacy 7.
54. UNICEF ‘Child safety online global challenges and strategies’ (2012) 53 https://www.unicef-irc.org/publications/652-child-safety-online-global-challenges-and-strategies-technical-report.html (accessed 16 July 2022).
57. S Livingstone ‘Rethinking the rights of children for the internet age’ (2019) https://blogs.lse.ac.uk/medialse/2019/03/18/rethinking-the-rights-of-children-for-the-internet-age/ (accessed 16 July 2022).
59. The IBA African Regional Forum Data Protection/ Privacy Guide for Lawyers in Africa (2021) 14 https://www.lssa.org.za/wp-content/uploads/2021/07/Data-Protection-Privacy-Guide-Africa.pdf (accessed 16 July 2022).
60. J Kaberi and others ‘A case for the Malabo Convention: child protection online’ 22 April 2021 https://mtotonewz.medium.com/a-case-for-the-malabo-convention-child-protection-online-a9372840e449 (accessed 24 October 2022).
61. List of countries which have signed, ratified/acceded to the Malabo Convention https://au.int/sites/default/files/treaties/29560-sl-AFRICAN_UNION_CON VENTION_ON_CYBER_SECURITY_AND_PERSONAL_DATA_PROTECTION.pdf (accessed 18 July 2022).
62. TS Nlar ‘Why is it important for African states to ratify the Malabo Convention’ 31 July 2018 https://aanoip.org/why-it-is-important-for-african-states-to-ratify-the-malabo-convention/ (accessed 18 July 2022).
81. Resolution 17 of 2022 of the Committee Working Group on Children’s Rights and Business on the Protection and Promotion of Children’s Rights in the Digital Sphere in Africa https://www.Committee.africa/working-groups/ (accessed 20 July 2022).
84. Privacy International at the 62nd Session of the African Commission on Human and Peoples’ Rights https://privacyinternational.org/news-analysis/2227/privacy-international-62nd-session-african-commission-human-and-peoples-rights (accessed 21 July 2022).
85. ACHPR Declaration of Principles on Freedom of Expression and Access to Information in Africa 2019 https://www.achpr.org/legalinstruments/detail?id= 69#:~:text=The%20Declaration%20of%20Principles%20of,2019%20in%20Banjul%2C%20The%20Gambia (accessed 21 July 2022).
90. African Union ‘Continental consultation on combatting online child sexual exploitation’ 2019 https://au.int/en/pressreleases/20190306/african-union-continental-consultation-combatting-online-child-sexual (accessed 22 July 2022).
92. The African Union Commission Strategy and Action Plan against online children sexual exploitation and abuse in Africa 2020-2025 https://www.aucecma.org/en/campaign/the-african-union-commission-strategy-and-action-plan-against-on line-children-sexual-exploitation-and-abuse-in-africa-ocsea-2020-%E2%80%93-2025.html (accessed 22 July 2022).
96. Information Commissioner’s Office (ICO) ‘Children and the GDPR’ (2018) https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/children-and-the-uk-gdpr/ (accessed 28 July 2022).
100. Council of Europe Handbook for policy makers on the rights of the child in the digital environment (2020) https://rm.coe.int/publication-it-handbook-for-policy-makers-final-eng/1680a069f8 (accessed 24 October 2022).