Keeping the balance between fundamental rights: the case of children protection

Photo of  Kelly Sikkema on Unsplash

The main focus of the "best interests of the child" (BIC) concept is promoting the child's holistic development. This concept has three main components: substantive rights, fundamental and interpretative legal principles, and procedural rules designed to guarantee the complete and practical realization of all rights acknowledged in the United Nations Convention on the Rights of the Child (UNCRC). This concept is also anchored in article 24(2) of the Charter of Fundamental Rights of the European Union and has been highlighted by different judgments of the Court of Justice of the European Union, such as Case C-230/21.

The best interests of the child must be interpreted as an instrument to give children the right to have their benefit or convenience considered in all actions or decisions that concern or affect them.

When we face the protection of children on the Internet, very often someone advocates for a balance between the child's best interests and the right to data protection, meaning that all Internet users, including children, should assume the risk of being located, identified, monitored, controlled or profiled by third parties. This implies a balance must be struck between fundamental rights and the same fundamental rights. Exactly, the expression "fundamental rights" has been repeated twice in the previous sentence because if we do not guarantee the right to data protection of all citizens, we do not protect the right to data protection of children, and thus, we endanger their fundamental rights, among which are the best interests of the child.

This false dichotomy really wants to express that fundamental rights should be balanced concerning the commercial interests of a few actors operating in the digital ecosystem. This is a false choice that must not be made, in the same way that the false choice between security and privacy expressed in the past in different scenarios was not required. 

Only a few of these actors, very significant, and with a very specific business model relying on personal data, derive some kind of economic benefit from certain approaches to child protection.  Most Internet providers, including SMEs, those operating small or medium-sized e-commerce platforms or retail services, do not profit from their users' data. Their sites are safe for children (or can easily be made so) without needing new, high-risk processing of personal data, risking location, identification, monitoring, etc.

The best interests of the child and the right to data protection are on the same scale's pan; they are complementary, and therefore, they should not be balanced, nor should one be compromised in favor of the other; a hierarchy or competition cannot be established between them. Protecting the best interests of the child is crucial to safeguarding their safety, privacy, and data protection; ensuring the right to data protection is essential to guaranteeing the best interests of the child. 

The General Data Protection Regulation (GDPR) emphasizes that individuals, including children, especially children, have the right to data protection and to control their personal data (directly or through adults holding parental responsibility). Children often lack the maturity and the legal capacity to provide informed consent for using their personal data or entering into contracts. Protecting their personal data implies respecting their autonomy and protecting them from making uninformed decisions or that are not theirs to make.

Children are particularly vulnerable to manipulation and exploitation online. Data protection helps prevent specific actors from using children's data for targeted advertising, addictive patterns and other exploitative practices. Protecting their personal data helps create a safer online environment. Furthermore, the misuse of children's data can have long-term consequences, including identity theft and the creation of detailed profiles that can be used against them in the future. 

If the argument that refers to the balance between the best interests of the child and data protection refers to the protection of data, not of children, but of other adult individuals who use the Internet and digital products and services, we must remember the recital 4 of the GDPR: "The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality".

In such a context, fundamental rights, effectiveness, necessity and proportionality are key concepts. Effectiveness requires choosing measures genuinely effective and, at the same time, the least intrusive for the rights at stake: the measure limiting the right must effectively achieve the envisaged objective, protecting the child's best interests. Necessity requires that limiting the fundamental right to data protection be strictly needed based on objective evidence. The processing of personal data and the categories of personal data processed shall be demonstrably necessary for the purpose of the processing. 

Proportionality, however, requires that the disadvantages of limiting the right to data protection do not outweigh the advantages of processing personal data.  In other words, the limitation on the right must be justified.  Proportionality, in addition, requires that only personal data which is adequate and relevant for the purposes of the processing is collected and processed.

As can be seen, the concept of "balance" that is often invoked to take measures that are very intrusive to citizens' rights is far from meeting these requirements of effectiveness, necessity and proportionality. So maybe it is a simplistic commonplace, useful for fast or shallow discussions, but we should avoid using it if we want to reach useful conclusions that allow us to put the focus where it should be.

This post is related with the Statement 1/2025 on age assurance by the EDPB and with some other materials published by the Innovation and Technology Division of the AEPD, such as:

• Vital interest and data protection [october 2024]
• Evaluating human intervention in automated decisions [march 2024]
• Digitalization without alternatives: The risk of discriminating against elderly people [february 2024]