A. Introduction
In the digitalized world, children are introduced to the internet and various digital platforms from an early age and share a lot of personal data in this process. The rapidly advancing digital age has made the protection of children’s personal data an important legal and social issue. In this context, the fact that children need to be protected in digital environments during their developmental stage has led to the necessity of special regulations for their personal data. Efforts are made to ensure the privacy and security of children through legal regulations in both Turkish and international law.
In this article, the concept of a child, the need to protect children’s personal data, the legal grounds for this necessity, the basic principles, and legal requirements in terms of data protection will be discussed; finally, the regulatory proposals that can be brought for the protection of children’s personal data in Turkish law will be included.
B. The Concept of “Children” in the Scope of Turkish Law and International Regulations
Defining the concept of a child is important as it provides a basis for the protection of children’s rights and the implementation of protective measures in accordance with their needs. According to Turkish law, although every person has legal capacity from birth, full capacity to act requires that a person be an adult, have the power of discernment, and not be restricted. Therefore, children cannot have full capacity to act unless they reach the age of 18. The fact that children do not have the capacity to act means that they cannot give consent to the processing of their personal data independently.
In Turkish law, the concept of children is primarily regulated in basic laws such as the Turkish Civil Code No. 4721 (“TCC”), the Child Protection Law No. 5395 (“CPL”) and the Turkish Penal Code No. 5237 (“TPC”). Pursuant to the relevant basic legislation, “child” is defined on the basis of age as “a person who has not attained the age of eighteen”.
The concept of child is emphasized in international regulations, especially within the framework of the United Nations Convention on the Rights of the Child (“UNCRC”) and the European Union General Data Protection Regulation (“GDPR”). According to the UNCRC, a child is defined as “every human being up to the age of 18”. With Turkey’s incorporation of the UNCRC into domestic law, the definition of a child in Turkey is accepted as 18 years of age. In the GDPR, the concept of child generally covers individuals under the age of 16. The GDPR requires parental consent for the processing of personal data of children, and EU member states can lower this age limit to 13.
As can be seen from the aforementioned regulations, the concept of child is defined in Turkish law and international regulations based on the age limit, and as a rule, individuals who have not reached the age of 18 are considered children.
C. Necessity of Protection of Personal Data of Children
Protecting children in digital environments is important for ensuring the protection of their privacy and supporting their psychological and social development. Children are more at risk than adults because they are not aware of protecting their rights and privacy online. Violations of children’s personal data can lead to interference in their private lives, digital threats, and various forms of abuse. Therefore, the protection of children’s personal data is a necessity mandated by both national and international regulations.
D. Regulations on the Protection of Personal Data of Children
a. Regulations under the PDPL
Under Turkish law, the processing and protection of personal data is subject to the regulations in the PDPL. The PDPL determines the legal framework of personal data processing activities and imposes obligations on data controllers. Although there is no special regulation for children in the PDPL, the security of children’s data is protected by adhering to general principles.
Article 4 of the PDPL states that data processing must be in accordance with the rule of good faith, accurate, up-to-date, specific, clear, and for legitimate purposes. The aforementioned principles also apply to the processing of children’s data and require the best interests of children to be considered. The principle of best interests will be discussed separately under a distinct heading, but it is obvious that there is a need for more regulation and supervision for the protection of children, as Turkish law does not include special regulations on the protection of children’s personal data.
For instance, as a rule, explicit consent is required for the collection and processing of personal data pursuant to the PDPL. As such, explicit consent, including for children’s data collection and processing, is generally required. However, since there is no special age limit for the processing of children’s data in the PDPL, the process is carried out according to the principles of general capacity to act. Therefore, when it comes to the processing of children’s data, data controllers are required to obtain consent from parents or guardians instead of children. In other words, parents or guardians make decisions on how their children’s personal data will be used and are obliged to protect their children’s privacy. It is assessed that parents or guardians who have such an obligation should be made aware of and supervised in this regard.
b. International Regulations and GDPR
The UNCRC provides a universal framework for the protection of children’s rights. Article 16 of the UNCRC states that the child must be protected against interference with his or her private life, family, and communications. This provision also includes the need to ensure the confidentiality of children’s personal data in digital environments. The UNCRC, to which Turkey is a party, places the obligation to ensure children’s data security on the state parties and provides a basis for the protection of children’s rights in the digital world.
The GDPR is one of the most comprehensive regulations for the protection of children’s personal data. The GDPR requires parental consent for children under the age of 16 to access digital services and requires children to be informed about data processing processes. The GDPR’s principles of “privacy by design” and “privacy by default” mandate high security standards to protect children’s data on digital platforms. The GDPR also recognizes the right to be forgotten, which allows children to have their data deleted from digital platforms upon their request, so that they are not affected by their digital traces in the future.
In addition, various international organizations such as the Council of Europe and the Organization for Economic Cooperation and Development (“OECD”) have also adopted principles for the protection of children’s data.
c. Principle of the Best Interest of the Child
The principle of the best interests of the child is a principle that prioritizes the needs and safety of the child in data processing. The best interest of the child aims to protect their physical, mental, social, and emotional development. This principle, enshrined in Article 3 of the UNCRC, is an international regulation to which Turkey is a party and considers the protection of the child as a priority right. At the same time, this principle obliges ensuring the data security of the child and taking child-specific measures in data processing.
The principle of the best interest of the child must be taken into account by decision-makers at all levels, families, educators, and society in general, and this principle is a norm that should always be prioritized. As a matter of fact, the balance between the concepts of public interest and the best interest of the child is set out in the decision of the Personal Data Protection Board dated 30.09.2021 and numbered 2021/989, which states that the public interest should be interpreted narrowly when the source of personal data is a child.
E. Violations against the Protection of Children’s Data and Legal Remedies
In the event of a breach of children’s data in the digital world, parents or guardians can apply to the data controller and request that the breach be remedied. In Turkey, complaints can be filed to the Personal Data Protection Authority in case of data breaches. While Article 12 of the PDPL stipulates administrative fines for data controllers who violate the data security obligation, it should be noted that children who have suffered a breach are also entitled to compensation for material and moral damages.
For instance, when children’s photos or information are shared on social media platforms without their consent, this may be considered a data breach. In this case, the child’s private life is violated, and they are vulnerable to threats such as identity theft or digital bullying. Data controllers are required to implement additional security measures to ensure that children’s personal data is not breached.
F. Suggestions for the Protection of Children’s Personal Data under Turkish Law
The lack of specific data protection regulations for children may lead to legal gaps and difficulties in implementation. Considering examples such as the GDPR at the international level, it is important to establish a special data protection law for children in Turkish law. For this reason, drawing inspiration from the GDPR, the regulatory proposals for the protection of children’s personal data in Turkish law can be listed as follows:
- Regulations on Age Limits: Setting age limits for the processing of children’s personal data and requiring parental consent for children under a certain age
- Simplification of Disclosure and Consent Processes: Ensuring transparency in data processing processes on digital platforms for children and preparing information texts in a simple manner that children can understand
- Education and Awareness Raising Activities: Organizing training programs for children to gain digital awareness, raising awareness of parents and children on data security
- Ensuring High Security Standards: Digital platforms for children should ensure high security standards, taking into account the principles of “privacy by design” and “privacy by default” in the GDPR
G. Conclusion
The protection of children’s personal data is of great importance to ensure effective protection against the risks they face in the digital world. Although the PDPL provides a general framework for the protection of children’s data, the lack of child-specific regulations leads to legal gaps in practice. Since parents and guardians have the authority to give consent on behalf of their children in the processing of children’s personal data, it is of great importance to raise awareness regarding data security among parents in this process. In particular, for children to safely navigate digital environments, the data security awareness of parents and guardians should be increased, and informed consent mechanisms should be established. When necessary, filing a complaint to the Personal Data Protection Authority in cases of data breaches or security vulnerabilities will be an effective step to protect children’s digital rights.
At the international scale, regulations such as the GDPR set high security standards for the protection of children’s data and ensure that children can safely exist in digital environments. In Turkish law, regulations that prioritize the best interests of children will provide more effective protection against the risks that children may be exposed to in the digital world and will significantly contribute to their healthy development.