COVID-19 and children in the digital environment

May 5 2020, defenddigitalme

Many Data Protection Authorities have published fresh guidance on health data, but there has been less discussion of data protection and privacy in education. The implications of the global rush to remote instruction at unprecedented speed and scale, include an increased datafication of children, with consequences that may last well beyond lockdown, and for life.

Together with thirty-five organisations across five continents— we call for action from policy makers, data protection authorities, and providers worldwide, to co-operate globally to publish guidelines, monitor practice, and ensure compliance, and to recommend and promote only safe, fair and transparent products, ensuring education without exploitation.

Text of the letter in full follows below, with signatories.
[Download letter as .pdf].
Or listen to an audio file of the text of the letter here. [10 minutes]

First published online on April 16, 2020 and was separately distributed by email to data protection authorities and policy makers

An open letter to policy makers, data protection authorities, and providers worldwide, regarding rapid technology adoption for educational aims

We believe that every child has the right to a safe, open, and inclusive education, free from commercial exploitation, that enables their full and free development into adulthood and promotes human flourishing.

As an estimated 90% of the world’s student population are affected by school closures [1] in the COVID-19 pandemic, technology is playing a vital role worldwide. Some tools enable the delivery of essential information, connecting school communities outside the classroom. Others provide national platforms [2] for sharing educational materials, or offer alternative means and modes of Assistive Technology and augmented communications, supporting the rights of those with disabilities. [3]

However the rushed adoption of technology around the world, to deliver emergency remote instruction, risks undermining learners’ and children’s rights at an unprecedented speed and scale. We urge organisations and education authorities to procure and recommend only those technologies which openly demonstrate that they uphold children’s rights, and call on States Parties to offer a secure online space for all children to access knowledge without commercial interference.

Recognise the Rights of the Child

Sustainable Development Goal 4 [4], adopted by all United Nations Member States in 2015, provides a shared blueprint to ensure inclusive and equitable education opportunities for all, without discrimination. [5] Article 24 of the UN Convention on the Rights of Persons with Disabilities, and the UN Convention on the Rights of the Child [6], ratified by over 197 State Parties worldwide, already offer a robust framework for protecting children’s rights that should be applied by all parties in the rapid adoption of online learning technologies during the COVID-19 crisis.

Children’s rights include non-discrimination (Article 2 UNCRC), that the child’s best interests shall be a primary consideration in all things (Article 3 UNCRC and Article 24 of the Charter of Fundamental Rights of the EU (CFREU)) [7], freedom to full development of their personhood and character (Article 6 UNCRC), rights to privacy and reputation, and protection from arbitrary or unlawful interference with family, home or correspondence (Article 16 UNCRC and Article 8 of the European Convention on Human Rights (ECHR), Article 7 CFREU), data protection (Article 8 CFREU), freedom of expression (Article 13 UNCRC, Article 10 ECHR, Article 11 CFREU) and freedom of thought (Article 14 UNCRC, Article 9 ECHR, Article 10 CFREU). Children have rights to rest, leisure and play (Article 31 UNCRC) and health (Article 24 UNCRC). And the education of the child shall be directed, according to Article 29 [8], to the development of the child’s personality, talents, mental and physical abilities to their fullest potential with respect for human rights, fundamental freedoms and principles. Children are also entitled to protection from economic exploitation under Article 32 of the UNCRC. [9]

To protect these critical rights for children, we call on

  1. Data protection authorities to co-operate globally to publish guidelines, monitor practice and enforce compliance of e-learning platforms [10], children’s apps and other edTech.
  2. Policymakers to consider the impacts of the current use of e-learning, and to conduct and publish children’s rights, equality and data protection impact assessments. Recommend and adopt only platforms and resources to schools that adhere to the obligations to respect, protect and fulfil the rights of the child in the digital environment [11] and UN General Comment No.16 (2013) [12] regarding the business sector impact on children’s rights. Publish any decisions about new national level product or service adoptions, and commit to review practices, and their impacts with civil society including the most affected and marginalised communities, once the emergency situation has ended.
  3. Providers not to exploit students’ participation in compulsory education for commercial gain, in particular at this time when consent cannot be considered freely given. To adhere to best practice consistent with the rule of law, and with suitable safeguards for students’ security and privacy, including accessible and inclusive curriculum needs, encryption and data protection by-default-and-design; avoiding profiling, dark patterns or interference from opaque nudge techniques, and behavioural and emotional analytics. Further, we call on providers to be fully transparent about processing personal data, automated decision making, and the sources and assumptions made in any training data, used in tools that employ artificial intelligence. [13]
  4. Educators to procure and recommend resources where children can learn untouched by monitoring, profiling, data mining, marketing, or manipulation for commercial exploitation.

Why this matters now and for every child’s future

A child’s human dignity [14] and their journey into adulthood is, in part, shaped by their digital experience and their digital footprint created from it. The effects of such tracking, profiling, data distribution and commercial targeting may be lasting, and impede the full and free development of a child—in particular where children are influenced by those who see them only as consumers, where data are discriminatory or stigmatising, used to manipulate their mood [15], and where personal data are reused without consent, in further and higher education, or for employment, identity or insurance screening.

Software introduced without adequate due diligence and staff or families’ training with regard to privacy and security settings can compromise safety, exposing children in virtual classrooms to advertising and manipulative content [16], racist, pornographic, violent, or other inappropriate material. [17]

Children are disadvantaged by the power imbalance between them and school authorities [18] under normal circumstances. But this imbalance is only made worse in the current circumstances, as some States Parties choose to impose surveillance, and allow commercial companies into children’s home life without consent. [19] Others take the view that ‘tracking student data without parental consent is not only illegal, it is dangerous.’ [20] Companies must not misuse the additional power that the current situation conveys on them, to further their commodification and use of children’s personal data, for their own purposes and to extract profit.

Privacy is not only a right, it is integral to the development and adoption of responsible online tools, for the good of society, and for keeping children safe. [21] We can and we must make fairer, safer and more transparent choices for our children’s future in the design and use of technology in education.

General comment No. 5 on the implementation of the UNCRC emphasises that “implementation of the Convention is a cooperative exercise for the States of the world” [22] and includes the obligation to ensure that non-State service providers also operate in accordance with its provisions, thus creating indirect obligations on such actors.

We call on every country to commit to action, and to require all actors in education to uphold children’s and family rights, including their protection, participation and privacy; to build and procure trustworthy tools; and to turn a rights’ respecting vision of education into reality.


Defend digital me
Campaign for a Commercial-Free Childhood
5Rights Foundation
Access Now
Asociación por los Derechos Civiles (ADC)
Badass Teachers Association
Berkeley Media Studies Group
Bolo Bhi
CRIN (Child Rights International Network)
Consumer Action
Consumer Federation of America
Corporate Accountability
Digital Rights Foundation
EDRi (European Digital Rights)
Educadigital Institute – Open Education Initiative
Electronic Frontiers Australia (EFA) Inc.
EPIC (Electronic Privacy Information Center)
Instituto Alana
IPANDETEC (El Instituto Panameño de Derecho y Nuevas Tecnologías)
The National Education Union (NEU)
New Dream
Obligation, Inc.
Open Rights Group
Parent Coalition for Student Privacy
Parents Across America
Parents Together
P.E.A.C.E. (Peace Educators Allied For Children Everywhere)
Privacy International
Privacy Salon
Public Citizen
Public Knowledge
TEDIC (The Association of Technology, Education, Development, Research, Communication)
TRUCE (Teachers Resisting Unhealthy Childhood Entertainment)
Women Leading in AI Network


[1] UNESCO COVID-19 Educational Disruption and Response
[2] UNESCO list of National learning platforms and tools (accessed March 28, 2020)
[3] UN Convention on the Rights of Persons with Disabilities (UNCRPD) Article 24
[4] The SDGs build on decades of work by countries and the UN
[5] Discrimination by age, ethnicity, gender, language, race, religion, political or other opinion, national origin, as well as the characteristics of persons with disabilities, special educational needs, migrants, and indigenous peoples.
[6] The UN Convention on the Rights of the Child (1990)
[7] Charter of Fundamental Rights of the European Union
[8] UNICEF aims of education
[9] Van der Hof, S et al (forthcoming 2020) The International Journal of Children’s Rights.
[10] Resolution on e-learning platforms adopted by the 40th International Conference of Data Protection and Privacy Commissioners (ICDPPC) (2018)
[11] In accordance with the Council of Europe Guidelines on Children in the Digital Environment Recommendation CM/Rec(2018)7
[12] Committee on the Rights of the Child General comment No. 16 (2013) on State obligations regarding the impact of the business sector on children’s rights
[13] Federal Court Rules ‘Big Data’ Discrimination Studies Do Not Violate Federal Anti-Hacking Law (2020)
[14] The Committee on the Rights of the Child set out in 2001 that education must be provided in a way that respects the inherent dignity of the child
[15] Facebook’s flawed emotion experiment: Antisocial research on social network users (Shaw, 2015)
[16] Kids are being bombarded with online ads (sometimes graphic)––in school. Time to STOP online ads to students? Missouri education watchdog (2018)
[17] New York Attorney General Looks Into Zoom’s Privacy Practices (March 30, 2020)
[18] Facial recognition in school renders Sweden’s first GDPR fine (2019)
[19] The Welsh Government Hwb (March 23, 2020) ‘Previously, these services have only been made available where learners or their parents/carers had given consent, from Monday 23 March 2020, schools will no longer rely on consent.’
[20] Google sued by New Mexico attorney general for collecting student data through Chromebooks (Feb 2020) The Verge
[21] $610K settlement in School Webcam Spy Case (2010) Robbins v Lower Merion
[22] General comment No. 5 (2003) General measures of implementation of the Convention on the Rights of the Child (arts. 4, 42 and 44, para. 6) The Committee emphasizes that States parties to the Convention have a legal obligation to respect and ensure the rights of children as stipulated in the Convention, which includes the obligation to ensure that non-State service providers operate in accordance with its provisions, thus creating indirect obligations on such actors.


Published regulatory comments or guidance

Slovenian Data Protection Authority (IP)

  • Issued an opinion on the processing of personal data of minors in education in response to the pandemic. [link in English to NOYB summary] [link to original source]

France Data Protection Authority (CNIL)

  • Consultation open until June 1, on the processing of personal data of minors. [link]

The European Data Protection Board

  • Statement by the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak. [March 19, 2020, link]

Poland Data Protection Authority (UODO)

  • A guide for schools on security and data privacy principles in remote learning, under Polish law and GDPR. [April 1, 2020 link]

Turkey Data Protection Authority

  • Public Announcement on Distance Learning Platforms [link]

The US Federal Trade Commission (FTC)

summary of asks to recognise the rights of the child

Our broader COVID-19 response at defenddigitalme

Our first reaction was to address hand hygiene and the use of biometric fingerprint readers in schools, and ask If schools close, what happens to children on Free School Meals.

We are happy to answer questions for support at any time.