Highlights from a panel discussion following on the release of UNICEF’s manifesto on better governance for children’s data

By Emma Day

In June 2021, the United Nations Children’s Fund — better known as UNICEF — published The Case for Better Governance for Children’s Data: A Manifesto, the result of a year of brainstorming with a working group made up of seventeen data governance experts, writing discussion papers, and regional online consultations across different time zones. In the manifesto, UNICEF urged the international community to develop stronger norms, standards, and principles related to data protection for children, and called on governments, companies, and civil society to implement children’s data rights and to give children and communities more agency over their own data. UNICEF also identified key enablers of good governance of children’s data such as policy innovations and international collaboration to strengthen children’s data protection across jurisdictions.

On August 10, Malavika Jayaram, founding executive director of Digital Asia Hub, and I sat down (virtually) with data governance experts from South Africa, Zimbabwe, Singapore, Malaysia, and the Philippines to discuss how the manifesto could be implemented in Asia and Africa and to try to answer some compelling questions, such as:

• What does it mean for the world that the most influential data protection laws come from the United States, Europe, and China, with Europe’s General Data Protection Regulation (GDPR) being the most dominant globally? How should countries in Asia and Africa revise their data protection laws and what standards should they be following?
• How can companies operating in Asia and Africa protect children’s data to the highest standards, even with few data governance laws and standards at national levels?
• What innovations in Asia and Africa could be leveraged to improve data governance for children globally, and what else is needed?

Telecoms in Malaysia: a private sector perspective

To help us understand what the private sector can do in this space, we heard from Phillip Ling, head of sustainability at Digi, one of the leading mobile operators in Malaysia, about responsible business initiatives (also known as “Yellow Heart”) the company has taken to improve children’s data protection in Malaysia. Ling explained that, for Digi, online safety, data protection, and cybersecurity form a triangle as three interdependent components. Though the Malaysian Personal Data Protection Act is not as comprehensive as the GDPR, Digi is influenced by its Norwegian parent company, Telenor, and has implemented greater data protections for children than required by Malaysian law, including the appointment of a data protection officer in 2018.

Digi also conducted a child rights impact assessment, using a UNICEF tool, that Ling emphasized is different from a general human rights impact assessment because it covers many issues related to children that might otherwise be missed. Apart from a desire to be socially responsible, Ling explained that Digi recognizes that customers value trust, transparency, security, and accountability, so it also makes good business sense to invest in all of these things for the long run.

Some examples of putting these principles into practice at Digi include:

• They created an infographic version of their privacy notice to make it more accessible and easier for users to understand, especially children.
• They have a dedicated Safer Internet website to teach children about how data is shared and about the dangers of oversharing online, which aims at empowering children with information to make informed choices.
• They specifically address children’s rights when participating in policy and decision-making. For example, in a public consultation with the Malaysian Personal Data Commission, Digi pushed for children’s rights to be included by advocating for special provisions related to children’s data processing to be incorporated into the Personal Data Protection Act.

Notwithstanding Digi’s efforts so far, Ling highlighted that there is still a lot of work to be done by the private sector. For example, obtaining meaningful parental consent is an issue that many companies are still grappling with. Parents need more awareness about data protection, and most don’t even understand the basics about what privacy is and how it works, let alone the jargon (e.g., “data subject”) used in contracts. This means it can be difficult for parents to know what they are agreeing to, and often they might just opt-in to their child’s data being collected, in order for their child to be able to enjoy using important online services. Today’s children are often required to be online for school or, eventually, work, and parents may not have the time or energy to consider the ramifications of what is being asked when something is deemed as “important” or “essential” for their children.

Enabling youth participation and use of data for good with Code for Africa

Tricia Govindasamy, senior data product manager with Code for Africa, highlighted that data is extremely important in development contexts and in informing policy and decision-making. Child populations are much larger percentage-wise in developing nations, whereas most policies are developed in the countries in North America and Europe, which have some of the lowest percentages of child populations. Compared to all other regions in the world, Africa has the highest percentage of youth population — 50 percent are 19 or younger — followed by Latin America and the Caribbean, then Asia, Oceania, North America, and Europe, according to the 2019 UN World Population Prospects.

There are many challenges in relation to using data for good in Africa, including an overall lack of quantity of data, a lack of access to open data, and the exclusion of groups of people from datasets, making those datasets poor quality. Most data that is available is not available online or, if it is, remains on websites or in PDF reports, which then need to be scraped into machine readable format to be useful for policymakers.

Code for Africa is working to empower civil society in several African countries to understand how to collect and process their own data, leading to policy change and greater social inclusion. For example, in the Makoko slum in Nigeria, the community living in the area did not appear on any official maps, and so were excluded from provision of government services. Code for Africa trained young people to collect data and map their local area to allow for easier navigation of its streets going forward and to highlight the need for social services to be provided to the area, both as part of an effort to equip girls with more technical skills.

In Kenya and South Africa, Code for Africa’s “sensors.AFRICA” initiative deployed air quality sensors in schools. In South Africa, children were also trained in data collection and data literacy. In Kenya, the results produced from the sensors indicated that the air quality was so poor that it was similar to a child smoking two cigarettes a day, and highlighting this made it easier to campaign for changes to improve children’s health.

Tricia emphasized that we need children to better understand data and privacy. Data literacy camps can be good, but they are not accessible to everyone, so there is a need to incorporate data literacy into the school curriculum, which therefore requires teachers to be trained in data literacy. It has worked well in South Africa where schools have run hackathons that give teams of students the opportunity to be mentored by experts, motivating them with prizes for the best solutions, and focusing on girls to increase their representation in STEM fields.

Challenges in Zimbabwe and elsewhere in Africa

Kuda Hove, a policy officer at Privacy International, noted that, as a Zimbabwean living and working in the United Kingdom, he has observed distinct differences between Western and African approaches to data governance. Hove noted that we see a lot of policies developed outside of Africa that are imported into Africa. The challenge with this, however, is that there’s a difference in the context in which the policy is made and the contexts to which the policy is imported. We know that the dominant data governance policies come from the United States and Europe, where there are strong democratic institutions, functioning judicial systems, and independent commissions that oversee rollout and enforcement. These, however, can be less common in African jurisdictions. In Western countries, there is also generally a higher level of public awareness about how to claim individual rights and greater access to redress mechanisms.

To further complicate matters in Africa, many data protection authorities are not well funded and therefore do not have the resources to provide much oversight over data processing. There are also questions about independence of data protection authorities that may be led by people closely connected to those in power. On top of this, members of the public often aren’t aware of the importance of data protection and privacy, so they don’t push the government to do better: in the absence of public pressure, the government won’t hold itself accountable.

Hove recommends prioritizing educating the public about privacy and data rights so they can push their elected officials for accountability. In practical terms, at a local level, Hove also identifies a need to think about how to start in schools and introduce clubs focused on privacy and data protection, which can then be expanded into community meetings and discussions. Data needs to be spoken about in less abstract and technical ways and better explained in day-to-day language that average people can understand. It doesn’t need to be a formal workshop, but rather can start in social clubs and through groups on Whatsapp,Viber, or any other platform people are already using.

Making data privacy laws work for children in the Philippines

Regarding the Philippines, Rory Torres, an independent Filipino attorney, said that, since the pandemic and as schools have relied more on remote learning platforms, there is increasing data being collected from children by those who don’t necessarily have children’s data rights as a priority. When both the government and private sector provide learning resources, especially those that create learning profiles and use individualized learning approaches, more individualized data will be collected, and, with that, there is a risk that children can be surveilled by governments or profiled by the private sector.

There are already quite robust privacy laws in place in the Philippines that are mostly based on the GDPR, but there is still a need to focus more on how these should apply to children. A consent-based framework for data processing can be problematic when it comes to children’s data. Parents will give consent because otherwise their children will be excluded from educational opportunities. There is a need to shift responsibility of data governance to the government, which is a great opportunity for collaboration with the private sector, governments, and parents and children.

Torres emphasized that it’s important to move the discussion beyond internet safety to also include data governance for children. This needs to take into account the evolving capacities of children, different identities of children across cultures, genders, sexualities, and religions, and how to empower them to be part of a thriving internet on which they feel safe and at the same time can be who they are and who they want to be. The key is context. There cannot be a blanket approach, noting the differences between two years olds and six year olds, or between tweens and teens, first-time internet users or advanced users, not to mention many other other social, cultural, and economic considerations.

Conclusion

The Case for Better Governance for Children’s Data: A Manifesto is just the beginning, and the real challenge of implementing its recommendations still lies ahead. This panel discussion was an important first step in hearing from thought leaders from Asia and Africa about the importance of children’s data governance for their own countries and regions and about how the aspirations set out in the manifesto can best be implemented in countries where governance in general is weak and child rights are not prioritized. UNICEF hopes that experts from all regions of the world will take up the call to action for improving the governance of children’s data. It is critical that leadership on children’s data governance emerges not just from the countries of North America and Europe, but also from the Global South, and that these voices are afforded space and power in the global data governance arena.

Emma Day is a Non-Resident Fellow with the Digital Forensic Research Lab (DFRLab).

Cite this article:

Emma Day, “Policy brief: Children’s data governance in Asia and Africa,” Digital Forensic Research Lab (DFRLab), September 2, 2021, https://medium.com/dfrlab/policy-brief-childrens-data-governance-in-asia-and-africa-40d174b891c5.

Follow along for more in-depth analysis from our #DigitalSherlocks.