Introductory Statement
Human Rights Watch is a non-governmental organization that monitors and reports on human rights in over 100 countries around the world, including Japan. Human Rights Watch submits these comments in response to the call for public consultation on the Draft First Report of the Youth Protection Working Group under the Study Group on Addressing Various Issues in Information Circulation in Digital Space (Ministry of Internal Affairs and Communications, June 2026).
Human Rights Watch welcomes the Working Group’s recognition that existing frameworks are insufficient to address the diversifying risks children face online, including those arising from platform design, algorithmic amplification, and children’s own information-sharing activities, and that protection measures should be activated in the default setting. However, Human Rights Watch urges the Japanese government to go beyond merely identifying these risks by adopting laws that comprehensively protect children’s data, and in doing so, protect the full range of their rights in the digital environment. Such measures should be grounded in the United Nations Convention on the Rights of the Child (UNCRC) and the Committee on the Rights of the Child’s General Comment No. 25 (CRC/C/GC/25), which provides authoritative guidance on implementing the UNCRC in the context of digital technologies.
Chapter 4 Discussions at This Working Group
2. Common Understanding at This Working Group
Human Rights Watch supports the Working Group draft’s recognition that risks have diversified beyond passive content reception; that safety needs to be balanced with children’s rights to access information, their right to expression and broadcasting, and their right to participation; that a broader, multi-stakeholder approach is needed; and that “mere prohibition is not enough.” Children have a right to participate meaningfully in digital environments, including by contributing to policy development and the design and implementation of digital products and services (General Comment No. 25, paras. 16–17). A comprehensive approach—rather than one that relies solely on prohibition—is therefore required (General Comment No. 25, para. 24).
However, the draft’s risk management framing needs to be complemented. These protections should be understood not merely as risk prevention, but as the protection of children’s rights as rights-holders under the UNCRC—and should be in line with Japan’s obligations as defined in the UNCRC, and General Comment No. 25—children’s rights in relation to the digital environment—to which Japan also contributed.
Companies have a responsibility to respect children’s rights. When resolving potential tensions between different rights, for example, between protecting children’s access to information and protecting them from harmful information that injures their well-being, regulations need to ensure that children’s freedom of expression is respected, and that any safety measures that restrict it should be strictly limited, and are lawful, necessary, and proportionate (General Comment No. 25, para. 56, 59).
3. Youth Protection Measures in Platform Service Design
① Approach to Protection Measures
Human Rights Watch supports the Working Group’s recommendation that platform operators be required to conduct risk assessments and implement and publish protection measures, together with the establishment of an external mechanism to re-evaluate these. At the same time, Human Rights Watch recommends that a comprehensive child data protection framework should be added to these recommendations.
To avoid the risk of specific regulations becoming outdated in the face of unpredictable technological development and progress, children need to be protected in a future-proof and technology-neutral way. And the key common element across all technologies is “the use of children’s data.” How companies collect and use children’s data to deliver their products and services is a central factor in whether technology promotes or violates children’s rights.
The government of Japan should therefore either (a) amend the Act on the Protection of Personal Information to incorporate comprehensive child data protection provisions, or (b) enact a new child data protection law, each supported by effective and adequately resourced implementation and enforcement mechanisms.
Technology companies have long freely gathered vast amounts of personal data from children—piecing them together to deduce intimate characteristics including each child’s identity, location, interests, emotions, health, and relationships—and used this information to design and deliver products and services that prioritize profits over protecting children’s rights and wellbeing. Human Rights Watch’s own research on educational apps—including products recommended in Japan by the Ministry of Education—found that the vast majority secretly surveilled children and sent their data for behavioral advertising. There have also been reports of AI chatbots using data gathered through their conversations with children to nudge them towards self-harm.
The child data protection framework should embed at least the following principles: (a) Coverage (General Comment No. 25, para. 39): apply to all digital products and services that children are likely to access or be impacted by, regardless of whether they are “directed at” children; (b) Children’s best interests (General Comment No. 25, paras. 12, 35, 38): (i) child rights due diligence must evaluate businesses’ impacts on children’s rights, disclose these impacts to the public and take steps to prevent, monitor, investigate and punish abuses; (ii) safety restrictions must be lawful, necessary, and proportionate (para. 59); (c) Privacy and safety by design and by default (General Comment No. 25, paras. 70, 77): companies must set children’s privacy and safety settings to the most protective level by default and proactively address risks before harm occurs.
Legislation should apply to all digital products and services that children are likely to access or be impacted by. The Working Group’s recommendation states that “criteria should be set such that services actually used by many young people are covered, without limiting by service type or category.” Human Rights Watch recommends going beyond to include all digital products and services that children are likely to access or be impacted by should be covered. Children’s rights are inalienable, unconditional, and apply wherever children are. Companies should not apply protections only to products directed at children or draft their terms of service to formally exclude children in order to avoid legal responsibility, even when their services are actually being used by children.
② Age Verification as a Prerequisite for Protection Measures
Human Rights Watch supports the Working Group’s recommendation that the stage, method, and level of “age verification” should be examined with due consideration for privacy and security risks.
At the same time, Human Rights Watch recommends that the introduction of a robust child data protection framework should be added to the recommendations, to address the risk that “age verification” processes may give rise to rights violations of children and others. Reliance on single, standalone solutions such as age verification should be avoided, particularly where they fail to consider equally important measures such as businesses’ responsibility to design and operate their services in ways that are safe for children by default, and to ensure that any restrictions on their rights meet the requirements of legality, necessity and proportionality.
Self-declaration methods are ineffective in practice. Most age verification methods that exist today pose a high risk of violating the privacy rights of children and adults alike. Indeed, a 2025 study conducted by the Australian government and a 2022 study conducted by the French government both concluded that there currently exists no age verification solution that satisfies accuracy, effectiveness, and data privacy and security protection simultaneously.
Furthermore, even if age verification processes violate privacy or other rights, there is currently no legal basis in Japan that would provide children with safe redress and remedy, a problem that needs to be addressed.
③ Default Settings for Protection Measures
Human Rights Watch recommends expanding the Working Group’s recommendation—that “protection measures should function in the default setting when a user is confirmed to be a minor”—so that default protections apply across all digital products and services that children are likely to access or be impacted by, not only when a user has been confirmed to be a minor. This is to reflect General Comment No. 25’s emphasis on privacy and safety by design and by default for services children are likely to access (General Comment No. 25, paras. 70, 77).
Legislation should compel companies to set children’s privacy and safety settings to the most protective level by default—not merely make such settings available or provide opt-out measures. The burden must not fall on parents or children to navigate complex settings menus. This includes algorithmic settings (e.g., disabling recommendation algorithms, infinite scroll, and push notifications for minor accounts by default), consistent with the obligation to proactively identify and address risks to children before harm occurs (General Comment No. 25, para. 38, 40).
5. Technical Protection Measures Including Filtering
Human Rights Watch agrees with the Working Group’s analysis that the concept of “filtering” is outdated and should be reconceptualized as “technical protection measures”—in the sense of protecting young people through technology in a broader way—and that the approach under the Youth Internet Environment Act should be reviewed (General Comment No. 25, para. 39, 96). Human Rights Watch also supports the recommendation that “the provision of protective features by Operating Software developers should be mandated as ‘technical protection measures,’ given their usefulness.”
At the same time, for such “technical protection measures” to be truly effective, children’s data protection must first be established as a prerequisite.