- The age of consent is too high and needs to be reduced
- More grounds are needed for processing without consent
- Data portability provision is too wide
- Align data breach guidelines with international standards
- Leave content regulation out of the Bill
- Redefine psychological harm
The above were some of the key points raised at MediaNama’s Decoding India’s Data Protection Bill event held last week, where Nehaa Chaudhari from Ikigai Law, Ulrika Dellrud, Chief Privacy Officer at PayU, Uthara Ganesh, Head of Public Policy at Snap India, and Udbhav Tewari, Public Policy Advisor at Mozilla, shared their thoughts on the Data Protection Bill 2021 and the Joint Parliamentary Committee (JPC) report on the Bill, both of which were tabled in parliament in December 2021.
This discussion was organised with support from Google, Flipkart, Meta and Star India, and in partnership with ADIF.
Why the age of consent needs to be reduced
Threshold of 18 years is too high: The Data Protection Bill 2021 sets the age of consent at 18 years, which multiple stakeholders have found to be too high. Commenting on this, Ganesh pointed out that:
- Higher than global standards: Ganesh pointed out that at 18 years, the age of consent in India is much higher than in the US and UK, where it is 13 years, and the EU, where the GDPR gives member states flexibility to choose between 13 and 16 years.
- Cuts out 41 percent of the population: By keeping the age of consent at 18, we are effectively cutting out 41 percent of the population, Ganesh said. “It is sort of noteworthy because it is a time where tech adoption has generally seen acceleration because of the pandemic. So, this is sort of taking away autonomy from young persons,” she added.
- Obtaining parental consent involves a fair degree of friction: Giving the example of Snap, Ganesh explained how the company will have to build a parental consent flow off the platform because parents are usually not Snapchat users. This will introduce a fair degree of friction into the process and also requires additional resources and engineering, Ganesh added.
Recommendation: The 18-year threshold for the age of consent should be removed from the Bill and should be left to the Data Protection Authority to come up with at a later stage after consulting relevant stakeholders, Ganesh recommended.
How to address problems with age verification
Age verification poses privacy concerns: In order to verify age, platforms will have to collect some sort of ID, mostly a government-issued one. This has privacy ramifications because there will be mass collection and retention of these IDs, Ganesh pointed out. This complexity has not been acknowledged by the Bill, Ganesh noted. And even if the age of consent were lowered, the concerns around how age verification will be carried out still remain.
“I do think it’s something that everyone in the ecosystem needs to get together to evolve a solution. […] But there are many things that you can do to try and ensure that people are in fact the age that they’re trying to say.” – Uthara Ganesh
Recommendation: Ganesh recommended that age verification could be carried out by means other than government-issued ID and should be left for subordinate legislation by the DPA. Examples of other methods include:
- Using AI-based tools: Noting that there is no easy solution, Ganesh said that various players in the ecosystem need to come together to see what the resolution might be, but that there are some other options like AI-based tools, which can try to assess whether or not your users are, in fact, a certain age.
- Have checks at every point of the value chain: “So for instance, people buy cell phones, people buy SIM cards, and then download apps on your phone. So perhaps there is a responsibility that you could create for every single person in that value chain in trying to ensure that they’re not having 9-year-olds and 10-year-olds pretending to be 15-year-olds on the platform,” Ganesh recommended.
- Parental verification of age: Another option is parental verification of age, Ganesh said.
- Don’t market to underage users: Platforms can also take preventative measures where they do not market to users who are less than 13 years old, Ganesh noted.
Grounds for processing data without consent are limited
Consent as the only ground for processing is inflexible and unlike GDPR: Noting that consent is pretty much the only ground for processing any kind of personal data, Chaudhari said that this is one of the major compliance burdens. Even though the Bill allows processing without consent for some “reasonable purposes”, these purposes are left for the Data Protection Authority to come up with at a later stage, which is not ideal, Chaudhari added.
“I think this is one of the instances where there is a fairly big sort of gap between how India is thinking about grounds of processing versus what you have in the GDPR, where you have a legitimate interest ground, which can play out and be understood in several different ways like routine processing, direct marketing, network security, fraud detection, it could be a whole bunch of different things that could qualify as legitimate interest and we don’t have that kind of flexibility.” – Nehaa Chaudhari
Recommendation: There should be more grounds for companies to process personal data without consent such as legitimate interests, Chaudhari suggested.
Why the trade secret exception to data portability should not have been removed
Removing trade secret exemption to data portability has unreasonably widened the scope of the provision: Chaudhari strongly objected to the removal of the trade secret exception to data portability, arguing that the provision is now wide enough to cover unreasonable cases. According to an earlier version of the Bill, users have the right to data portability, but fiduciaries could seek exemptions if the data in question contains trade secrets. Chaudhari explained that companies generate three types of data from users:
- information a user gives a platform, for example, a photograph uploaded by a user
- the information generated while the user interacts with a platform, for example, information that’s generated when the user is liking or commenting
- information the platform is generating, for example, scrolling rate, hovering on certain advertisements, etc.
The problem with the data portability provision as it stands is that it is wide enough to encompass all three kinds of data, and the second and third types might fit the criteria of trade secrets, Chaudhari explained. In contrast, the GDPR restricts data portability to the first type of data, which is data that users have themselves provided, Chaudhari added.
“There is a sort of underlying suspicion that I see playing out here if you look at the language that the committee has used to justify this change. […] I don’t know where that deep distrust or deep suspicion is coming from because this is a question that the Srikrishna committee also examined in sufficient detail and very specifically noted in its report, not just in the text of the Bill, that you had the exception for trade secrets.” – Nehaa Chaudhari
Recommendation: Narrow the grounds for users’ right to data portability to reflect the GDPR standard, or retain the exception for trade secrets and define the criteria for the same, Chaudhari suggested.
Do the data breach guidelines go far enough?
Data breach guidelines welcome, but not up to global standards: Speaking on the new data breach guidelines incorporated in the Bill, Tewari said that they are better than the current legal provisions in India but still not up to global standards, where there are shorter timelines for notifying customers.
“Despite all of the data breaches that have taken place and inquiries that have been initiated both by the RBI and CERT, there still hasn’t been a time where a data breach has been properly fined. So it’s very clear that even though provisions do exist under certain CERT rules, they aren’t really like working in practice.” – Udbhav Tewari
Recommendation: Consumers should be told that they were involved in a data breach both in shorter timelines and without the intermediation of the DPA, unless there is a compelling reason otherwise, Tewari recommended. The penalty should be determined on a case-by-case basis by taking into account the extent of harm, size of the company, etc., Chaudhari added.
Is the inclusion of psychological manipulation under the definition of harm necessary?
Loaded term that could even cover advertisements: Under the definition of harm, the Bill now includes “psychological manipulation which impairs the autonomy of the individual.” Tewari explained that “psychological manipulation” is a loaded term if you take the dictionary meaning.
“Imagine you browsed a social media platform for one hour a day for a year, and at the end of it, you were radicalised. To what extent is the platform responsible for that and what role does the term psychological harm play there?” – Udbhav Tewari
“This definition of harm could effectively mean all advertisements. […] And I guess it’s worth saying that not all advertising is bad, medium and small businesses will often use targeted ads to get access to customers. Customers sometimes would prefer potentially relevant ads or non-relevant ones as well. […] Pessimistic lawyers could interpret this to mean all advertising.” – Uthara Ganesh
Recommendation: The psychological harm definition must be removed from the Bill and left for the DPA to come up with later. The DPA should define it more narrowly to address issues like dark patterns and consent, Tewari suggested.
Should social media platforms be classified as publishers?
In its report, the JPC has recommended that all social media platforms which do not act as intermediaries should be treated as publishers and be held accountable for the content they host. Sharing her thoughts on this, Ganesh said:
- Unnecessary as IT Rules address policy objectives: Ganesh found the JPC recommendation unnecessary and ignorant of the fact that we have the IT Rules. These rules, which were notified last February, “required social media companies to make significant changes and also, in a sense, it addressed the policy objectives of keeping content or having safety online,” Ganesh noted.
- Not a good fit in data protection legislation: Ganesh opined that the provision is not a good fit in data protection legislation, and that other international regulations like the GDPR steer clear of it because content regulation is a complex issue in itself.
- There is no proper guidance: Ganesh also pointed out that the IT Rules created a demarcation between social media intermediaries and publishers and have specific rules and guidelines for the two, whereas the Data Protection Bill does not. This creates significant confusion for social media platforms, she said.
“It certainly seemed as if just the broader mood music around tech policy at the time of JPC was having its conversations influenced some of these recommendations.” – Uthara Ganesh, Snap India
Recommendation: Do not introduce provisions concerning content regulation into the Data Protection Bill and either let the IT Rules deal with it or introduce separate regulation after consulting relevant stakeholders, Ganesh recommended.