By Vrinda Bhandari
Discussions around the Data Protection Bill, 2021 (“DPB”) released by the Joint Parliamentary Committee (“JPC”) in December last year have largely revolved around the exemptions provided to the government, the impact of data localisation provisions, the inclusion of non-personal data, and issues of enforcement and regulatory structure of the Data Protection Authority. In many of these conversations, the DPB’s stipulations regarding the processing of children’s data have been sidestepped. Additionally, many companies believe that they need not concern themselves with the obligations surrounding children’s data, since their services are not targeted towards children. This belief is based on a misunderstanding of the manner in which Clause 16 of the DPB, which relates to children’s data, operates.
Obligations of companies while processing children’s data
Under the DPB, all companies and organisations (i) must verify the age of the child and obtain parental consent before processing any personal data relating to the child; (ii) process such data in a manner that “protects the right of the child”; and (iii) are prohibited from profiling, tracking, engaging in behavioural monitoring of children, direct targeted advertising at children, or undertaking any other processing that can cause “significant harm” to the child.
Earlier versions of the Bill, including the Personal Data Protection Bill, 2019 had introduced a separate category of “guardian data fiduciaries”, regulating those companies operating online services directed at children or which processed large volumes of personal data of children. Such guardian data fiduciaries had to comply with stricter obligations, including the prohibition on profiling mentioned above. Apart from recommending some other changes in Clause 16, the JPC has done away with the separate categorisation of guardian data fiduciaries. Thus, under the DPB, 2021, a single standard applies to all companies, regardless of the nature of services provided.
Age of a ‘child’
While the intent of the JPC may be laudable, the phrasing of Clause 16 raises many concerns and has unintended consequences. The first relates to the definition of “child”. Under the DPA, any person under the age of 18 is defined as a child and is presumed to not have the capacity to consent. This is at variance with the international position, where the age of consent for children is 13 years (USA), 15 years (Australia) or between 13-16 years (Europe). However, as the Covid-19 pandemic has revealed, the internet plays a vital role for teenagers, whether for their academic, entertainment, or other trivial pursuits. By maintaining the age of consent at 18 and requiring parental consent, the DPB is depriving teenagers of their autonomy and privacy, thereby inhibiting their growth and self-expression on the internet. Despite recognising that “from the perspective of the full, autonomous development of the child, the age of 18 may appear too high”, the JPC effectively equates the maturity levels of a toddler with that of a teenager. A graded approach is needed while dealing with the privacy rights of minors.
Parental consent and age verification requirements
The mandatory requirement for parental consent means that in practice, the entire internet will be age-gated. Every organisation will have to verify the age of every user to ascertain whether parental consent is required. This is problematic from both a commercial and privacy point of view. For companies and service providers, especially those not directed at children, it will be expensive and onerous, and in many cases, unnecessary.
Many will choose to implement it either by requiring simple self-declarations (which may undermine the Bill’s intention of protecting children from commercial exploitation of their data) or by requiring users to furnish “hard” identifiers such as Aadhaar, passport etc. (which is contrary to the principles of data minimisation). Unlike the 2019 version where the manner of age verification was to be specified in the regulations, the DPB leaves it to companies to decide, after considering various factors.
Further, requiring children to seek parental consent is not always practical, possible, or advisable, especially for teenagers who may not receive parental support for use of a technology or a service; have easy access to relevant age documents; or whose parents may not be familiar with the digital space.
Does the DPB undermine the privacy of children?
The DPB actually undermines the privacy of children who may wish to access counselling or child protection services. Recognising the importance of confidentiality in such situations, the 2019 version did not require parental consent to access such services. However, the JPC has completely done away with this statutory protection. At a time when mental health and child safety concerns have become paramount, such a dilution is unfortunate.
The absolute prohibition on tracking – a step too far?
The DPB now prohibits all organisations from profiling, tracking, or engaging in behavioural monitoring of the child. What does this mean in practice? Consider a company that offers students practice for competitive exams by providing them with performance-based assessment and periodic online testing. The standard of the next practice test, in this case, will be based on the student’s previous performance. Such performance-oriented assessment, which is cognizant of the learning ability and outcomes, is actually beneficial to a child. However, such an act would be prohibited under the DPB’s expansive definition of “profiling” and the general understanding of “tracking”. Thus, the only option is to provide standardised practice tests to all children, regardless of their ability and previous performance.
In fact, the text of the law technically also prohibits schools from releasing report cards, which, by their very definition, engage in profiling, tracking, and monitoring the behaviour of children. One would hope that the regulator would not adopt such a strict interpretation of the law. Unfortunately, however, the text of the law provides a lot of leeway to the regulator (the Data Protection Authority) and does not expressly limit the applicability of Clause 16 to harmful or automated data processing practices. At the same time, the prohibition against targeted advertising for children is likely to see a spurt in contextual advertising and advertising directed at parents. Interestingly, the DPB goes beyond the Advertising Standard Council of India’s self-regulatory Code, whose guidelines regarding advertising for children defines a child as being under the age of 12 years.
The need to regulate the processing of children’s personal and sensitive personal data is essential. However, the manner in which Clause 16 of the DPB has been formulated has various unintentional consequences and practical concerns. We can only hope that the Parliament addresses some of these issues before it introduces the Data Protection Bill this year.
Vrinda Bhandari is a lawyer practicing in Delhi and specialising in data protection and technology. Views expressed are personal and do not necessarily reflect the views of MediaNama.
- Deep Dive: How India’s Data Protection Bill Will Impact Online Advertising
- Lower Age Of Consent To Allow Children To Benefit From Technology: MP Ritesh Pandey On Data Protection Bill 2021
Have something to add? Subscribe to MediaNama here and post your comment.