“We need to put in place practices that protect young individuals but do not curb them from enjoying autonomy in the digital realm,” Swati Sudhakaran, Nazara’s AVP Public Policy & Government Affairs, recommended while detailing the impact of the draft Data Protection Bill, 2021 on gaming companies. Nazara is one of the few publicly-listed gaming companies in India.
Sudhakaran told MediaNama that it will be difficult for a data fiduciary to know that they are dealing with a child as the JPC has deleted the concept of guardian data fiduciaries from its report. Firms will need to build a “separate parental consent flow off the platform” as parents may not engage with the games themselves, she explained.
“The only way to know is by age-gating the whole of the internet, i.e. every individual, having to certify that they are an adult. While the bill does not distinguish between a 17-year-old and a 13-year-old, the age-gating measures deployed will have to.” — Swati Sudhakaran
The proposed changes to the 2019 draft will impact the user interface (UI) of gaming platforms affecting the gaming experience and the player count because the companies will need to offer parents precise information to which they offer their consent, Sudhakaran said.
The Joint Parliamentary Committee’s report on the Personal Data Protection Bill, 2019 was tabled in both houses of the Parliament on December 16, 2021 after two years of deliberations, bringing India one step closer to its first data protection law. The bill’s impact will be wide-ranging across all sectors but this post attempts to outline the impact on gaming companies specifically, with the help of industry stakeholders.
Age gating may lead to consent fatigue
The revised Bill has left the age of consent for processing personal data at 18 years, citing the Contract Act as the basis for this. Data fiduciaries can process a child’s personal data only after verifying their age and obtaining the consent of their parent or guardian, according to the Bill.
Rutuja Pol, Senior Associate, Ikigai Law, said that the age gating may “lead to a significant drop in users below 18 years of age”. The age group of players below 18 constitutes a sizeable chunk of gaming companies’ user base. Ikigai Law is a law firm, with a focus on technology businesses, and has worked with several digital gaming companies.
Pol warned that multiple levels of verification for teenagers, or even adults, is going to potentially hinder business prospects.
“It will be challenging for digital gaming companies to prepare for this since the standards for these [age verification] techniques will come through subsequent regulations. The bigger challenge will be for the digital gaming industry to come together to establish codes of practice which can be endorsed by the regulator.” — Rutuja Pol
Sudhakaran added that some situations in which gaming companies have to take explicit consent could cause consent fatigue and disrupt the gaming experience. “The standards needed for age gating will need to be uniform and in agreement across the gaming industry to ensure that they are recognised by the Data Protection Authority when it is set up,” she said.
The provision will not have any material impact on Mobile Premier League’s (MPL) business, said Dibyojyoti Mainak, the Senior Vice President (Policy and Legal) of the mobile gaming and e-sports platform. “However, this will have a huge impact on free-to-play gaming businesses that rely heavily on the 13-18 age group,” he added.
Several stakeholders had earlier requested that the bill lower the age of consent to either the US standard (13 years) or GDPR standard (13-16 years), but the committee wrote:
“We are aware that from the perspective of the full, autonomous development of the child, the age of 18 may appear too high. However, consistency with the existing legal framework demands this formulation. Were the age of consent for the contract to reduce, a similar amendment may be effected here too.”
JPC member and MP Ritesh Pandey, in his dissent note, stated that the definition of a child should be anyone under the age of 14, so as to allow young users to benefit from innovative technologies without the onus of obtaining consent from their parent/guardian.
Does the Bill impose compliance burden on gaming companies?
Sudhakaran said that the revised Bill will require businesses to “revamp their existing data collection and processing activities into a ‘privacy by design’ concept”.
- Segregation of personal data: “Gaming companies will have to take technical measures to be able to segregate the personal data they collect into Sensitive Personal Data (SPD) and Critical Personal Data (CPD). They may also have to store each category separately, as they will have to comply with different obligations for each category,” she said. Sudhakaran suggested that the grounds for processing personal data should be expanded to include contractual purposes and legitimate business interests as well.
- Data localisation could prove costly: The Bill lays down several barriers for transferring data outside India and has provisions dealing with data localisation. Sudhakaran expressed concern about the cost of complying with data localisation provisions as the gaming industry forges strategic partnerships globally in order to develop a global ecosystem.
- Need clarity on implementation timeline: The JPC report offers companies and businesses 24 months to comply with the Bill once it becomes a law. Mainak affirmed that the JPC’s proposed timeline for implementation is “sufficient”, adding: “This period of two years will allow companies sufficient time to lay out their compliance strategies and put robust systems in place.” He suggested that he does not foresee any disruptions to MPL’s operations as the company has already implemented several data protection measures. Sudhakaran called for further clarity on the compliance timeline, bearing in mind that this is a nascent industry and over regulation can hamper innovation.
- Certification regime is not necessary: The JPC report advised the government to introduce a certification process for digital devices, and set up testing facilities across India to give such certifications given the privacy implications of data collection by hardware devices. The proposal to set up a certification and testing regime to prevent data leakage or threats to national security could lead to the creation of new hardware/software standards, in addition to existing local and global standards, Sudhakaran said. She added that the certification regime is futile and “needs to align with international standards”.
Concerns around algorithmic fairness
The proposed law requires entities to share information on the ‘fairness of algorithm’ with the Data Protection Authority under Clause 23. The recommendation was made in order to ensure transparency of algorithms used by various entities for processing of personal data and to prevent its misuse, as per the JPC report.
What does fairness mean?
Sudhakaran said that it is “unclear what ‘fairness’ means or how much information would be required to be disclosed”. She said that the move can carry implications for the IP rights of a business, especially if the algorithm is interpreted by the DPA to mean algorithmic source code.
She also highlighted that there is no way to figure out if this information will be disclosed only to the DPA or released publicly. “It has the potential to transform the manner in which the company and state regulates algorithms,” she added.
Data portability poses competition risks
Sudhakaran pointed out that the DPB 2021 allows an individual to request companies to transfer their personal data to themselves or to another company.
“The scope of personal data that can be transferred is wide as it includes data generated in the course of providing services to users and any data which forms part of any profile of users. This could include confidential business insights.” — Swati Sudhakaran
The JPC’s recommendation of removing the trade secret exemption for companies to deny data principal’s right to data portability may affect the competitive edge of gaming companies. “Removal of trade secret exemption may compel gaming companies to part with proprietary information which is critical to their business,” Sudhakaran cautioned.
Mainak revealed that MPL had no objections to the recommendation on algorithm fairness. “We will need clarity on how this will be implemented,” he said.
Inclusion of non-personal data affects regulatory clarity
The committee recommended that the legal framework on non-personal data must be a part of the Data Protection Act instead of any separate legislation. It also said that both personal and non-personal data will be regulated by one Data Protection Authority (DPA) to avoid confusion and mismanagement. The committee wrote that the government can draft separate provisions on non-personal data and include them in the Data Protection Act, as soon as they are finalised.
The JPC observed that it is not possible to differentiate between personal or non-personal data at any stage. It also revealed that “it is actually simpler to enact a single law and a single regulator to oversee all the data that originates from any data principal and is in the custody of any data fiduciary” as it will restrict grey areas in terms of anonymisation and re-identification.
‘May affect regulatory clarity’
Sudhakaran noted that clubbing both personal and non-personal data under the DPB 2021 within a short timeframe may not help achieve regulatory clarity.
“Non-personal data cannot affect privacy because an individual cannot be identified through the data. If an individual cannot be identified, her privacy cannot be affected. The only way this could happen was if the protocols for anonymisation are not strong enough thereby enabling re-identification,” Sudhakaran retorted in response to reasons offered by the JPC.
She stressed that the bill criminalises reidentification in Clause 82. “It is crucial to note that this is the only criminal offence in the entire bill showing how seriously everyone takes this issue,” Sudhakaran pointed out.
‘Expanded scope of DPB 2021 stands out’
Mainak said that the expanded scope of the bill stands out on account of including non-personal data under its ambit. “We expect the government to provide clear regulatory guidance in this regard to enable companies to build effective systems,” he said.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
What will be the future of gaming in India?
Do you want to keep track of real money gaming and gambling regulation in India but don’t have the time? Relying on scattered content from across the web makes it feel harder than it needs to be.
Subscribe to MediaNama and get crisp, timely updates on tech policy developments in India and across the world.
- Deep Dive: How India’s Data Protection Bill will impact online advertising
- IT minister confirms there are no plans to replace data protection bill with new draft: Report
- Deep Dive: How India’s Data Protection Bill impacts Social Media Platforms
Have something to add? Subscribe to MediaNama here and post your comment.