India’s latest version of the Digital Personal Data Protection (DPDP) Bill limits children’s access to the internet by defining a child as “an individual who has not completed eighteen years of age.” In doing so, it stays true to the 2022 version of the bill, which was criticized for treating all individuals below 18 the same. It fails to account for the suggestions experts made on the 2022 data protection bill, when they urged a graded approach in which those between the ages of 13 and 16 are treated differently from those below 13 years of age.
Speaking about this at a MediaNama event last year, media professor at the London School of Economics Sonia Livingstone pointed out, “we begin with the idea that children have rights in the digital world and then we see the need for protection, we need some tailored regulation.” However, instead of tailored regulation for specific age groups, the bill clubs everyone from the age of 0-17 under the umbrella of “children”.
Why is there a need to change the definition of a child?
Picture this: you are a 17-year-old trying to research which colleges to apply to on the internet. You want to look at a website like Collegedunia, but to do so you have to get your parents’ approval. And you do not get that approval just once: if you don’t find anything on Collegedunia and have to look at another website, say Career360, you will yet again have to call a parent to give consent. This is effectively what the internet browsing experience would be for teenagers under the current iteration of the bill.
Pointing out the issues with the 2022 iteration of the bill, the Software Freedom Law Centre had said, “There is a need to provide agency to children over different types of data at different ages to ensure their right to privacy and dignity are protected.” Besides, it could also lead to discrimination between male and female children, said Aparajita Bharti, co-founder of Young Leaders for Active Citizenship and The Quantum Hub, speaking at a MediaNama event last year. “I don’t think we have taken into account the kind of society we live in,” she said, adding that for example, if a boy goes to his parents and says that he wants to make an account on a social media vs when a girl asks for the same, “the girl is likely to face more resistance.”
Explaining how digital literacy needs to be factored into the arguments surrounding parental consent, she further pointed out, “Many times, parents learn from their children how to use the internet as of today. So are parents able to make those decisions [of which website to access and which to avoid] for their children?”
How should websites get the consent of parents/guardians?
Both the current version of the bill and its 2022 iteration require online platforms to obtain “verifiable parental consent” before processing the data of a child. This, experts believe, could mean anything from the use of facial recognition software to the submission of government documents (like Aadhaar) or even a combination of the two. But this verifiable consent leads to its own share of problems.
What one needs to understand here is that to find out who is a child and who isn’t, everyone would have to verify their age, leading to an unnecessary amount of public surveillance. Highlighting similar concerns in California’s Age-Appropriate Design Code, Evan Greer of Fight for the Future had said that age verification requirements make it nearly impossible to use online services anonymously, threatening the freedom of expression of human rights activists, whistleblowers, journalists, etc.
Discussing the issue of verifiable parental consent, Nikhil Pahwa says, “Every site/app used by Indians will have to do age verification/verify parental consent. See 9(1) Co’s/categories who want to be exempt will have to be whitelisted by Indian govt. 9(4), 9(5)”
How does the bill protect children from harm?
The bill states that websites and online platforms are not supposed to process any children’s data that is likely to have “any detrimental effect on the well-being of a child”. Because the bill does not define a specific set of actions that would constitute this detrimental effect, the definition can be adjusted on a case-by-case basis. So everything from bodily harm to bullying and discrimination would fall under the scope of detrimental effect, and parents and guardians would be able to hold online platforms accountable for any harm their data collection activities may cause a child.
This version of the data protection bill notably lacks the term “harm” which was previously used to limit the scope of processing of children’s data. Earlier versions of the bill had been critiqued for the limited scope of harm (specifically: bodily harm, distortion or theft of identity, harassment, and prevention of lawful gain or causation of significant loss) that subsequently narrowed the scope of legal safeguards for children browsing the internet.
International regulations, such as the UK Data Protection Act, also factor in how children’s data is used by online platforms. But instead of labeling the harms, the UK uses the “best interests of a child” as the way to approach regulation. Livingstone explained that the Act requires an online platform that is likely to be used by a child to prioritize the best interests of a child and must not profile them or nudge them to act in ways that go against these interests.
Preventing the tracking of children’s behavior:
- What does the bill say on tracking: The bill prevents websites from tracking or practicing behavioral monitoring of children. Think of it this way, remember that one time you looked at a bag on Myntra, and now it pops up as an ad on your social media accounts? If you were a child, Myntra wouldn’t be able to send such ads to you.
- Is tracking always a bad thing? Certain websites, like the ones meant for academic purposes, can actually perform their functions better if they track the user. For instance, websites that offer performance-based assessments and periodic online testing for competitive exams could benefit from tracking students’ data by giving them tests that cater to their specific needs. By not allowing websites to track this data, the bill can end up discouraging companies from creating online services meant specifically for children.
- How does the bill tackle this issue? To solve this issue, the bill allows exemptions for certain websites. It says that if the central government believes that certain online platforms are processing data in a “verifiably safe manner” it can exempt them from seeking parental consent and also allow them to track children in a certain age group.
- What happens when companies fail to meet these requirements? Failure to meet any of the obligations towards children’s data can result in a fine of up to Rs.200 crore.
Note: The headline was changed on August 3 at 5:08 PM for clarity.
Note: The story was edited on August 21 at 4:52 to correct a typographical error.