General Studies Paper 2
- The Digital Personal Data Protection (DPDP) Bill, 2022 provides for mandatory parental consent for all data processing activities by children, defined as any person aged under 18 years.
- Background of data privacy law: Started in 2010 with the constitution of the Justice Srikrishna Committee.
Justice BN Srikrishna Committee Data Protection Report:
- The Committee was constituted by the union government in July 2017, to deliberate on a data protection framework.
- The Supreme Court in its Puttaswamy judgment, 2017: It declared privacy a fundamental right.
- Interests of citizens:The report has emphasized that interests of the citizens and the responsibilities of the state have to be protected, but not at the cost of trade and industry.
- It proposed a draft Personal Data Protection Bill.
New Data Protection Bill:
- Inclusion of the word “digital” in the Bill’s title speaks to India’s long-standing goal of being a digitally forward society.
- Bill has two major stakeholders:
- Data Principal
- Data Fiduciary.
- Data Principal: It refers to the subject whose data is being processed
- Data Fiduciary: It is an entity that processes this data.
- fiduciary” whilst referring to a data processor is significant.
- The relationship between the two is guided by:
- Trust, assurance and good faith.
- Data Fiduciary: It is responsible for safeguarding the interests of Data Principals.
- Bill describes:
- The obligations of the Data Fiduciaries towards Data Principals
- The rights and duties of the latter
- Regulatory framework through which data will be processed.
- Bill lists the “duties” of the Data Principals: these have no bearing on the realization of the rights provided by the Bill.
Important aspects of bill:
- In addition to the general obligations to prevent the misuse of the personal data of individuals
- The Bill has outlined a category of Significant Data Fiduciaries entities: that are required to comply with additional measures to safeguard the personal data of individuals.
- Only companies that process vast amounts of data or have a potential impact on the country’s sovereignty and integrity need to take such stringent measures.
- Such measures reduce the compliance cost of companies that are at a nascent stage.
- Data localisation” in the previous versions of the Bill, have been omitted:The reworked Bill permits the government to notify countries to which data transfers may be permitted.
The gaps in the Bill:
- The Bill relies on parents to grant consent on behalf of the child in all cases.
- In a country with low digital literacy, where parents in fact often rely on their children (who are digital natives)
- This is an ineffective approach to keep children safe online.
- It does not take into account the “best interests of the child”, a standard originating in the Convention on the Rights of the Child, 1989,to which India is a signatory.
- The Bill does not factor in how teenagers use various Internet platforms for self-expression and personal development and how central it is to the experience of adolescents these days.
- Bill does allow the government to provide exemptions in the future from strict parental consent requirements, profiling, tracking prohibitions, etc
- It does not acknowledge the blurring lines between what a platform can be used for.
- For example: Instagram is a social media platform, but is regularly used as an educational and professional development tool by millions of artists around the world.
- Each platform will have to obtain ‘verifiable parental consent’ in the case of minors.
- It can change the nature of the Internet
- It is not possible to tell if the user is a minor without confirming their age, platforms will have to verify the age of every user.
- Risk for citizens: The government will prescribe whether verifiability will be based on ID-proof, or facial recognition, or reference-based verification etc
- All platforms will now have to manage significantly more personal data than before
- Citizens will be at greater risk of harms such as data breaches, identity thefts, etc.
India laws for child Protection;
- Protection of Child Rights Act, 2005
- The Right of Children to Free and Compulsory Education Act, 2009
- Protection of Children from Sexual Offences Act, 2012.
- We need to shift our approach with respect to children’s data before this Bill is brought to Parliament.
- To avoid the folly of treating unequals equally and blocking off access to the Internet for teenagers these steps are needed.
- Move from a blanket ban on tracking, monitoring, etc. and adopt a risk-based approach to platform obligations.
- Platforms should be mandated to undertake a risk assessment for minors and not only perform age-verification-related corresponding obligations
- Design services with default settings and features that protect children from harm.
- This approach will bring in an element of co-regulation, by creating incentives for platforms to design better products for children.
- Relax the age of mandatory parental consent for all services to 13 years in line with many other jurisdictions around the world.
- It will minimize data collection, which is one of the principles that the Bill is built on.
- Experience and deliberations in the United Kingdom, and in the United States (California, New York, etc.) where age appropriate design codes have been introduced. To
- The government should conduct large-scale surveys of both children and parents to find out more about their online habits, digital literacy, preferences and attitudes.
- Design a policy in India that balances the safety and the agency of children online.
- We should not put the onus of keeping our young safe only on parents, but instead it should make it a society-wide obligation.
- Get the data protection framework right as India’s ‘techade’ cannot be realized without its youth.