Needed, a new approach to data protection for minors

General Studies Paper 2

Context:

• The Digital Personal Data Protection (DPDP) Bill, 2022 provides for mandatory parental consent for all data processing activities by children, defined as any person aged under 18 years.
• Background of data privacy law: Started in 2010 with the constitution of the Justice Srikrishna Committee.

Justice BN Srikrishna Committee Data Protection Report:

• The Committee was constituted by the union government in July 2017, to deliberate on a data protection framework.
• The Supreme Court in its Puttaswamy judgment, 2017: It declared privacy a fundamental right.
• Interests of citizens:The report has emphasized that interests of the citizens and the responsibilities of the state have to be protected, but not at the cost of trade and industry.
• It proposed a draft Personal Data Protection Bill.

New Data Protection Bill:

• Inclusion of the word “digital” in the Bill’s title speaks to India’s long-standing goal of being a digitally forward society.
• Bill has two major stakeholders:
• Data Principal
• Data Fiduciary.
• Data Principal: It refers to the subject whose data is being processed
• Data Fiduciary: It is an entity that processes this data.
• fiduciary” whilst referring to a data processor is significant.
• The relationship between the two is guided by:
• Trust, assurance and good faith.
• Data Fiduciary: It is responsible for safeguarding the interests of Data Principals.
• Bill describes:
• The obligations of the Data Fiduciaries towards Data Principals
• The rights and duties of the latter
• Regulatory framework through which data will be processed.
• Bill lists the “duties” of the Data Principals: these have no bearing on the realization of the rights provided by the Bill.

Important aspects of bill:

• In addition to the general obligations to prevent the misuse of the personal data of individuals
• The Bill has outlined a category of Significant Data Fiduciaries entities: that are required to comply with additional measures to safeguard the personal data of individuals.
• Only companies that process vast amounts of data or have a potential impact on the country’s sovereignty and integrity need to take such stringent measures.
• Such measures reduce the compliance cost of companies that are at a nascent stage.
• Data localisation” in the previous versions of the Bill, have been omitted:The reworked Bill permits the government to notify countries to which data transfers may be permitted.

The gaps in the Bill:

• The Bill relies on parents to grant consent on behalf of the child in all cases.
• In a country with low digital literacy, where parents in fact often rely on their children (who are digital natives)
• This is an ineffective approach to keep children safe online.
• It does not take into account the “best interests of the child”, a standard originating in the Convention on the Rights of the Child, 1989,to which India is a signatory.
• The Bill does not factor in how teenagers use various Internet platforms for self-expression and personal development and how central it is to the experience of adolescents these days.
• Bill does allow the government to provide exemptions in the future from strict parental consent requirements, profiling, tracking prohibitions, etc
• It does not acknowledge the blurring lines between what a platform can be used for.
• For example: Instagram is a social media platform, but is regularly used as an educational and professional development tool by millions of artists around the world.
• Each platform will have to obtain ‘verifiable parental consent’ in the case of minors.
• It can change the nature of the Internet
• It is not possible to tell if the user is a minor without confirming their age, platforms will have to verify the age of every user.
• Risk for citizens: The government will prescribe whether verifiability will be based on ID-proof, or facial recognition, or reference-based verification etc
• All platforms will now have to manage significantly more personal data than before
• Citizens will be at greater risk of harms such as data breaches, identity thefts, etc.

India laws for child Protection;

• Protection of Child Rights Act, 2005
• The Right of Children to Free and Compulsory Education Act, 2009
• Protection of Children from Sexual Offences Act, 2012.

Way Forward

• We need to shift our approach with respect to children’s data before this Bill is brought to Parliament.
• To avoid the folly of treating unequals equally and blocking off access to the Internet for teenagers these steps are needed.
• Move from a blanket ban on tracking, monitoring, etc. and adopt a risk-based approach to platform obligations.
• Platforms should be mandated to undertake a risk assessment for minors and not only perform age-verification-related corresponding obligations
• Design services with default settings and features that protect children from harm.
• This approach will bring in an element of co-regulation, by creating incentives for platforms to design better products for children.
• Relax the age of mandatory parental consent for all services to 13 years in line with many other jurisdictions around the world.
• It will minimize data collection, which is one of the principles that the Bill is built on.
• Experience and deliberations in the United Kingdom, and in the United States (California, New York, etc.) where age appropriate design codes have been introduced. To
• The government should conduct large-scale surveys of both children and parents to find out more about their online habits, digital literacy, preferences and attitudes.
• Design a policy in India that balances the safety and the agency of children online.
• We should not put the onus of keeping our young safe only on parents, but instead it should make it a society-wide obligation.
• Get the data protection framework right as India’s ‘techade’ cannot be realized without its youth.