By Kinjal Gupta, 5th year student B.A. LLB(Hons.) at Bennett University.
Introduction:
The entire debate around data protection started with the introduction of Personal Data Protection Bill, 2019 (“the Bill”) to deal with the complicated issues of sensitive and personal data. Recently, the government has withdrawn it after three years of legislative deliberations and white paper preparation. Although the Bill received criticism, one major concern remains that there were no specific provisions concerning educational institutions and stringent procedures to deal with children’s data. The questions that arise here are: Is it acceptable for schools to have no policy regarding processing children’s data? Is it permissible to keep and use a child’s data without their consent?
Factual Background:
The Personal Data Protection Bill, 2019was amended in 2021 and named ‘Data Protection Bill, 2021’(“DP Bill 2021”). The amendments were based on recommendations from the Srikrishna Committee Report, the White Paper of the Committee of Experts on a Data Protection Framework for India, and the Joint Committee Report. The DP Bill 2021 is relatively long – it includes regulations concerning personal data, collection of personal data, and the liabilities on data fiduciaries engaged in the collection of data of individuals. Although the legislation is still in the works, there are some loopholes in its practical application. Children below 18 are considered vulnerable; therefore, a high standard of protection is needed. The Bill was withdrawn in 2022 because it was not up to the mark and didn’t accommodate provisions relating to dealing with sensitive personal data. There were 81 proposed amendments and 12 recommendations for a complete legislative framework for the digital economy.
Critical Analysis:
As per the Children’s Online Privacy Protection Act 1998[1] of the USA and the General Data Protection Regulation2016[2](“GDPR”) of the UK, children must be 13 years old to agree to process personal data. The GDPR’s default rule is 16 years which can be reduced further. Meanwhile, in India, one is considered an adult depending on which legislation is referred to—the Indian Contract Act, 1872; the Protection of Children from Sexual Offences Act, 2012; the Hindu Adoptions and Maintenance Act, 1956; and the Juvenile Justice (Care and Protection of Children) Act, 2015, where the age ranges from 16 to 18 years. However, in the discussions concerning the DP Bill 2021, while considering the appropriate age for granting consent to a data controller/fiduciary, it was 18 years – which requires a much more heightened sense of protection[3].
Further, the Joint Committee Report, in Recommendation 38, observed that the personal and sensitive data of children is only to be processed in a manner that protects the children’s rights and is in their best interest. The term ‘best interest’ is subject to unlimited scope. India is a signatory to the UN Convention on the Rights of the Child, which states that safeguarding children’s best interests should guide statutory regulations. Henceforth, one must ensure the highest possible standards for safeguarding and protecting children. Without a clear definition of the term, this is open to different ideas and could be decided based on the situation and the reason for collecting the data.
The recommendations suggest heightened obligations towards children. In this light, the provisions concerning data fiduciaries engaged in collecting personal data of children below 18 include fiduciaries offering services primarily to children and social media services. Barred practices such as behavioral monitoring, tracking, targeted ads, or any processing not in a child’s best interests are prohibited; appropriate age verification mechanisms and parental consent must be taken before any data collection. But this provision doesn’t provide with the course of action when child aged 13 creates an account on Facebook using fake documentation and without any parental consent. How does one safeguard his rights then –simple, one cannot.
In addition, the clauses that mentioned ‘guardian data fiduciaries’ and ‘exempted data fiduciaries’ were earlier amended to include all ‘data fiduciaries’, which meant that while dealing with the data of children, the data processors have to carry out their work with the utmost caution. However, the DP Bill 2021was only applicable to entities incorporated in India or persons who are residents of India. The question that arises here is – what happens when a company engaged in the collection of data of Indians is registered in another jurisdiction? Or where such processing takes place in the cloud? Such questions were not answered and were left for judicial interpretation if needed.
Conclusion:
The future legislation should be more comprehensive and inclusive of vital digital privacy rules that suit current and future concerns. In this view, the numerous laws providing contradictory information on the subject are problematic, and a uniform age for children is essential. In the author’s opinion, this is a matter of desperate attention – since more children, young adults, and adults rely on online education platforms and digital entertainment. A provision must also be included regarding enterprises outside India operating through the cloud. India must buckle down and acknowledge that proper limits are needed to guarantee internet safety and prevent it from being exploited.
However, these are all empty and hollow promises of a better draft. In the author’s opinion, there was no need to discard the DP Bill 2021– the changes suggested were not so prominent. If this happens, how can one develop a better draft in a few months when the previous draft took three years and still failed? The regulation of data and sensitive personal data without any legally binding rules applicable to ensure its protection is inadequate to meet the technological advancements of the present times. There is an urgent need for consistent data protection and privacy legislation to be implemented to ensure that the data of individuals, especially children, is not exploited.
[1] Children’s Online Privacy Protection Act, 15 (1998) Page 6501.
[2] General Data Protection Bill, 679 (2016).
[3]Report of the Joint Committee on the DP Bill, Page 72, 08 December 2021.