By Vallari Dronamraju, Fifth Year Law Student, B.A. LL.B. (Hons.), The National University of Advanced Legal Studies, Kochi
The current digital ecosystem is so complex and intricate that neither adults nor children are fully aware of its potential risks and benefits. The fluidity of children’s attitudes, preferences, and identities, coupled with their tender age in decision making, have presented extreme challenges to children’s data security and privacy.
The principles of informational privacy have been salient in the past decade in India, further proved by the case of Justice K.S. Puttaswamy v. Union of India, wherein the right to privacy was included under the ambit of fundamental rights guaranteed under the Constitution. It went on to rule that children’s privacy will require special protection not just in the virtual space but also in the real world. In furtherance of this, although the Personal Data Protection Bill, 2019 (“PDP Bill”) has been thoroughly discussed and dismembered, provisions relating to the protection of children’s data have not been given due attention.
This article will discuss the need for an all-inclusive system under the PDP Bill that deals with delicate children’s data in a way that amplifies the nuances of children’s personal and non-personal data, along with protection from misuse. It will explore the challenges that the PDP Bill puts forth and suggestions for a global governance system in the years to come.
The Personal Data Protection Bill, 2019 and Protection of Children’s Data
Any data that has been de-identified, encrypted, or pseudonymised can be used to recognise an individual. This also falls under the scope of personal data[i]. For children’s personal data, the factors that will influence include informed consent of children, use of their data for marketing purposes and surveillance by state actors, and the right to have data erased or forgotten.
The unexplored areas of Indian privacy laws lie in mitigating information, and security risks, like offences of targeted behavioural profiling, identity theft and intimidation of children in the internet space by misuse of data. At the moment, the Juvenile Justice (Care and Protection) Act, 2015, Information Technology Act, 2000 and few sectoral laws address some aspects related to cybersecurity and its risks. The Indian Personal Data Protection Bill, 2019 (“PDP Bill”) is currently at the final stages of review and examined by the Joint Parliamentary Committee. It aims to protect children’s personal and sensitive data by considering the age of consent below which strict processing/monitoring conditions will apply.
Child safety provisions under Section 16, Chapter IV of the PDP Bill regulates the collection of children’s personal data. It prohibits commercial websites or online services directed at children to profile, track, behaviourally monitor or target advertisements, irrespective of a guardian’s consent. The provisions of this chapter further delve into how and when consent must be provided for handling data and who can provide this consent. The second part of the chapter explains particular types of processing data that will not be permissible for children. The Bill presupposes activities that are harmful to all persons under the age of 18 and provides for a blanket ban from giving consent. However, it fails to distinguish between the right to consent by a 17-year-old and a 13-year-old and offers the same rules for different age groups.
In addition to this, the labour laws in India have allowed children under 14 to work in non-hazardous industries. According to the PDP Bill, the same children cannot sign up for any online job without parental consent. This puts the burden into the hands of the employer (in this case) or the data controller, making them aware of their responsibility. Therefore, living in a time when access to information online has hastened growth in children, a regime strictly providing a benchmark for consent may prove to be regressive.
Further, the PDP Bill requires that data fiduciaries[ii] process the personal data of children in a way that gives protection to a child’s rights. They are to verify the age of the child, after which the consent of the parent is obtained. They are classified as guardian data fiduciaries that operate commercial websites or online services directed at children and are barred from engaging in profiling, tracking, behavioural monitoring of children, or targeted advertising.
Furthermore, the PDP Bill suggests the formation of a Data Protection Authority (“DPA”) that places an obligation on it to offer mechanisms for processing and age verification of children’s personal data. The DPA must strive to prevent the misuse of personal data and ensure compliance with the provisions of this Act. The PDP Bill also suggests that the DPA must promote awareness and understanding of the risks, consequences and rights that come with the protection of personal data amongst data fiduciaries and data principles. These functions include the concerns of children’s data, and the DPA must engage in resolving disputes with their best interests in mind.
In terms of the Non-Personal Data Protection Framework in India, non-personal data is data that is not personally identifiable information, like, data on weather conditions or public infrastructure. This framework at its nascent stages does not protect children’s non-personal data that may include their choice of video games, the information provided to schools and other such institutions, content on online video streaming platforms, social media, and more. As it is unique to India, a system that caters to the needs of a developing economy with an increasing youth population must be worked out, to prevent the misuse of children’s non-personal data.
Other Considerations for Children’s Data Protection System
In contrast to India’s framework, where the age of consent is 18, the US Children’s Online Privacy Protection Act has capped the age of consent at 13 and provided for verifiable parental consent for those who are younger. This law is narrower in its approach and requires mandatory age verification for only those websites that are directed at children.
In addition to this, the European General Data Protection Regulations (“GDPR”) states that children require specific protection concerning personal data. Due to their tender age, they are less aware of the risks and consequences of their internet usage. The GDPR suggests a range of 13 to 16 years, wherein approval is required for children below the age of 13. However, an issue faced here is that children may enter a misguiding year of birth during sign-up, making them vulnerable to internet security risks. Reasonable efforts such as the child’s consent verification, and parents will have to be engaged in the digital presence of children below the age of 16 (age limit as given by the relevant member state) has been suggested.[iii]
Civil society organisations and social media platforms may deploy ‘microtargeting’ to shape children’s beliefs on several issues regarding gender or political participation. The latter may also engage in group data profiling that will reveal characteristics, attributes, and locations of children, resulting in biases and discrimination.
Parents and guardians may override a child’s right to freedom of expression and participation. Under the PDP Bill, there lies uncertainty about whether data privacy restrictions for children are also applicable to state schools or state-run ed-tech interventions, in addition to those in the private sector. Several governments are collecting children’s biometric information for school records, health tracking systems, and national ID, making them susceptible to misuse of data.
According to the Annual Status on Education Report (ASER), 2020, more than 1/3rd of school children are pursuing digital education through online classes or recorded videos. During the pandemic, with school and every other activity taking place online for children, the Edtech sector has undergone several changes. This has brought forward and highlighted the challenges in the provision of personal details to companies and institutions that the child is a member of. For instance, in September 2019, the personal data of 68,000 customers, primarily school children of Vedantu, was compromised. In 2020, a database of around 22 million users of Unacademy with personal information was put for sale on the internet.
Suggestions and The Way Forward
When the world is changing to primary data-run economies, the PDP Bill has successfully included a chapter that protects children’s data rights. For instance, the PDP Bill states that consent from the child’s parents will not be required for counselling or child protection services. However, it needs an overhaul at the emerging stages to include the concerns of data protection for children, specifically in terms of the age of consent.
It is essential to have a threshold-based, graded approach towards the age of consent, considering the maturity levels of different age groups, similar to those defined in the GDPR. It may be burdensome to rely on parents/guardians for consent and this may be against the principles of the Justice SriKrishna Committee Report. Further, age verification for minors could lead to massive data collection, requiring platforms to take and store identity verification data, making it vulnerable to cybersecurity risks.
It is also necessary that the responsibility be shifted to the companies, governments, and the algorithms they use rather than the children themselves in cases of cyberbullying and online abuse. The consequences for failing to do so must be made harsh enough, which can help ensure that the internet is a safe place for children. School curriculums must be equipped with online safety measures, as our relationship with technology is closely tied with our daily lives. Children’s rights must be addressed and integrated into current and future mechanisms through evidence-based research.
Children are naturally more vulnerable than adults and fail to understand the implications of consenting to data collection. Several countries across the globe are rolling out their data protection regimes, ignoring or neglecting concerns surrounding children’s data. A better global data governance regime, along with clear duties, standards, and responsibilities, is critical to determine the data used for innovation and future purposes along with the enforcement of an efficient children’s data protection regime.