Children’s Data under The Digital Personal Data Protection Bill, 2022

Is the bill the way forward to ensure data protection for your little ones?

With over 760 million active internet users and a prediction that this number will rise to 1.2 billion shortly, India is among the highest consumers and producers of data per capita in the world. The core of this rapidly developing ecosystem of digital services and products is data – more specifically, personal data. While the growth is positive, protecting the rights of the data principals who contribute to the digital economy is fundamental to ensuring that it advances on the right course.

The Ministry of Electronics and Information Technology (“MeitY”) of the Government of India recently released the draft of the Digital Personal Data Protection Bill, 2022 (“DPDP Bill, 2022”), which seeks to replace the earlier Personal Data Protection Bill, 2019 (“PDP Bill”) and is currently subject to public consultations. One of the stated objectives of the DPDP Bill, 2022, is to provide for the processing of digital personal data in a manner that balances the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters incidental thereto. The DPDP Bill, 2022, has been drafted based on the following principles:

| Sl. No. | Principles of Personal Data | Explanation |
|---|---|---|
| 1. | Lawful, fair, and transparent | Organisations must use personal data in a manner that is lawful, transparent, and fair to the individuals concerned. |
| 2. | Purpose Limitation | Personal information/data should be used for the purposes for which it was collected. |
| 3. | Data Minimisation | Only those items of personal data that are needed to attain a specific purpose should be collected. |
| 4. | Accuracy | A reasonable effort should be made to ensure that the individual’s personal data is correct. |
| 5. | Storage Limitation | The amount of time that personal data is stored should be limited to such duration as is necessary for the stated purpose for which the personal data was obtained. |
| 6. | Safeguards | To ensure that there is no unauthorised collection or processing of personal data, reasonable precautions should be undertaken. This is done to prevent personal data breaches. |
| 7. | Accountability | The person who selects the purpose and manner of processing personal data should be held responsible for such processing. |

With the growth in digitisation, privacy risks are also increasing exponentially. Even among those at risk, children are amongst the most vulnerable set of individuals, and therefore it becomes pertinent to protect children’s privacy rights. The DPDP Bill, 2022 has added certain obligations and corresponding penalties with respect to the processing of children’s data.

This note discusses 4 (four) conceptual points regarding children’s data:

  1. Definition of a child as per the DPDP Bill, 2022
  2. Obligations of a fiduciary in relation to processing personal data of children
  3. Comparison of the DPDP Bill, 2022 and PDP Bill, 2019 with respect to processing of personal data of children
  4. Penalty in case of non-fulfilment of additional obligations in relation to children

 

(1) Definition of a ‘child’ as per the DPDP Bill, 2022

The DPDP Bill, 2022, defines a ‘child’ as an individual who has not completed 18 (eighteen) years of age. Personal data of children means any data about a child who is identifiable by or in relation to such data. It could include their name, residential address, health, disability status, etc.

The threshold of 18 (eighteen) years is in consonance with the Indian Majority Act, 1875; Indian Contract Act, 1872; Juvenile Justice (Care and Protection of Children) Act, 2015 and Protection of Children from Sexual Offences Act, 2012. However, global standards differ. As per Article 8 of the General Data Protection Regulation (“GDPR”), the personal data of a child can be processed where the child is at least 16 (sixteen) years of age. In the US, as per the Children’s Online Protection Act, 1998 (“COPPA”), a child is defined as an individual under the age of 13 (thirteen) years. In a world where children from a very young age have access to the internet, this brings back to the fore the debate on the age of majority.

Some of the competing considerations are as follows:

  1. Business needs: Placing a complete bar on businesses from being able to process children’s personal data will likely be seen as a restriction on companies’ ability to do business, particularly those that are targeted at children. In addition, while the DPDP Bill, 2022 does make reference to possible exceptions to this age threshold, it does not clarify what these exceptions are and leaves them to the ambit of delegated legislation. This creates even more ambiguity for businesses, particularly those targeted at children.
  2. High threshold: As stated above, the age of consent in the US is 13 (thirteen) years as determined by the COPPA. The COPPA provides safeguards for children’s privacy while allowing children of 13 (thirteen) years and above to consent to the processing of their data. Similarly, as per the GDPR, the threshold has been set to 16 (sixteen) years to process data. It is to be noted that the countries adopting the GDPR mandated by the EU can reduce the threshold to 13 (thirteen) years as per their national laws. Seemingly, these jurisdictions recognise that (a) the consent of a young child cannot be equated with that of a teenager, (b) children and teenagers may benefit from their usage of the internet, and (c) requiring parental consent in every situation may not be practicable. Having a high threshold of 18 (eighteen) years (like in India) means excluding approximately 41% of the population, which may have the unintended consequence of inhibiting the growth of their overall personality.

(2) Obligations of a fiduciary in relation to processing personal data of children

A data fiduciary is a person or an organization which decides the purpose and means of processing an individual’s personal data. Apart from their obligations towards data subjects (i.e., any living individual whose personal data is collected or processed by an individual/organization), they are also required to undertake certain additional obligations with respect to personal data of children. These are as follows:

  1. Obtain verifiable parental consent: It is mandatory to obtain verifiable parental consent before processing any personal data of a child.
  2. No behavioural tracking or targeted advertising: Tracking or behavioural monitoring of children or targeted advertising directed at children shall not be undertaken.
  3. No harm to children: No person or entity is permitted to process personal data that is likely to cause harm to a child. The DPDP Bill, 2022, defines ‘harm’ as any bodily harm, harassment, distortion, or theft of identity, and/or prevention of lawful gain or causation of significant loss.

The processing of a child’s personal data for any purposes that may be prescribed shall be exempted from the provisions on (a) obtaining verifiable parental consent and (b) behavioural tracking/targeted advertising. As highlighted in the above section, this poses challenges to businesses that are targeted at children, because it is not clear to what extent they can process such data until these exceptions are carved out properly.

(3) Difference between the DPDP Bill, 2022 and PDP Bill, 2019 with respect to processing of personal data of children

Firstly, the DPDP Bill, 2022 in Clause 10 (1) has stated that ‘verifiable parental consent’ must be obtained. However, the PDP Bill, 2019 did not provide for any verification of parental consent.

Secondly, as per Clause 2(10) of the DPDP Bill, 2022, the definition of harm to a child has been narrowed down. The PDP Bill, 2019 in Clause 3(20) included harm as: blackmail, extortion, discriminatory treatment, loss of reputation, loss of employment, any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed, any observation or surveillance that is not reasonably expected by the data principal, etc. However, these are no longer included in the DPDP Bill, 2022.

Lastly, as per Clause 10 (3) of the DPDP Bill, 2022, all data fiduciaries are barred from monitoring the activities of children. However, Clause 16 (5) of the PDP Bill, 2019 stated that only guardian data fiduciaries (i.e., data fiduciaries operating commercial websites or online services directed at children or processing large volumes of personal data of children) were barred from monitoring the activities of children. An example of such a site is Facebook Messenger Kids.

On the whole, as we will highlight below as well, while the DPDP Bill, 2022 is a step towards protecting children’s data, it continues to suffer from certain lacunae as well.

(4) Penalty in case of non-fulfilment of additional obligations in relation to children

Failure to comply with additional obligations in relation to processing children’s data may attract a fine up to INR 200,00,00,000 (Rupees two hundred crores) on the data fiduciary.

(5) Analysis: A mixed bag of proposals with regard to children’s data

Although the DPDP Bill, 2022 has widened the scope of protection of children by barring all data fiduciaries from tracking or behaviourally monitoring children (as against barring only guardian data fiduciaries), there are still concerns relating to the DPDP Bill. One, it remains ambiguous how websites will verify the actual parents’ consent. Two, it has narrowed the definition of harm to children, which reduces the protections provided to them.

Children require specific protection when their data is collected and processed, as they may not be aware of the risks involved. Processing of children’s personal data should be focussed on adhering to the principle of fairness. When an individual or entity utilises a child’s personal information to conduct marketing campaigns or to develop profiles, the child should be given extra protection. By safeguarding and regulating children’s data, a very secure environment is established both online and offline. The DPDP Bill, 2022, is definitely a positive move, but it needs to be more extensive in terms of personal data of children. The policy makers need to provide more clarity with respect to the ambiguities present in the term ‘verifiable parental consent’ and should also list out the exceptions properly with respect to the obligations mentioned above.

 

The Author would like to thank Amrut Joshi (Founder, GameChanger Law Advisors) and Saket Rachakonda (Associate, GameChanger Law Advisors) for their inputs.

Disclaimer: This post has been prepared for informational purposes only. The information and/or observations contained in this post do not constitute legal advice and should not be acted upon in any specific situation without seeking proper legal advice from a practicing attorney.
