PDPB and children’s data privacy in India
Children account for one-third of the global internet user base. In the eyes of the law, a child’s “consent” has often been insufficient. I am sure you have seen that most Indian websites do not consider a user’s age while asking for consent for their services. Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 requires body corporates to put up privacy policies for the collection and disclosure of personal information. As of now, there is no legislation covering children’s data privacy online, but the Personal Data Protection Bill (PDPB) may turn the tables.
Processing of personal data and sensitive personal data of children
Section 3(8) of the bill defines a child as a person who is below 18 years of age. Chapter IV of the bill focuses solely on children, the processing of their data, and their rights. Before the bill took shape, the Justice Srikrishna Committee mentioned in its report that differential treatment and increased rights are required as children are unable to justify their actions and are excessively vulnerable. I believe that the bill incorporates this opinion very diligently in the fourth chapter.
Section 16 mentions that a data fiduciary must keep children’s best interests in mind and take all possible precautions to protect their rights. It also requires data fiduciaries to perform age verification and to obtain consent from parents/guardians. As of now, parental consent must be in line with the requirements of Section 11. Many social media platforms set their minimum age requirement at 13 years, and the bill is a good reminder that their practices may soon become invalid.
Responsibility of the Data Protection Authority
Under Section 50(6)(h), the bill places an obligation on the Data Protection Authority to suggest mechanisms for age verification and processing of personal data of children. At this point, it becomes necessary to understand how the UK’s Age Appropriate Design Code and the Children’s Online Privacy Protection Act of 1998 (US) require and regulate parental consent. The Indian DPA, whenever it comes into existence, must consider best practices from across the globe and explore their implementation in the Indian context. As per Section 16(3), it should consider the following factors while drafting a regulation:
- The volume of personal data being processed
- The proportion of personal data belonging to children
- Whether the processing of such data harms a child
- Other factors, as prescribed
Section 16(5) designates entities that operate children-centric commercial websites or process large volumes of personal data of children as guardian data fiduciaries. The bill bars such data fiduciaries from profiling, tracking, or behaviourally monitoring children, and from directing targeted advertising at them. It also prohibits guardian data fiduciaries from undertaking any processing activity that can cause significant harm to children. For data fiduciaries offering counselling or child protection services, the bill contains specific provisions under which they are not bound to take consent from a child’s parents.
Penalties
The bill imposes deterrent penalties for contraventions related to Chapter IV. For an entity, the maximum penalty can be ₹15 crores or 4% of global turnover, whichever is higher. The GDPR prescribes similar penalties to ensure that this issue is not taken lightly by covered entities.
Ending notes
The enactment of this bill will introduce new compliance requirements for existing companies. Many business owners would believe that it will increase their compliance costs. I think this is a necessary step to protect the privacy of children online. We need global efforts to ensure a safer cyberspace for children. The bill’s implementation must not be lacklustre or remain unregulated. It is also pertinent to note that the title of Chapter IV mentions “sensitive personal data”, but Section 16 does not. Therefore, I believe the bill’s existing version lacks an explicit mention of restrictions on the sensitive personal data of children. Further, the restrictions for guardian data fiduciaries are far narrower in scope than those for significant data fiduciaries. Ideally, this should not be the case, as guardian data fiduciaries will be processing children’s data on a large scale.