The Data Protection Bill 2021 presented by the Joint Parliamentary Committee (JPC) has stated that data fiduciaries can process a child’s personal data only after verifying their age and obtaining the consent of their parent or guardian. Data fiduciaries are further barred from carrying out certain activities using children’s data.
Age of consent remains at 18
Multiple stakeholders had requested that the bill lower the age of consent to either the US standard (13 years) or GDPR standard (13-16 years), but the committee decided to leave the age of consent at 18 citing the Contract Act as the basis for this. “We are aware that from the perspective of the full, autonomous development of the child, the age of 18 may appear too high. However, consistency with the existing legal framework demands this formulation. Were the age of consent for the contract to reduce, a similar amendment may be effected here too,” the committee wrote.
Companies must protect child’s rights, age verification, and consent from parent or guardian required
“Every data fiduciary shall process personal data of a child in such manner that protects the rights of the child” and “the data fiduciary shall, before processing of any personal data of a child, verify his age and obtain the consent of his parent or guardian, in such manner as may be specified by regulations,” the Bill stated.
- Earlier draft: The Personal Data Protection (PDP) Bill 2019 stated: “Every data fiduciary shall process personal data of a child in such manner that protects the rights of, and is in the best interests of, the child.”
- Reason for change: The committee decided to remove the phrase “and is in the best interests of, the child,” because it felt “such qualifying phrases may dilute the purpose of the provision and give a leeway to the data fiduciary for manipulation.” The concept of the best interests of the child comes from the United Nations Convention on the Rights of the Child, but jurisprudence around this is still developing. The UK, for example, does not specifically reference this in its data protection rules but says that it is something that the Commissioner will take into account when considering compliance.
What companies dealing with children’s data cannot do?
“The data fiduciary shall be barred from profiling, tracking, or behavioural monitoring of, or targeted advertising directed at children and undertaking any other processing of personal data that can cause significant harm to the child,” the Bill stated.
However, this provision shall apply in a modified form, which the Data Protection Authority will specify, for data fiduciaries offering counselling or child protection services to a child, the Bill added.
According to the Bill, “harm” includes:
- bodily or mental injury
- loss, distortion or theft of identity
- financial loss or loss of property
- loss of reputation or humiliation
- loss of employment
- any discriminatory treatment
- any subjection to blackmail or extortion
- any denial or withdrawal of a service, benefit or goods resulting from an evaluative decision about the data principal
- any restriction placed or suffered directly or indirectly on speech, movement or any other action arising out of a fear of being observed or surveilled
- any observation or surveillance that is not reasonably expected by the data principal
- psychological manipulation which impairs the autonomy of the individual
- such other harm as may be prescribed
“Signifiant harm” is further defined as harm that has an “aggravated effect having regard to the nature of the personal data being processed, the impact, continuity, persistence or irreversibility of the harm.”
- Earlier draft: Previously, the above provision only applied to guardian data fiduciaries and did not include the last two classifications under harm: psychological manipulation and any such other harm as may be prescribed.
- Reason for change: The committee found felt that the term “harm” needed to be widened considering its wide impact and “unrestricted horizon of interpretation.” Therefore, psychological manipulation has been included and an enabling sub-clause as well.
Concept of guardian data fiduciary removed
The concept of guardian data fiduciaries is absent in the Data Protection Bill 2021.
- Earlier draft: The PDP Bill 2019 stated that a data fiduciary will be classified as guardian data fiduciary if they:
- operate commercial websites or online services directed at children; or
- process large volumes of personal data of children.
- Reason for change: The committee explained that there is no advantage in creating a separate class of data fiduciary known as guardian data fiduciary and that “the concept of guardian data fiduciary may lead to circumvention and dilution of law.” The committee also observed that even those who are not guardian data fiduciaries have to be compliant with the rules concerning the personal data of children and so an exclusionary clause cannot be given. This thinking is in line with what several experts thought of the draft Bill. For instance, Rahul Narayan, an independent lawyer, pointed out in a MediaNama conference that if only GDFs are prohibited from profiling children using data, does this mean anyone who isn’t a GDF is allowed.
Consent for platforms providing exclusive counselling or child protection services
No exceptions for counselling or child protection services in the current draft. Instead, the Bill leaves it for the Data Protection Authority to specify modified regulations for data fiduciaries offering counselling or child protection services to a child.
- Earlier draft: A guardian data fiduciary providing exclusive counselling or child protection services to a child is not required to obtain the consent of the parent or guardian of the child.
- Reason for change: Not provided.
Age verification mechanism
The Bill does not provide a specific mechanism for verifying the child’s age, but says that any manner of verification must take into consideration:
- The volume of personal data processed
- The proportion of such personal data likely to be that of child
- The possibility of harm to the child arising out of the processing of personal data
- Such other factors as may be prescribed
What happens when a child attains the age of majority?
Upon noticing that there is no consent option available to the child with respect to their personal data when they attain the age of majority, the JPC recommended that consent options may be included as rules to be framed by DPA rather than an amendment in the Bill. The committee suggested the following may be incorporated in the rules:
- Data fiduciaries or data processors dealing exclusively with children’s data must register themselves with the Data Protection Authority
- With respect to any contract that may exist between a data fiduciary or data processor and a data principal who is a child, the provisions of the Majority Act will apply when he/she attains the age of 18 years
- Three months before a child attains the age of majority, the data fiduciary should inform the child for re-consent on the date of attaining the age of majority
- Whatever services the person was getting will continue unless and until the person is either opting out of that or giving a fresh consent so that there is no discontinuity in the services being offered.
What are some key issues concerning the rules for children’s data?
- Age-gating is required regardless of what your platform provides: Speaking at a MediaNama discussion held in December 2020, Sreenidhi Srinivasan of Ikigai Law said that websites that are not necessarily geared towards children, for instance about wars or world history or even MediaNama.com, would have to have age-gating mechanisms in place. “I’m not sure if you will require sophisticated, complex age-gating tools, but you will need something regardless,” she said. “It’s hard to do this in any foolproof manner without collecting more information, such as an Aadhaar-OTP, for instance,” she added
- Education and edtech businesses will be disproportionately affected: Speaking on edtech companies, Rajiv Chilaka, CEO of Green Gold Animation, admitted that their business model depends on their ability to track the progress of a child. Adding to this, Rahul Narayan, an independent lawyer, said there has to be a distinction between schooling and other activities. We have this one umbrella legislation that covers both education and non-educational institutions, which is not a particularly smart way to go about it, Narayan said. Instead, he argued for an activity-based approach to regulation: for instance, edtech companies or schools could be allowed to process children’s data, provided they adhere to higher standards than other institutions
- Will impact how child welfare communities work: Siddharth Pillai of Aarambh India commented that the current prohibitions will impact and complicate how child welfare committees (CWC) and NGOs work. He explained that CWCs, despite being a government body, work closely with NGOs on a regular basis. They often share children’s data with NGOs, which in turn use their resources to reach out to the children and help them.
- May take away agency from the child: Speaking at another MediaNama discussion, Aparajita Bharti, co-founder of Young Leaders for Active Citizenship, said that allowing parents to take decisions on behalf of their kids may also take away agency from a child — “many of the children who we work with, are struggling with their sexual orientation, and have started exploring it around the age of 15 or 16, and they may not want their parents to know about it right away.”
- May affect girl children more: Adding to what Bharti said, Pallavi Bedi, Senior Policy Officer at the Centre for Internet and Society commented that this problem can compound for girls, especially for those in homes which just have one smartphone. “A girl child in that household may have less access to that phone. When you’re depending on a parent giving consent in a patriarchal society like India, it will have an impact on the privacy of women,” Bedi added
Get our white paper on the Data Protection Bill 2021 in your inboxWe may also reach out occasionally with our coverage of the Data Protection Bill and more.
Update, January 17, 2022, 1:50 pm: Added definition of “harm” and “significant harm” under sub-heading “What companies dealing with children’s data cannot do?”
Subscribe to MediaNama to get access to our ongoing coverage of the bill. Here is everything we have planned around the JPC report: