In 2017, the Hon’ble Supreme Court of India declared privacy to be a encompassed as a component of Right to Life and Personal Liberty guaranteed under Article 21 of the Constitution of India. It also recommended the creation of a data protection regime to protect the privacy of individuals. Thereafter, the Union Government constituted a committee of experts under Justice (Retd.) B.N. Srikrishna (Srikrishna Committee). The Committee published its report, along with a draft of the data protection law in 2018. The Union Government, in 2019, presented the Personal Data Protection Bill, 2019 (“PDPB”) in the Parliament. Thereafter, it was referred to a Joint Parliamentary Committee (“JPC”). In December 2021, the JPC tabled the Report of the Joint Committee on the Personal Data Protection Bill, 2019 (“the Report”). The Report was a complete overhaul of the key provisions and it also changed the nature and the title of the PDPB. The PDPB became the Data Protection Bill, 2021 (“DPB”), as the JPC believed that it would be difficult to differentiate between personal and non-personal data and thus the new law needed to deal with both under one umbrella. The DPB aims to build a data privacy framework in the country in consonance with the European Union’s General Data Protection Regulation (“GDPR”).
However, the DPB not only deviates from the framework of the GDPR and ignores important recommendations of the Srikrishna Committee, but it also violates several enshrined principles of data protection and privacy.
In this blog, the authors will focus on the critical issues related to children’s consent in processing their data. These issues are very important in the light of Article 16 of the United Nations Convention on the Rights of the Child (“UNCRC”) which prohibits arbitrary or unlawful interference with a child’s privacy, family, home, or correspondence. Since India is a signatory to the UNCRC, it has agreed to incorporate its principles into its domestic legislations.
Draft Data Protection Bill, 2021 on Children
Keeping in line with the Indian Majority Act, 1875, the DPB defines children as anybody below the age of 18 years. It mandates that entities involved in the processing of data obtained from children must do it in a manner that protects the rights and interests of children. The Report seeks deletion of the earlier established concept of “Guardian Data Fiduciary”.A data fiduciary (the entity which has control over the storage and processing of the data) that manages commercial websites or online services geared towards children, or handles substantial amounts of personal data on children, is known as a Guardian Data Fiduciary. Under the PDPB, an exemption was granted to such a Guardian Data Fiduciary from the obligation to acquire the consent of the child’s parent or guardian. The Report proposed that the idea of a guardian as a different type of data fiduciary be dropped since it might weaken the goal of protecting minors. It was also recommended that all data fiduciaries should be barred from profiling, tracking, or behavioural monitoring of children. It also suggested prohibiting targeted advertising intended at children, as well as processing personal data that may cause serious harm to children.
However, it obligates any fiduciary dealing exclusively with data secured from children to be registered as a significant data fiduciary. This warrants the creation of additional safeguards on the part of the data fiduciary. The DPB establishes that age verification and prior parental consent is a necessity for the processing of data for children. The DPB also establishes that upon attaining the age of majority, data fiduciaries must obtain consent from the individual themselves within three months of them obtaining the specified age.
Setting a Higher Threshold
The DPB by restricting minors from sharing their data has drawn a parallel to the Indian Contract Act, 1872 which has barred minors from entering into any contract without parental guidance. In this day and age of increased exposure and varying levels of maturity in children, the DPB affixes the age of consent at a higher peg than that of its global contemporaries. The age of consent is also largely inconsistent with various laws in Indian Criminal and Labour Law jurisprudence. The criminal regime has undergone a major change in identifying varied levels of maturity for the determination of sentences in crimes committed by a minor. Child and Adolescent Labour (Prohibition and Regulation) Act, 1986, also iterates that any child above the age of 14 years can be employed in non-hazardous work. This highlights the concept of varied maturity of adolescents which could have been the path the DPB could have taken. The current stance would foster increased inhibitive online behaviour in young adults and would in turn have a chilling effect on public discourse.
The age of consent in the USA is governed by the Children’s Online Privacy Protection Act, 1998 (“COPPA”). The COPPA allows children 13 years of age and above to give their consent for processing their data while mandating safeguards for the privacy of children.Article 8 of the GDPR establishes the necessity of parental consent in the collection of data in children below the age of 16. Nevertheless, countries adopting the EU mandated GDPR can lower the same up to 13 based on their national laws. For instance, Article 13 of the Spanish Personal Data Protection Law lays down that, “data pertaining to data subjects over 14 years of age may be processed with their consent, except in cases when the law requires the assistance of parents or guardians.”
The Srikrishna Committee itself noted that since there are services online which are tailor-made primarily for children (Eg. YouTube Kids app, Hot Wheels, Walt Disney, etc.), some degree of autonomy can be granted to the children too. It highlighted the importance of principled considerations and comparison from relevant jurisdictions to fix the cut-off age for giving consent for sharing data. Comments submitted on the White Paper of the B.N. Srikrishna Committee also took cognizance of this. The majority of the commentators (who were also industry experts) felt that requiring the consent of parents in every situation where a minor’s data is involved would be too paternalistic and thus not desirable.
Mechanism for Age Verification
Despite setting a cut-off age for giving consent for processing one’s data, the DPB is entirely moot on the manner and method of age verification which should be implemented by the significant data fiduciaries.
However, two varying possibilities for the same are listed out:
- The first is a self-verification mechanism, identical to those of the social media sites like Facebook and Instagram. Although this can be easily circumvented as the users can easily lie about their age.
- The second method involves uploading personal data. However, this would be non-compliant with privacy guidelines and would also risk sensitive information of children (who are recognized as a vulnerable population) to be divulged online.
It fails to take into account the principles of data minimization that mandates limiting the collecting of personal data to what is directly relevant and required to achieve a certain goal. This principle is also enshrined in Article 8.2 of the GDPR.
It is also important to remember that age verification mechanisms are not easy to implement, especially in a country like India, where the IT infrastructure is still in a developing stage. In the United Kingdom too, various failures and setbacks led to a rollback of a proposed age-verification system. The DPB thus envisages a laid-back approach, as the onus will then fall on the data fiduciary to maintain a robust age-verification system.
The acquisition of the right to consent, upon attaining a mandated legal age to enter into contracts, remain overly protective and not in consonance with the existing literature and jurisprudence which takes note of varied mental and psychological maturity levels.
It is important to take a staggered approach to this issue. Many experts have also been proponents of a staggered and graded approach. In such an approach, children of different age groups (preferably between the ages 13/14-18 years) have the right to provide consent for collection and sharing of their data depending upon the nature of the data shared and the nature and purpose of the fiduciary. For instance, by setting a uniform cut-off age which is as high as 18 years, access to many educational and informational websites, which provide educational material for teenagers, would be restricted. This problem would exacerbate the already existing informational divide which already exists in the country. Many students, especially from impoverished backgrounds and marginalized areas, would lose access to content aimed at facilitating their learning as the parents and guardians of these children might be unable or unwilling to give consent for sharing the data of the children due to the inability of understanding the nuances and complexities of data privacy.
Thus, it is important to rethink the age of consent in this regard, and as the Srikrishna Committee Report itself noted, it might also require amendments in the relevant provisions of the Indian Contract Act, 1872. It is also important to develop a robust age verification mechanism, which does not violate the privacy of the individuals and has strong safeguards to prevent misuse of the shared data.
This article is authored by Shivang Mishra and Rahul Kumar Choudhary, students at National Law University and Judicial Academy, Assam.