The draft Digital Personal Data Protection (DPDP) Bill, 2022 currently provides for mandatory parental consent for all data processing activities by children, defined as any person aged under 18 years. This approach however misses the mark on two fronts.
Scope of Present Bill
- The DPDP Bill, 2022 applies to all processing of personal data that is carried out digitally.
- This would include both personal data collected online and personal data collected offline but is digitized for processing.
- In effect, by being completely inapplicable to data processed manually, this provides for a somewhat lower degree of protection as the earlier drafts only excluded data processed manually specifically by “small entities” and not generally.
- As far as the territorial application of the law is concerned, the Bill covers processing of personal data which is collected by data fiduciaries within the territory of India and which is processed to offer goods and services within India.
Major provisions of the revamped Bill
- High penalties:Companies dealing in personal data of consumers that fail to take reasonable safeguards to prevent data breaches could end up facing penalties as high as around Rs 200 crore.Penalties are expected to vary on the basis of the nature of non-compliance by data fiduciaries (entities that handle and process personal data of individuals).
- Companies failing to notify people impacted by a data breach could be fined around Rs 150 crore.
- Those failing to safeguard children’s personal data could be fined close to Rs 100 crore.
- In the previous version of the Bill, withdrawn earlier this year, the penalty proposed on a company for violation of the law was Rs 15 crore or 4 percent of its annual turnover, whichever is higher.
- The Data Protection Boar : It is an adjudicating body proposed to enforce the provisions of the Bill which is likely to be empowered to impose the fine after giving the companies an opportunity of being heard.
- Personal data: The new Bill will only deal with safeguards around personal data and is learnt to have excluded non-personal data from its ambit. Non-personal data essentially means any data which cannot reveal the identity of an individual.
The Gaps in the Bill
- First, instead of incentivising online platforms to proactively build safer and better services for minors, the Bill relies on parents to grant consent on behalf of the child in all cases.
- In a country with low digital literacy, where parents in fact often rely on their children (who are digital natives) to help them navigate the Internet, this is an ineffective approach to keep children safe online.
- Second, it does not take into account the “best interests of the child”, a standard originating in the Convention on the Rights of the Child, 1989, to which India is a signatory.
- India has upheld this standard in laws such as the Commissions for Protection of Child Rights Act, 2005, the Right of Children to Free and Compulsory Education Act, 2009, and the Protection of Children from Sexual Offences Act, 2012. However, it has not been applied to the issue of data protection.
- Thirdly ,The Bill does not factor in how teenagers use various Internet platforms for self expression and personal development and how central it is to the experience of adolescents these days.
- From taking music lessons to preparing for examinations to forming communities with people of similar worldviews, the Internet is a window to the world.
- While the Bill does allow the government to provide exemptions in the future from strict parental consent requirements, profiling, tracking prohibitions, etc.This whitelisting process does not acknowledge the blurring lines between what a platform can be used for.
- For example, Instagram is, strictly speaking, a social media platform, but is regularly used as an educational and professional development tool by millions of artists around the world.
Use of personal data
Issue of verifiable parental consent in the case of minors
- This provision, if enforced strictly, can change the nature of the Internet as we know it. Since it is not possible to tell if the user is a minor without confirming their age, platforms will have to verify the age of every user.
- The government will prescribe later whether verifiability will be based on IDproof, or facial recognition, or reference based verification, or some other means.
- Whatever form verifiability takes, all platforms will have to now manage significantly more personal data than before, and citizens will be at greater risk of harms such as data breaches, identity thefts, etc.
- We need to shift our approach with respect to children’s data before this Bill is brought to Parliament. To avoid the folly of treating unequals equally and blocking off access to the Internet for teenagers these steps are needed.
- First, we should move from a blanket ban on tracking, monitoring, etc. and adopt a risk based approach to platform obligations.
- Platforms should be mandated to undertake a risk assessment for minors and not only perform age verification related corresponding obligations but also design services with default settings and features that protect children from harm.
- This approach will bring in an element of coregulation, by creating incentives for platforms to design better products for children.
- Second, we need to relax the age of mandatory parental consent for all services to 13 years in line with many other jurisdictions around the world.
- By relaxing consent requirements, we will minimise data collection, which is one of the principles that the Bill is built on. This relaxation in age of consent in tandem with the risk mitigation approach elucidated above will achieve protection for children online while allowing them access.
- This solution draws on the experience and deliberations in the United Kingdom, and in the United States (California, New York, etc.) where age appropriate design codes have been introduced.
- To tailor this solution to the Indian context, the government should also conduct large scale surveys of both children and parents to find out more about their online habits, digital literacy, preferences and attitudes.
- We must design a policy in India that balances the safety and the agency of children online.
- We should not put the onus of keeping our young safe only on parents, but instead it should make it a society wide obligation.
- We have to get this part of the data protection framework right as India’s ‘techade’ cannot be realized without its youth.
Data is a new fuel in the modern world. There has been huge competition among companies to gain hegemony over citizens’ data. This can seriously enable the companies to manipulate the free will of the citizens. Therefore, the time calls for proper protection and processing of the data based on the prior information given to the user. The new data protection bill has to rise up to this expectation.