The Personal Data Protection Bill, 2019, which is likely to be tabled during the budget session next year, is currently being examined by the Joint Parliamentary Committee. The proposed legislation aims to protect children’s personal and sensitive data, by specifying the age of consent below which strict processing conditions kick in. The provision is much needed because it ensures that children’s inability to understand the risks on the internet does not make them vulnerable to exploitation. But given the dynamic nature of the world wide web, implementing these provisions might be a challenge.
The Personal Data Protection (PDP) Bill, 2019 classifies any person below the age of 18 as a child. His/her data cannot be processed without the consent of parents or a guardian and the verification of the child’s age. The Srikrishna Committee, which conceptualised the Bill, explained that the age of 18 was chosen in order to ensure consistency with other domestic laws. It agreed that the cut-off age may be too high and may need to be revised, keeping in mind a child’s development. In contrast to India’s approach, the United State’s Children’s Online Privacy Protection Act has capped the age of consent at 13, and verifiable parental consent is needed only for those who are younger. Europe’s General Data Protection Regulation suggests a range between 13 and 16 years.
Also read: Indian govt took first step to unlock value of non-personal data, must now bring in nuance
Consent and service provision
The age of consent has been at the centre of numerous discussions about the use of internet-based services. The child safety provisions in Chapter IV of the Bill prohibit commercial websites or online services “directed” at children, to profile, track, behaviourally monitor or target advertisements, irrespective of parent’s or guardian’s consent. In other words, the Bill presupposes that such activities are harmful to all those under the age of 18.
The video game industry is a good example of the dilemma of implementing consent-related provisions. Unless robust age verification measures are deployed, gaming platforms might have to entirely exclude under-age users, or incur significant costs to build separate child and adult versions of their products. Moreover, while platforms don’t process data to identify users, they track their behaviour to reward them in order to make gaming experience enjoyable and to correct software errors. This is an essential characteristic of gaming, which might be eroded if the provisions of this Bill are enacted. The Interactive Software Federation of Europe, which represents the European gaming industry, has raised similar concerns against the United Kingdom’s Age Appropriate Design Code. It restricts the use of nudge techniques, and brings in other prohibitions related to data of children below the age of 18.
The regulations will also affect the Edtech sector because many of its services are specifically customised for children aged between 13 and 18. Monitoring a child’s progress is an essential business strategy, one that is used to design age-appropriate products beneficial for children.
Also read: India’s digital workforce needs secure software. Testing, not banning apps, is the answer
Need to factor in different maturity levels of children
The PDP Bill, 2019 does not distinguish between a 17-year-old and a 13-year-old. It prescribes the same rules for different age groups, and no child under the age of 18 has the right to consent to processing their data. Such blanket restrictions could deprive children from meaningfully using the internet. We live in a time where information awareness has fastened the pace of mental growth in children, who now demonstrate the capability to become stakeholders in society building and can guide policymaking. Greta Thunberg, the 17-year-old Swedish environmental activist who uses social media to raise awareness about climate change, is a prominent example of this phenomena. There are others like the late Aaron Swartz, a computer programmer and internet freedom activist, who at the age of 14 exhibited a deep understanding of the internet and issues related to its access. The absence of a graded approach to consent may prompt service providers to take a risk-averse approach by simply excluding children from accessing internet-based services.
In contrast, threshold-based, consent-related provisions, which factor in the maturity levels of children of different age groups, can avoid creating impediments in their internet engagement. At the same time, a child’s access to specific online activities could be preconditioned on parental consent. The graded approach to immaturity can be seen in India’s Juvenile Justice Act, 2000, which distinguishes 16-18-year-olds as adults. The law factors in their mental and physical capacity to commit an offence, the ability to understand the consequences of the crime, and the circumstance in which it was committed. This is at variance with Shri Krishna Committee’s rationale of keeping the age at 18.
Also read: India has to toe a fine line in defining non-personal data — between public interest and IPR
Reimagining privacy and age verification
The PDP Bill, 2019 misses the point that privacy means different things for children of different ages. For a 17-year-old, privacy may mean privacy from parents as compared to a 13-year-old, who needs parental oversight. This may be even more important in conservative societies where the internet enables older and more mature children to help better understand their sexual orientation or explore questions of religion, among other sensitive issues that cannot be freely discussed. These considerations make it crucial for the law to consider different requirements of different age groups.
The Bill proposes age verification techniques as age-gating methods that help differentiate between adults and children. It brings within its fold almost every website, which will be required to collect more data about users than it does to carry out age verification processes. What and how this will be done can be difficult questions to answer. America’s Children’s Online Privacy Protection Rule Act, on the other hand, is a better example to follow. The law is narrower in its approach and requires mandatory age verification for only those websites that are directed at children, or have the actual knowledge that their services will be used by them. These online portals are required to ask for a parent’s government-issued ID, credit card details, provide a call-centre number, or use any other method as evidence to verify consent. Simple checkboxes will not do. In contrast, considering how the provisions of India’s proposed PDP Bill apply to all websites, it will be practically impossible or extremely expensive to implement similar verification methods.
The PDP Bill rightly pays special attention to the data protection of children, but it needs a deeper analysis of the needs and development of different age groups. If nuanced issues of maturity, consent, and privacy are factored in, they can bring the law at par with international standards and ensure that children are reasonably empowered to access the internet.
The authors work at Koan Advisory Group, a technology policy consulting firm. Views are personal.
This article is part of ThePrint-Koan Advisory series that analyses emerging policies, laws and regulations in India’s technology sector. Read all the articles here.