Indian perspective on protecting children’s privacy

By Aadya Misra and Tanvi Chaturvedi, Spice Route Legal
0
560
LinkedIn
Facebook
Twitter
Whatsapp
Telegram
Copy link

As access to internet and technology is increasingly pervasive, children emerge as significant stakeholders in the digital economy. Unfortunately, existing and proposed legal frameworks are not designed to protect children’s interests and are even less effective in child data protection and privacy.

Data protection compliance is governed by the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI rules). Under the SPDI rules, the threshold for the collection of sensitive personal data or information, including passwords, financial and health information, biometrics, and sexual orientation, is the written or electronic consent of data subjects.

Aadya Misra
Aadya Misra
Counsel
Spice Route Legal

As the SPDI rules do not explain how such consent may be given, the principles of contract law are used. Under the Indian Contract Act, 1872, those under the age of 18 are not competent to give consent in a contract. Consent obtained from a minor for the processing of their data is not valid. Businesses processing the personal data of minors usually structure legal terms and privacy notices in such a way that parents or guardians are deemed to have consented on behalf of their children or wards. Entities do not, typically, implement consent or implement practices that actually verify users’ ages or safeguard children’s interests.

The draft of the new data protection law, the Digital Personal Data Protection Bill, 2022 (DPDPB) offers little by way of protecting children. It prohibits the tracking and behavioural monitoring of children, targeted advertising directed at children, and any form of data processing likely to cause harm to children. Exceptions may be prescribed by the government. A child is defined as an individual below the age of 18. While penalties for non-compliance go up to INR2 billion (USD24.4 million), the general approach of the DPDPB is non-nuanced, with a blanket prohibition on the processing of children’s data, impractical in the current digital landscape.

Tanvi Chaturvedi
Tanvi Chaturvedi
Associate
Spice Route Legal

Other jurisdictions provide useful guidance for a more refined approach to the protection of children’s data. Many adopt a practical test of maturity to create different tiers, where individuals above a certain age but below the age of majority may give consent for the processing of their data. This test considers maturity levels and the ability to understand the legal rights and risks associated with processing and undue influence. A 17-year-old should not usually be treated the same as a young child. Criminal laws in India distinguish between children in different age groups based on their mental capacity and ability to understand the consequences of their actions. Given the emphasis on consent in the DPDPB, a similar tiered approach where children above a certain age can provide consent for the processing of their data could be incorporated in its next draft.

Missing are positive obligations on businesses to design processing activities that protect children, to conduct pre-emptive harm assessments and to implement risk mitigation based on the findings. Studies have found children to be especially susceptible to personalised advertising and behavioural monitoring. They are vulnerable users of online products, such as social media and e-learning platforms. Essential first steps in the proposed statutory measures should be requiring businesses in high-risk areas to conduct specific data protection impact assessments, adhere to data minimisation principles and publish risks and corresponding mitigation measures in a transparent manner, whether with the proposed Data Protection Board of India or on websites. Businesses should also create privacy notices that are easily understood by children, implement safeguard controls for parents to use and apply privacy through design and default principles in processing that involves children. They should educate children and encourage them to exercise their rights. Unfortunately, such aims are absent in the proposed framework.

Limiting or regulating the behavioural monitoring of children and imposing default obligations that limit data sharing outside specific and non-harm-based purposes are principles in many countries’ child protection laws. They are essential elements for the proposed law.

Aadya Misra is a counsel, and Tanvi Chaturvedi is an associate at Spice Route Legal.

Spice Route Legal
14th floor, Skav 909,
Lavelle Road, Ashok Nagar
Bengaluru, Karnataka 560025
Contact details:
E: contact@spiceroutelegal.com

LinkedIn
Facebook
Twitter
Whatsapp
Telegram
Copy link