Privacy and children's data - Issues and challenges in 2022
(Vikram Jeet Singh and Prashant Daga)
One of the biggest impacts of the COVID-19 pandemic has been on children, their education, and their playtime. Restrictions on physical gatherings mean that e-learning and edu-tech platforms have boomed. Simultaneously, online children's videos and casual online gaming platforms have grown exponentially, providing an alternative to in-person playdates. This means that children are online more than ever (sometimes by themselves), and their personal data is being accessed and used at increasingly greater rates.
Current data privacy law in India
As of now, Indian privacy law requirements for children's data are fairly straightforward, i.e. the law requires data controllers to, inter alia, disclose to the data subject (i.e. the person providing the data) the purpose of data collection, to obtain the consent of the data subject prior to collection and before sharing such data with third parties, not to retain the personal data longer than required, and to adhere to security standards. The current set of privacy laws in India date back to 2011 and are more in the nature of online security mandates than data privacy rules.
Certain other Indian laws have a knock-on effect on data collection practices. Indian contract laws do not recognise minors, i.e. persons under the age of 18, as competent persons to contract with. Therefore, obtaining a child's consent has no legal validity, thereby making it necessary to obtain the consent of a parent/guardian to collect a child's data.
Current Indian child protection laws
An important point to keep in mind when dealing with children's data is that data privacy laws are not the primary form of regulation. Several Indian laws are drafted with an intention to protect children from abuse and obscenity, among others. The collection and handling of minors' data in India are also sensitive from a penal angle.
Representation of children in an indecent light, for example, can result in punishment under a number of other laws:
The Penal Code, 1860 ('the IPC'): The IPC is a comprehensive penal legislation that lays down punishments for criminal activities in India. Circulation of content that may be categorised as obscene is punishable with imprisonment and/or fine. Circulating obscene or harmful content directed towards children (or any person aged below 20 under law) is also a separately punishable offence. More pertinently, the online intermediary or platform acting as the data fiduciary for such data could also be held accountable and prosecuted for 'abetment' of offences.
The Information Technology Act, 2000 ('the IT Act'): The IT Act governs digital and cyberspace in India. It provides for the punishment of those who:
create, post, or share proscribed images of children; and
facilitate abusing children online.
If any child-related content stored on an electronic device is of such a nature that it sets off these provisions, the entity in charge of such device is punishable with imprisonment and/or a fine.
The Protection of Children from Sexual Offences Act, 2012 ('the POCSO Act'): Analogous to the foregoing laws, the POCSO Act is a specialised statute specifically aimed at protecting children from sexual offences. From a data protection perspective, businesses should be aware of the provisions pertaining to the circulation of proscribed content involving children, or the usage of children for indecent representation. The POCSO Act follows the principle of absolute liability, i.e. accountability irrespective of the intent/purpose per se. Committing or aiding the commission of an offence under the POCSO Act, as well as the storage of content prohibited under the POCSO Act, are penal offences. More pertinently, a failure to report the commission of an offence under the POCSO Act is punishable under certain circumstances. As such, in the event of a data breach where children's data is compromised (e.g. leaked photos of a child stored for identification purposes), a failure to notify law enforcement authorities in a timely manner may lead to criminal risk.
Forthcoming data privacy law
In contrast with current privacy laws, extensive privacy compliances are mandated for children's data under the new proposed data protection framework of the Personal Data Protection Bill, 2021 ('the Bill'). The Bill would bring Indian privacy laws in line with other Indian regulations, in that children are provided with additional safeguards.
The Bill is based on the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), with a move towards a risk-impact based regulation in that certain activities will be regulated more closely based on their potential impact. The Bill requires a data fiduciary to verify the age of a child before processing their data. It also requires that consent of the parent/guardian is obtained prior to the child's data being collected. There is also a prohibition on data processing activities that profile children, monitor their behaviour, or target advertisements towards children.
The increased regulation of data protection and privacy marks a change since the flow of data has largely been unregulated in India so far. The proposed privacy law's provisions (including those listed below) will substantially change the way data is dealt with in India:
a data protection authority ('DPA') will be established for the enforcement of data protection norms;
cross-border transfers of data will be undertaken only with the prior approval of the DPA;
a copy of sensitive personal data transferred outside India will have to be stored locally;
data subjects will have to be accorded rights, such as the right to data portability, the right to be forgotten, and the right to file complaints against a data fiduciary;
data breaches will have to be reported to the DPA;
data fiduciaries exclusively dealing with children's data will be classified as 'guardian data fiduciaries'; and
certain data fiduciaries will be regarded as 'significant data fiduciaries' ('SDFs') based on the volume of data they process, or the sensitivity of such data and the risk of potential harm.
Recently, a parliamentary committee (which has reviewed and finalised the Bill) proposed that data fiduciaries who handle children's data be classified as SDFs. SDFs are subject to additional compliances under the Bill, such as the requirement that they appoint data protection officers ('DPOs'), maintain processing records, and conduct independent data audits. The intention, therefore, seems to be to treat children's data, as well as data fiduciaries handling their data, more restrictively than adults' data.
What this means for businesses
Accessing an online platform for study or play is much more commonplace in a child's life now, and so is the availability of their data on various platforms. Considering the proposed privacy law and the draconian criminal provisions under current laws, businesses that operate online platforms cannot afford any lapses in the handling of children's data.
In view of the proposed privacy law and the stringent legal environment surrounding children's data, businesses should start formulating operating procedures for their employees, based on global best practices, that clearly set out the manner in which such data will be dealt with, transferred, protected, retained, and destroyed.