Date: 25/01/2023
Relevance: GS-2: Government Policies and Interventions for Development in various sectors and Issues arising out of their Design and Implementation; Digital Personal Data Protection Bill 2022.
Key Phrases: Digital Personal Data Protection Bill 2022, Minor, Data Principal, Parental Consent, Youngest youth Demographics, Safety tools and Features, Societal cooperation, Public discourse.
Context:
- The Ministry of Electronics and Information Technology has been deliberating on various aspects of digital personal data and its protection, and has formulated a draft Bill, titled ‘The Digital Personal Data Protection Bill, 2022’.
- There are some provisions which are formulated for the data protection for minors but these provisions miss some important aspects which need to be corrected for achieving the digital ambition of India.
Key Highlights:
- India has one of the youngest youth demographics in the world and is among the most active online.
- The draft Digital Personal Data Protection (DPDP) Bill, 2022 currently provides for mandatory parental consent for all data processing activities by children, defined as any person aged under 18 years.
Issues related to Minor in the Draft Bill:
- Ineffective approach for Parental Consent
- Instead of incentivising online platforms to proactively build safer and better services for minors, the Bill relies on parents to grant consent on behalf of the child in all cases.
- In a country with low digital literacy, where parents in fact often rely on their children (who are digital natives) to help them navigate the Internet, this is an ineffective approach to keep children safe online.
- Missing the standard of “best interests of the child”
- The draft bill does not take into account the “best interests of the child”, a standard originating in the Convention on the Rights of the Child, 1989, to which India is a signatory.
- India has upheld this standard in laws such as the Commissions for Protection of Child Rights Act, 2005, the Right of Children to Free and Compulsory Education Act, 2009, and the Protection of Children from Sexual Offences Act, 2012. However, it has not been applied to the issue of data protection.
- No Clarity on the Use of Internet Platforms
- The Bill does not factor in how teenagers use various Internet platforms for self-expression and personal development and how central it is to the experience of adolescents these days.
- Use of Personal Data
- Another issue in the current draft of the DPDP Bill is that each platform will have to obtain ‘verifiable parental consent’ in the case of minors.
- This provision, if enforced strictly, can change the nature of the
Internet as we know it.
- Since it is not possible to tell if the user is a minor without confirming their age, platforms will have to verify the age of every user.
- The government will prescribe later whether verifiability will be based on ID-proof, or facial recognition, or reference-based verification, or some other means.
- Whatever form verifiability takes, all platforms will have to now manage significantly more personal data than before, and citizens will be at greater risk of harms such as data breaches, identity thefts, etc.
Draft ‘Digital Personal Data Protection Bill, 2022’
- About
- The purpose of the draft Bill is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes.
- Key Features
- Applicability:
- The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitized.
- It will also apply to such processing outside India, if it is for offering goods or services or profiling individuals in India.
- Consent:
- Personal data may be processed only for a lawful purpose for which an individual has given consent.
- A notice must be given before seeking consent.
- Consent may be withdrawn at any point in time.
- For individuals below 18 years of age, consent will be provided by the legal guardian.
- Rights and duties of Data Principal:
- An individual, whose data is being processed (data principal), will have the right to: (i) obtain information about processing, (ii) seek correction and erasure of personal data, (iii) nominate another person to exercise rights in the event of death or incapacity, and (iv) grievance redressal.
- Data principals will have certain duties. They must not: (i) register a false or frivolous complaint, (ii) furnish any false particulars, suppress information, or impersonate another person in specified cases.
- Obligations of data fiduciaries:
- The entity determining the purpose and means of processing, called data fiduciary, must: (i) make reasonable efforts to ensure the accuracy and completeness of data, (ii) build reasonable security safeguards to prevent a data breach and inform the Data Protection Board of India and affected persons in the event of a breach, and (iii) cease to retain personal data as soon as the purpose has been met and retention is not necessary for legal or business purposes (storage limitation).
- Transfer of personal data outside India:
- The central government will notify countries where a data fiduciary may transfer personal data.
- Exemptions:
- Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases including prevention and investigation of offenses, and enforcement of legal rights or claims.
- The central government may, by notification, exempt certain activities from the application of provisions of the Bill.
- These include: (i) processing by government entities in the interest of the security of the state and public order, and (ii) research, archiving, or statistical purposes.
- Data Protection Board of India:
- The central government will establish the Data Protection Board of India.
- Key functions of the Board include: (i) monitoring compliance and imposing penalties, (ii) directing data fiduciaries to take necessary measures in the event of a data breach, and (iii) hearing grievances made by affected persons.
- The central government will prescribe: (i) composition of the Board, (ii) selection process, (iii) terms and conditions of appointment and service, and (iv) manner of removal.
- Applicability:
A New Approach to Data Protection for Minors:
- To avoid the folly of treating unequals equally and blocking off access to the Internet for teenagers, we need to shift our approach with respect to children’s data before this Bill is brought to Parliament.
- Following steps are suggested by the author:
- Adopt a Risk-based Approach
- We should move from a blanket ban on tracking, monitoring, etc. and adopt a risk-based approach to platform obligations.
- Platforms should be mandated to undertake a risk assessment for minors and not only perform age-verification-related corresponding obligations but also design services with default settings and features that protect children from harm.
- This approach will bring in an element of co-regulation, by creating incentives for platforms to design better products for children.
- Relaxation in the age of mandatory parental consent
- Further, we need to relax the age of mandatory parental consent for all services to 13 years in line with many other jurisdictions around the world.
- By relaxing consent requirements, we will minimize data collection, which is one of the principles that the Bill is built on.
- This relaxation in age of consent in tandem with the risk mitigation approach elucidated above will achieve protection for children online while allowing them access.
- Adopt a Risk-based Approach
Conclusion:
- A policy must be designed in such a way that balances the safety and the agency of children online. The onus of keeping our young safe should be a society-wide obligation.
Source: The Hindu
Mains Question:
Q. Highlights the critical issues regarding data protection of Minors in the draft digital personal data protection bill,2022. Also, suggest measures to resolve these issues. (250 Words)