1. Introduction

With the introduction of the Personal Data Protection Bill, 2019 ('PDP Bill'), there is a concerted effort by the government to overhaul the data protection framework in India. This need stems from the fact that the current data protection framework in India is in its nascent stage as compared to other developed jurisdictions such as Europe, with the General Data Protection Regulation (EU) 2016/679 ('GDPR').

The PDP Bill was introduced in the Lok Sabha in December 2019 and then referred to the Joint Parliamentary Committee for recommendations. The Committee is likely to submit its report in the forthcoming winter session of the Parliament.

Data protection laws are important as we are moving to a far more data-driven world with a lot of interaction occurring online. With many companies relying on data analytics and targeted advertising, protection of data is an important facet.

Children are an especially concerning demographic in this regard, as online interaction by children has increased exponentially over the last few years. The changes that are being brought about by this PDP Bill are especially important for those businesses that are engaged in providing services to children, such as e-learning platforms. In addition, social media platforms will also need to be aware of the implications of the PDP Bill, as a large number of children are increasingly online and using social media applications.

In this article, we examine the framework for data privacy of children in India, under the PDP Bill and its impact on new-age online businesses including the ed-tech sector.

2. Current regulatory framework

2.1 Classification of minors

Before we examine the current regulatory framework relating to the privacy of children, it is first important to understand the meaning of the word 'child' under Indian laws. Under the Indian Majority Act, 1875, the age of majority in India is 18 years. Under the age of 18 years, a person is considered a minor and it is the phrase 'minor' that is used in most legal concepts in India.

2.2 United Nations Convention on the Rights of the Child

India is a signatory to the United Nations Charter on the Rights of the Child ('UNCRC'). Article 16 of the UNCRC bars children from being subject to arbitrary or unlawful interference in their privacy, family, home, or correspondence. By virtue of India being a signatory to the UNCRC, it has agreed to reflect these principles in its domestic laws.

2.3 Privacy laws

There is not yet a comprehensive data privacy law in India. However, there are rules under the Information Technology Act, 2002, (i.e. the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ('SPDR')) which govern the sharing and processing of personal data, including sensitive personal data. The SPDR, when compared to other data privacy regulations such as the GDPR of the European Union, are comparatively not as comprehensive.

There are no specific provisions under the SPDR for the protection of sensitive personal information or personal information of children. There is thus a regulatory vacuum that the PDP Bill proposes to fill.

As it stands, businesses in India processing personal data or sensitive personal data of children are only required to comply with the provisions of the SPDR in this respect. As a consequence, businesses are able to indulge in targeted advertising to children – one particular example is e-learning businesses who are able to currently reach out to children to market specific courses that may be to their interest. Social media companies are also able to serve targeted advertising to young children and build a database of interests and track children's online habits.

2.4 Judgments

The most important judgment relating to privacy has been the judgement of the 9 (nine) judge bench of the Supreme Court of India in the case of Justice K. S. Puttuswamy (Retd.) and Anr. V. Union of India and Ors., decided on 24 August 2017, which upheld the right to privacy as a fundamental right. However, this judgement did not specifically address the right to privacy of a child. Further, fundamental rights are only guaranteed by the state and cannot be enforced against a private business. Accordingly, while this judgment is indeed important from the view of advancing the right to privacy in India, it has limited impact on private businesses in India. As EdTech businesses and social media websites are privately run enterprises and are not at par with the state or its instrumentalities, the right to privacy needs to be specifically legislated by means of an Act – it is for this reason that the PDP Bill is being proposed.

In another case, i.e., Justice K.S. Puttaswamy (Retd) v. Union of India, decided by the Supreme Court of India on 26 September 2018, the court evaluated the consent requirements for enrolment of children aged 5 to 18 under the Aadhaar scheme. The Supreme Court held that obtaining the consent of the parent/ guardian for it was a necessary requirement for upholding the constitutionality of the Aadhaar scheme. As set out below, we see that seeking the consent of a parent/ guardian is a necessary requirement under the PDP Bill for processing the data of minors, reflecting the consistency in judicial approach.

3. Provisions in the Bill

The PDP Bill has specific provisions for the protection of data relating to children, as set out in Chapter IV. The protection that is afforded to children under the PDP Bill is in addition to the general data privacy controls under the PDP Bill.

Under the PDP Bill, a data fiduciary is defined as a person who is in charge of determining the purpose and means of processing the personal data of another person. Under the provisions of the PDP Bill, data fiduciaries are regulated in respect of the personal data of children and the important protections afforded to children are set out below:

a, Interests of the children: The PDP Bill provides that the data fiduciary is required to process the personal data of a child in such a manner that protects the rights of, and is in the best interests of the child.

b. Consent: There is a requirement prescribed under the PDP Bill for a data fiduciary to obtain consent of the parent/ guardian of a child and verify the child's age before processing the personal data of the child. The manner of verification of the age of such child are required to be in accordance with the regulations to be prescribed.

c. Restrictions: The PDP Bill prohibits data fiduciaries from profiling, tracking, behaviourally monitoring children or subjecting them to targeted advertising. It also generally prohibits any other processing of personal data that can cause significant harm to a child. These restrictions under the PDP Bill shall also apply to a data fiduciary offering counselling or child protection services.

d. Guardian data fiduciary: The PDP Bill further states that a data fiduciary that operates commercial websites or online services directed at children, or processes large volumes of personal data of children, can be classified as a 'guardian data fiduciary'. Such a guardian data fiduciary that provides exclusive counselling or child protection services to a child is exempt from obtaining the consent of the parent or guardian of the child as required by other data fiduciaries.

4. Criticism and drawbacks

The provisions that have been included in the PDP Bill are appreciable, but do have some issues that would need addressing as set out below:

(a) The PDP Bill draws a distinction between minors and non-minors in terms of protecting the rights of the child. The PDP Bill has equated the concept of 'minor' with that of a child and hence there is no differentiation under the provisions of the PDP Bill between a toddler, a pre-teen and a young adult. Although this approach is in line with the UNCRC, which defines anyone younger than 18 as a child, may be a need to relook this approach in the context of today's digital world.

Under the GPDR, Article 8 provides that consent is required in case of processing the data of a child younger than 16 years, provided that the member states of the European Union may lower this age, to not less than 13 years.

Given that children in this day and age are engaged in many online activities, from social media to e-learning and other activities, seeking consent from their parent/ guardian may actually be a cumbersome process. E-learning businesses which focus on children as their target demographic will therefore need to have in place a robust control mechanism for seeking this consent and will likely need to implement this at the time of onboarding of new students/ customers.

One important consideration that businesses will need to keep in mind in this context is that this requirement will not only apply to new users but also existing users and accordingly, a one-time compliance exercise will have to be undertaken by businesses to ensure compliance with the provisions of the PDP Bill.

(b) The PDP Bill alludes to an age verification mechanism for children. While the specific process of age verification has not yet been prescribed, there will certainly be challenges in its implementation. For example, an age verification mechanism may require the submission of identity proof or other sensitive documentation, which will need to be secured online safely. There could be be security concerns around this, and businesses will need to demonstrate adequate safety measures to consumers in order to gain their trust. There have been many instances of online data breaches in the past, which could weigh on the minds of any parent/ guardian of a child.

Further, data fiduciaries may need to invest in resources to carry out this age verification either in terms of human resources or developing robust algorithms to achieve this automatically. As things stand currently, online businesses often include language in their terms of service putting the obligation on the user to confirm that they are of age. Further, children often wrongly provide their age online to gain access to services, given that there is currently no mechanism in place to verify the age of children. Another concern that business will have to keep in mind where there is human verification is the safety of children – the data of children is sensitive, and businesses will have to have a mechanism in place to prevent the data from being misused.

(c) The PDP Bill further places restrictions on processing of the personal data of children, however, the manner and extent of these restrictions will need to be ascertained. A blanket ban on all kinds of processing of data may cause difficulties in business, especially in those services aimed at children.

This requirement would mean that e-learning businesses may need to re-think their marketing strategies to keep in mind the provisions of the PDP Bill.

5. Conclusion

In light of the above, while the introduction of the provisions in relation the protection of data of children are indeed a natural evolution of the law of data privacy, their impacts on businesses are yet to be ascertained. This will be clear with time, but businesses might need to allocate additional resources to address these provisions once they come into effect.

Parents/ guardians are increasingly more concerned about the well-being of their children including their online presence and will likely be wary of providing consent and data of their children online once the provisions of the PDP Bill come into force. Businesses, especially in the EdTech and social media sector will need to be able to demonstrate significant trust to parents/ guardians to overcome this challenge.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.