Personal Data Protection Bill, 2019 – special provisions concerning data relating to children and their impact on EdTech and other online businesses

Introduction

The Personal Data Protection Bill (‘PDP Bill’) has been introduced to regulate the data protection framework in India and is currently referred to the Joint Parliamentary Committee who are likely submit their report in the forthcoming winter session.

The PDP Bill aims to bring the data protection laws in India in consonance with the data protection laws of developed nations such as the General Data Protection Regulation (EU) 2016/679. It focuses on providing a framework for data privacy for children in India. With the growing age of technology, increased online interactions and rise in the ed-tech sector, these particular provisions of the PDP Bill are the need of the hour.

Current regulatory framework

Under Indian laws, the age of majority is 18 years and under the age of 18 years, a person is considered a minor. The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 does not provide protection of sensitive personal information or personal information specifically for children because of which businesses such as e-learning and social media platforms are able to indulge in targeted advertising to children. The PDP Bill proposes to bring this within its ambit.

Various judgments by Supreme Court of India have talked about the right to privacy in India. In the case of Justice K.S. Puttaswamy (Retd) v. Union of India (2018), it was held that obtaining consent of the parent/ guardian of a child was a necessary requirement for upholding the constitutionality of the Aadhaar scheme. In line with the judicial precedents, the PDP Bill has made it mandatory to seek consent of the parent/ guardian before processing any personal data of a child.

Key provisions of the PDP Bill relating to children

PDP Bill through Chapter IV lays down specific provisions for protecting data related to children. Following provisions of the PDP Bill become specifically applicable to data fiduciaries, i.e. a person who is in charge of determining the purpose and means of processing personal data:

• Processing of any personal data of a child in such manner that protects the rights of, and is in the best interests of, the child.
• Obtaining consent of the parent/ guardian of a child and verify the child’s age before processing their personal data, in a manner specified by regulations.

Further, ‘guardian data fiduciaries’ i.e. data fiduciaries operating commercial websites or online services directed at children, or processing large volumes of personal data of children, are barred from profiling, tracking, behaviourally monitoring children or subjecting them to targeted advertising and processing personal data that could cause significant harm to the child. These restrictions will also apply to a data fiduciary offering counselling or child protection services. Although, these restrictions will not apply to those guardian data fiduciaries who exclusively offer counselling or child protection services.

Analysis

Few of the aspects to be considered in respect of the PDP Bill are:

• The PDP Bill draws no distinction between a toddler, a pre-teen and a young adult. A distinction maybe needed in the current evolving digital world.
• Seeking consent from parent/ guardian maybe a tedious process and thus a convenient mechanism will have to be implemented by various businesses, specially e-learning which focus on children as their target demographic, while enacting the provisions of the PDP Bill. One-time compliance to target new and old users may be a good exercise which could be adopted by such businesses.
• The process of age verification under the PDP Bill will be difficult to implement as there already exist concerns relating to security and data breaches which might make parents/ guardians hesitant in uploading required data. Extra resources will need to be invested by data fiduciaries to carry out this process such as human resources and developing algorithms. Business will need to take extra care to prevent the misuse of data related to children.
• Wariness of parents/ guardians maybe a challenge while obtaining consent and data of children in accordance with the PDP Bill. Businesses, especially in the EdTech and social media sector will need to gain significant trust of parents/ guardians to overcome this challenge.
• A complete ban on processing any kind of data related to children may cause difficulties for businesses focused on providing services specifically related to children. Therefore, manner and extent of restrictions put on processing such data will need to be ascertained.

This article first appeared in Financial Express (India).