Prelims: Personal Data Protection Bill, Justice B N Srikrishna, Convention on the Rights of the Child, 1989, Protection of Child Rights Act, 2005 etc
Mains GS Paper II and III: Government policies and interventions for development of various sectors and issues arising out of them etc
- The Digital Personal Data Protection (DPDP) Bill, 2022 provides for mandatory parental consent for all data processing activities by children, defined as any person aged under 18 years.
INSIGHTS ON THE ISSUE
Background of data privacy law:
- Started in 2010 with the constitution of the Justice Srikrishna Committee.
Justice BN Srikrishna Committee Data Protection Report:
- The Committee was constituted by the union government in July 2017, to deliberate on a data protection framework.
- The Supreme Court in its Puttaswamy judgment, 2017: It declared privacy a fundamental right.
- Interests of citizens: The report has emphasized that interests of the citizens and the responsibilities of the state have to be protected, but not at the cost of trade and industry.
- It proposed a draft Personal Data Protection Bill.
New Data Protection Bill:
- Inclusion of the word “digital” in the Bill’s title speaks to India’s long standing goal of being a digitally forward society.
- Bill has two major stakeholders:
- Data Principal
- Data Fiduciary.
- Data Principal: It refers to the subject whose data is being processed
- Data Fiduciary: It is an entity that processes this data.
- fiduciary” whilst referring to a data processor is significant.
- The relationship between the two is guided by:
- trust, assurance and good faith.
- Data Fiduciary: It is responsible for safeguarding the interests of Data Principals.
- Bill describes:
- the obligations of the Data Fiduciaries towards Data Principals
- the rights and duties of the latter
- regulatory framework through which data will be processed.
- Bill lists the “duties” of the Data Principals: these have no bearing on the realization of the rights provided by the Bill.
Important aspects of bill:
- In addition to the general obligations to prevent the misuse of the personal data of individuals
- The Bill has outlined a category of Significant Data Fiduciaries entities: that are required to comply with additional measures to safeguard the personal data of individuals.
- Only companies that process vast amounts of data or have a potential impact on the country’s sovereignty and integrity need to take such stringent measures.
- Such measures reduce the compliance cost of companies that are at a nascent stage.
- Data localisation” in the previous versions of the Bill, have been omitted: The reworked Bill permits the government to notify countries to which data transfers may be permitted.
The gaps in the Bill:
- The Bill relies on parents to grant consent on behalf of the child in all cases.
- In a country with low digital literacy, where parents in fact often rely on their children (who are digital natives)
- This is an ineffective approach to keep children safe online.
- It does not take into account the “best interests of the child”, a standard originating in the Convention on the Rights of the Child, 1989, to which India is a signatory.
- The Bill does not factor in how teenagers use various Internet platforms for self-expression and personal development and how central it is to the experience of adolescents these days.
- Bill does allow the government to provide exemptions in the future from strict parental consent requirements, profiling, tracking prohibitions, etc
- It does not acknowledge the blurring lines between what a platform can be used for.
- For example: Instagram is a social media platform, but is regularly used as an educational and professional development tool by millions of artists around the world.
- Each platform will have to obtain ‘verifiable parental consent’ in the case of minors.
- It can change the nature of the Internet
- It is not possible to tell if the user is a minor without confirming their age, platforms will have to verify the age of every user.
- Risk for citizens: The government will prescribe whether verifiability will be based on ID-proof, or facial recognition, or reference-based verification etc
- All platforms will now have to manage significantly more personal data than before
- Citizens will be at greater risk of harms such as data breaches, identity thefts, etc.
India laws for child Protection;
- Protection of Child Rights Act, 2005
- The Right of Children to Free and Compulsory Education Act, 2009
- Protection of Children from Sexual Offences Act, 2012.
- We need to shift our approach with respect to children’s data before this Bill is brought to Parliament.
- To avoid the folly of treating unequals equally and blocking off access to the Internet for teenagers these steps are needed.
- Move from a blanket ban on tracking, monitoring, etc. and adopt a risk-based approach to platform obligations.
- Platforms should be mandated to undertake a risk assessment for minors and not only perform age-verification-related corresponding obligations
- Design services with default settings and features that protect children from harm.
- This approach will bring in an element of co-regulation, by creating incentives for platforms to design better products for children.
- Relax the age of mandatory parental consent for all services to 13 years in line with many other jurisdictions around the world.
- It will minimize data collection, which is one of the principles that the Bill is built on.
- Experience and deliberations in the United Kingdom, and in the United States (California, New York, etc.) where age appropriate design codes have been introduced. To
- The government should conduct large-scale surveys of both children and parents to find out more about their online habits, digital literacy, preferences and attitudes.
- Design a policy in India that balances the safety and the agency of children online.
- We should not put the onus of keeping our young safe only on parents, but instead it should make it a society-wide obligation.
- Get the data protection framework right as India’s ‘techade’ cannot be realized without its youth.
QUESTION FOR PRACTICE
Q. What is the CyberDome Project? Explain how it can be useful in controlling internet crimes in India. (UPSC 2019) (200 WORDS, 10 MARKS)
Q. Examine the scope of Fundamental Rights in the light of the latest judgment of the Supreme Court on Right to Privacy. (UPSC 2017) (200 WORDS, 10 MARKS)