‘We should not put the responsibility of keeping our children safe on the parents only, but should make it the responsibility of the whole society’. Photo credit: Getty Images/iStockphoto
How freely should Indian teenagers use the Internet? And what are the responsibilities of the platform towards its minor users? These are important questions to get the right answers to achieve India’s digital ambitions. The draft Digital Personal Data Protection (DPDP) Bill, 2022 provides for mandatory parental consent for all data processing activities by children, currently defined as any person under the age of 18 years. This approach however misses the mark on two counts.
gap in bill
First, instead of encouraging online platforms to proactively build safer and better services for minors, the Bill relies on parents to give consent on behalf of the child in all cases. In a country with low digital literacy, where indeed parents often rely on their children (who are digital natives) to help them navigate the internet, this is an ineffective way to keep children safe online.
Second, it does not take into account the “best interests of the child”, a standard originating in the Convention on the Rights of the Child, 1989, to which India is a signatory. India has upheld this standard in laws such as the Commission for Protection of Child Rights Act, 2005, the Right of Children to Free and Compulsory Education Act, 2009, and the Protection of Children from Sexual Offenses Act, 2012. However, this has not been implemented on the issue of data protection. The bill does not take into account how teens use various internet platforms for self-expression and personal growth and how important this is to the teen experience these days. From taking music lessons to preparing for exams to building a community with like-minded people, the Internet is a window to the world. While the Bill allows the government to grant exemptions from strict parental consent requirements, profiling, tracking prohibition, etc. in future, this whitelisting process does not acknowledge what a platform can be used for. For example, Instagram is strictly a social media platform, but is used regularly by millions of artists around the world as an educational and professional development tool.
use of personal data
Another issue in the current draft of the DPDP Bill is that every platform will have to obtain ‘verifiable parental consent’ in case of minors. This provision, if strictly enforced, could change the nature of the Internet as we know it. Since it is not possible to tell whether a User is a minor without verifying their age, the Platform must verify the age of each User. The government will later specify whether the verification will be based on ID-proof, or facial recognition, or context-based verification, or any other means.
Whatever the form of verifiability, all platforms will now have to manage significantly more personal data than before, and citizens will be at greater risk of harm such as data breaches, identity theft, etc.
Thus, before this bill is brought to the Parliament, we need to change our approach regarding children’s data. These steps are needed to treat unequals equally and to avoid the folly of blocking access to the internet for teenagers.
First, we must move beyond a blanket ban on tracking, monitoring, etc., and take a risk-based approach to platform obligations. Platforms should be mandated to conduct risk assessments for minors and not only fulfill age-verification-related obligations but also design services with default settings and features that protect children from harm. This approach would bring an element of co-regulation by creating an incentive for platforms to design better products for children.
Second, we need to raise the age of mandatory parental consent to 13 for all services, in line with many other jurisdictions around the world. By relaxing the consent requirements, we will reduce data collection, which is one of the principles on which the bill is built. This relaxation of the age of consent in conjunction with the risk reduction approach outlined above will protect children while allowing them online access.
need survey
This solution is based on experience and deliberations in the United Kingdom and the United States (California, New York, etc.), where age appropriate design codes have been introduced. To tailor this solution to the Indian context, the government should conduct a large-scale survey to learn more about the online habits, digital literacy, preferences and attitudes of both children and parents.
We must have a policy in India that balances the safety and agency of children online. We should not put the responsibility of keeping our children safe on the parents only, but make it the responsibility of the whole society. We need to fix this part of the data security framework as India’s ‘technology’ cannot be realized without its youth.
Aparajita Bharti is a founding partner of TQH, a public policy consulting firm in Delhi. Nikhil Iyer is a senior analyst at public policy consulting firm TQH in Delhi