Reconciling a child’s right to privacy and autonomy
The draft data protection bill should reconsider seeking parental consent for all online activities of adolescents
It has been estimated that children and adolescents under the age of 18 account for one in three Internet users around the world. Adolescence is the transitional period during which children mature into young adults, and it is in this time that they acquire knowledge, develop attributes and skills, and, most important, learn to manage emotions and relationships. This also extends to their activity over the Internet and their digital identity. Most children and adolescents tend to use the Internet as a source for entertainment and information, and believe that they have a right to access it. In most cases, they are also aware of the risks of using the Internet, and have a level of consciousness about their right to privacy. However, they seem to be more concerned about their right to privacy being infringed upon by their parents or peers, rather than the State or commercial actors.
India alone has over 472 million children who are under the age of 18. With more and more of that number entering the digital environment, it has become all the more important to safeguard their right to privacy online. India needs to consider how it can enable their right to participation and afford them privacy from both sets of actors — parents and peers as well as the State and commercial institutions — without placing restrictions on their autonomy.
The Indian government introduced the Personal Data Protection Bill, 2019, in the Lok Sabha on December 11, 2019, and it has subsequently been sent for review to a joint parliamentary committee. Under Chapter IV, Section 16 of the bill deals with personal and sensitive personal data of children. It requires that a data fiduciary verify the age of a child and obtain the consent of his or her parent or guardian before processing their data. The bill follows the form of most Indian laws by classifying children as individuals who have not completed 18 years of age. The bill says that the manner of this verification process will be specified through regulations. An important point to note is that in the process of verifying a person’s age, a data fiduciary could end up collecting data about children. When formulating the regulation which prescribes the manner of verification, measures should be taken to ensure that this data is not used for any other purpose.
The requirement for parental consent needs to be looked at in terms of the overall societal context of the children. A person’s age doesn’t tell the entire story, hence we also need to look at sociological, physiological and other relevant factors when considering how to deal with children’s privacy. The current learning ecosystem has adopted technological tools that have enabled children to grow and gain a better understanding of the digital space. Adolescents who are generally termed as children between the ages of 16 to 18, often have a comprehensive understanding of their activities online that is comparable to that of adults. Regulatory frameworks, which do not take this into consideration, end up having a negative impact on the interests of people in this age group. In 2016, approximately 44 million children in India were between 16 and 18. It is important that our laws do not restrict their ability to make use of the digital resources available to them.
Around the world, different legal regimes provide for additional protections to maintain the privacy of children of varying ages in their jurisdictions. The European Unions’ General Data Protection Regulation holds that a child who is at least 16 years old can consent to their data being processed in relation to information society services being directly offered to them. It does, however, require that parental consent be obtained for any child under 16. However, in the United States, the Children’s Online Privacy Protection Act requires that operators of websites or online services provide notice of the fact they are collecting the children’s personal information and also collect verifiable parental consent. Even the Cyberspace Administration of China only requires parental consent for the processing of data belonging to children under 14.
There is a clear need for the development of appropriate legislation and policy frameworks that balance children’s rights to privacy with the need to protect their online activity. While the proposed Indian law does aim to safeguard the rights of minors, it should reconsider its approach of requiring parental consent for all the online activity of adolescents. Policymakers should take into account their special circumstances and needs, and possibly treat them as a class of individuals separate from both children and adults.