With the government planning to introduce the rules under the Digital Personal Data Protection Act, 2023 (“DPDPA”) soon, it becomes imperative for the industry to step up to the next phase, i.e., adoption and implementation readiness for this compliance-heavy law in a time- and cost-efficient manner. Among the many obligations, a significant one relates to the governance of personal data of children and persons with disabilities.
THE LAW
The regulatory framework for the processing of personal data is currently governed by the Information Technology Act, 2000, the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”) and sector-specific legislation (e.g., health, telecom, insurance, securities, e-commerce). Once brought into force, the DPDPA will supersede the SPDI Rules, 2011.
According to the DPDPA, a “child” means an individual who has not completed the age of eighteen years.[1]
Section 9 of the DPDPA prescribes added responsibilities for processing the personal data of children or persons with disabilities. Data fiduciaries processing such personal data will have to obtain the verifiable consent of the parent/guardian of the data principal in the manner prescribed. Any processing that is likely to cause a detrimental effect on the well-being of a child is prohibited. Further, tracking, behavioral monitoring and advertisements targeted at children are also restricted under the DPDPA. However, the government is empowered to exempt certain categories of data fiduciaries, or to specify certain purposes, from the requirement of obtaining verifiable parental consent. The government can also, by notification, exempt entities from the restrictions on tracking, behavioral monitoring and targeted advertising directed at children. Further, the Central Government can, on a case-by-case basis, determine whether the processing activity of a data fiduciary is “verifiably safe” and exempt that fiduciary from the requirements relating to consent, tracking, behavioral monitoring and targeted advertising of children.
CONSENT PUZZLE
Processing of personal data relating to children comes with its own set of implementation complexities, especially considering the possibility of significant harm to children arising from such processing. Some of these challenges are highlighted below:
- Companies are often faced with the question of how they should meet the threshold of obtaining verifiable parental consent vis-à-vis the risks involved in the processing. Determining the risk involved in processing children's personal data, which calls for a higher degree of verification and compliance standards, will be an assessment in itself, considering the broad nature of the restriction prescribed.
- Companies are further perplexed about filtering their users based on age or disability. This becomes more problematic given that monitoring children is not permitted under the DPDPA. Without monitoring them, it becomes difficult for fiduciaries to profile such children and filter content that is suitable for them.
- Further, the level of diligence fiduciaries should maintain when confirming whether a user is a child or a person with disability will be an added task for companies that do not regularly deal in children's personal data but incidentally process it, for instance e-commerce platforms that do not target children but incidentally collect their personal data when children access the platform. On the other hand, entities that regularly deal in children's personal data (e.g., gaming, ed-tech, healthcare) will face a higher cost of compliance as well as a higher risk of non-compliance.
- Since many jurisdictions categorize data relating to children as sensitive in nature, it is possible for the government to classify entities that primarily deal in children's personal data as “significant data fiduciaries”.[2] This would entail higher compliance mandates for such fiduciaries.
- Section 9 of the DPDPA states that “before processing any personal data of a child or a person with disability” the fiduciary needs to obtain parental consent. It therefore appears that the fiduciary will have to obtain parental consent for any form of processing of children's data. Stakeholders may be uncertain about relying on the 'legitimate use'[3] ground when processing children's personal data. This would effectively defeat the purpose of the legitimate use ground, which exists for situations where it is not practical for fiduciaries to obtain consent, such as fulfilling legal obligations, disaster management, compliance with court orders, medical emergencies, etc. Fiduciaries therefore need to determine the ground for processing children's personal data with caution.
- Another major issue faced by data fiduciaries is establishing an authentic guardianship relationship with the child before obtaining the guardian's consent for processing the child's personal data. Mechanisms that seek additional proof of guardianship may play a role here, especially considering the different guardianship laws in the country.
- The additional authorizations and documentation required for obtaining verifiable parental consent tend to defeat the data minimization principle. It will be challenging for entities to strike a balance between the data minimization principle and the lawfulness principle.
The government will be introducing rules that may provide some guidance on resolving the above complexities. Reports suggest that the government is consulting stakeholders to find a solution and aims to address these issues using the best available technologies, such as Aadhaar authentication, DigiLocker or a one-time electronic token for age verification of the child.
Meanwhile, since the requirement of obtaining verifiable parental consent is not new, we highlight how different jurisdictions comply with this requirement in practice, to provide some direction to industry stakeholders in India.
PARENTAL CONSENT: INDUSTRY PRACTICES AROUND THE WORLD
The requirement of obtaining verifiable parental consent spans multiple jurisdictions that have data protection laws in place. Practices followed there can therefore serve as guidance for data fiduciaries in India, notwithstanding that different jurisdictions define childhood by different ages.
The General Data Protection Regulation, 2016 (“GDPR”) requires controllers to make reasonable efforts, based on available technology, to verify that consent has been given by the parent.[4] The threshold of verification should be proportionate to the inherent risk involved in processing the child's personal data. For instance, verification through email may be sufficient for low-risk cases, while incremental proof may be required in high-risk cases, e.g., by way of government IDs or a €0.01 authentication transaction through the parent's bank account. Alternative means of authentication should be provided to avoid undue discrimination against people who do not have a bank account. Companies could also incorporate multi-factor authentication where the risk is higher. The controller only has to demonstrate that it made reasonable efforts to obtain valid parental consent, recognizing that obtaining such consent can sometimes be challenging. Consent renewal may also be required once the child reaches the age of majority.[5]
In South Korea, a personal information controller has to obtain consent from the legal representative of the child and also has to confirm that the legal representative has granted such consent.[6] The legal representative can indicate consent, and the personal information controller may be required to inform and confirm such indication by[7]:
- confirming over a mobile text message that the representative has provided consent over the online platform;
- receiving the credit or debit card information of the legal representative;
- verifying the identity of the legal representative via the identity verification process on the legal representative's mobile phone, etc.;
- conveying the consent form through email or fax, and having the representative sign or affix a seal against the consent items or respond to the email with their consent; or
- obtaining consent over a phone call, or through a specified email or web address where the legal representative can convey their consent.
The Singapore Personal Data Protection Act (PDPA), 2012 has no specific provisions for processing children's personal data. However, it provides that an organisation may collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances, or on the basis of consent.[8] The Personal Data Protection Commission (PDPC) in Singapore has accepted that children's personal data is sensitive in nature.[9] In furtherance of this, the PDPC has published guidelines[10] for organisations processing children's personal data in a digital environment. The guidelines place children in two categories, i.e., (i) below 13 years of age and (ii) between 13 and 17 years of age. The latter can provide valid consent if the privacy policies and consent requirements are readily understandable to them. Alternatively, an organisation may set a higher age threshold based on its business model and its own judgement. The PDPC has adopted a principles-based approach to what is reasonable when collecting, using or disclosing a child's personal data. The Code of Practice for Online Safety[11] in Singapore provides further guidance on what is considered unreasonable processing of children's personal data. The PDPC supports organisations adopting age assurance methods such as age verification and age estimation. The PDPC accepts that profiles of children may have to be created to ascertain the age or age range of a child by means of behavioural or telemetry data, but this should be subject to data minimisation principles, and the processing of such profiles should be limited to specified purposes.
Similarly, several other jurisdictions also provide for a parental consent requirement in different forms. For instance, China's Personal Information Protection Law (PIPL)[12] requires the consent of the parent/guardian if the information of a child below 14 years of age is processed, and personal information processors are required to formulate special personal information processing rules for handling children's personal data. Brazil's General Data Protection Law (LGPD)[13] requires prominent consent from the parent or guardian when processing children's personal data, with the consent to be obtained based on available technology.
COMPLIANCE: A NECESSARY EVIL
Many entities have been penalized, especially under the GDPR, for non-compliance with the children's data processing requirements. Penalties of EUR 750,000, EUR 14,500,000 and EUR 345,000,000 were imposed on TikTok by the Dutch[14], English[15] and Irish[16] Data Protection Authorities respectively for defaulting on the children's personal data processing requirements. Similarly, the Secondary Education Board of the Skelleftea Municipality, Sweden was fined SEK 200,000 for improper use of facial recognition technology to record the attendance of children in a class.[17] The DPDPA in India imposes a penalty of up to INR 200 crore (~USD 24 million) for non-compliance with the additional obligations in relation to children. This aggravates the situation for multinationals, which may be penalized in multiple jurisdictions if their non-compliance comes to light. It therefore becomes particularly important for entities either to comply with the requirements for processing children's personal data or to disclaim such processing and ensure that they do not process personal data relating to children.
Authors: Vikash Kukreti, Partner (vkukreti@luthra.com) and Gaurav Tiwari, Associate (gtiwari@luthra.com) at Luthra And Luthra Law Offices. Views are personal.
[1] Section 2(f), Digital Personal Data Protection Act, 2023
[2] Section 10, Digital Personal Data Protection Act, 2023
[3] Section 4, Digital Personal Data Protection Act, 2023
[4] Article 8; Recital 38, General Data Protection Regulation, 2016 (Europe)
[5] European Data Protection Board, Guidelines on Consent
[6] Article 22-2, Personal Information Protection Act, 2011 (South Korea)
[7] Article 17-2, Enforcement Decree of the Personal Information Protection Act, 2011 (South Korea)
[8] Section 18, Personal Data Protection Act, 2012 (Singapore)
[9] Singapore Taekwondo Federation [2018] SGPDPC 17 at [21]-[27]. The PDPC considered the treatment of minors' personal data in other jurisdictions and concluded that, “[a]gainst this backdrop, minors' personal data would typically be of a more sensitive nature…”
[10] Advisory Guidelines on the PDPA (Singapore) for Children's Personal Data in the Digital Environment, 2024
[11] Issued under the Broadcasting Act 1994 (Singapore)
[12] Article 13, Personal Information Protection Law, 2021 (China)
[13] Article 14, General Data Protection Law, 2018 (Brazil)