Online privacy rights
Image Source - https://rb.gy/c4xajh

The article is written by Naman Sherstra from the Department of Law, University of Calcutta. The arising data privacy issues and the rights of children in the era of digitalization are discussed in the article.

Introduction

In recent years, India has witnessed many deaths of children due to online gaming like Blue Whale, Pubg, etc. The 21st-century era brought fast change in phones and internet connectivity, it came up with new social media sites where people can virtually connect and interchange their ideas. The internet world flooded with various kinds of social media apps like Facebook, Instagram, gaming apps like Pubg and entertainment apps like Tiktok. The disrupted high data speed of 4G (LTE) is responsible for all such changes. 

According to data published by the Internet and Mobile Association of India, children of age group 5-11 years accounts for 14 percent (71 million) of the total active user internet base in India. A total internet users between the age group 5-18 stand approx 472 million. However, new technologies always bring new threats. The children of such age groups undergo physical and mental development where they don’t have any idea about their data privacy rights and ongoing threats. The higher increasing internet use has exposed the children’s online privacy into cyber threats like bullying, fishing, and malware attacks. 

Download Now

Recently in Aadhar judgment, the Supreme Court recognised the “Right to Privacy” as an intrinsic part of the right to life and personal liberty provided under Article 21 of the Constitution of India. It argumentatively encompasses the “Online right to privacy” under the aforesaid article. Now, the major question arises: Does India have its online data privacy laws for children? The answer is no, except for the few provisions provided under the Information Technology Act, 2000. The State has the liability to ensure the protection of children’s right to privacy in the fast-growing world. The absence of such law shall expose the children’s right directly to the cybercriminals henceforth providing them a blanket safety. 

Children’s right in the age of digital media

Big data is a term that comprises information in the form of images, videos, statistics. The source of these data is news channels, online portals, social media platforms, satellite images, and the videos collected by different online portals like YouTube, Instagram, and other video channels. These data are not only generated by these techno giants, but different countries like India also release statistical data for different purposes. The use of data is not only restricted as a technological phenomenon but it is also related to the socio-cultural dimension, having its applicability in different domains from education, technology, work, and judicial system also. These data are stored by government or private institutions for different purposes like education, welfare, and comparative analysis. Technological companies like Google and Microsoft use customer data to improve their services. Online retail companies use the customer data for the promotion of their goods and services.

However, the storage of private data of anyone is subjected to freedom and privacy. The larger and reputable companies have privacy terms and conditions regarding the safety of such data.

The safety of these data depends upon the technical skills, safety concerns, and expertise of the agencies who store such data for their own purposes. There is an identity of a person over the internet which is called digital identity. The digital identity of a person comprises of his religious details, employment status, marital status, biometrics, sex, caste race, personal images, videos, and passwords too. So, the agencies might have your digital identities having more or more details mentioned above.

Children in the modern world are more exposed to the internet due to various activities essentially forming a part of their life. From online entertainment like gaming and web series platforms to online education and social media interaction, children leave their digital footprints everywhere unknowingly. Artificial intelligence and online websites encourage the participation of children accessing various services which even ease off their studies and projects. However, behind the digital world, the children are not mature enough to understand the broad term of “online privacy”. They deem online privacy a term to get enclosed and make a distance from their parents without letting them know the websites and the platforms they are using and visiting. Amidst such issues, legal complications also arise. The children are legally minors and hence are mentally prepared to provide consent to the big data stakeholders to store their “digital identities”. Parental consent is necessary for storing the children’s data. So the low consciousness, lack of knowledge about online data privacy let the children be exposed to cyber threats like data theft, cyberbullying, etc. In the growing digital environment and increasing participation of Children, it has become necessary to protect their “right to privacy”. Today, the state must ensure the right to participation of the children and ensure their right to privacy from commercial actors, peers without putting any kind of restrictions over them.

International legal provisions regarding protection of children’s internet privacy

Children’s Online Privacy Protection Act (USA)

Recently, in the United States, Youtube was fined 170 million dollars for illegally collecting children’s data without parental consent. The United States of America has enacted its children’s privacy protection laws back in 2000 namely Children’s Online Privacy Protection Act (COPPA). It empowered the Federal Trade Commission to make and enact regulations for the protection and enactment of the regulations dealing with Children’s online privacy. The COPPA regulates the collection of data from children who come under the age group of 13. The law protects the children’s privacy by restricting the operators of online websites and commercial service to collect any kind of data of the children coming under the age group of 13 without their parental consent. The said law also applies to the third-party advertising agencies when they have “actual knowledge” about the collection of personal data of children under age 13 from any other online websites or online services. However, the extent of COPPA does not directly apply to the non-profitable organisation and the education institutions directly. But it applies to the third party providing online support in education in schools. In such conditions, the schools play the role of parents and provide consent for the access of any kind of data on the terms and conditions of COPPA.

Cyber protection of Children’s Personal Information (China)

The Cyberspace Administration of China enacted a law called “Cyber Protection of Children’s Personal Information” for the protection of the online privacy of the children. There are provisions in the Act where the network operators shall have to maintain the righteousness, definite purpose and guaranteed security while collecting, transferring or disclosing any kind of data. The law is applicable only to children under the age group of 14 to the territory of mainland China. The “network operator” term used under the Act refers to all network operators, website, and app operators. Under Article 9 of the Act, the network operators shall have to obtain parental consent before collecting, using, and transferring any kind of children’s personal information. The guardian and the children are entitled to request the operator for deletion and change in any kind of data stored in case it is found erroneous. With the addition, the Guardian shall also have the right to withdraw consent altogether. In case of any kind of threat of data breach, the network operator shall notify the guardian regarding such threat through email, telephone or push notification. If the network operator violates any kind of provisions in the Act, it will attract several criminal penalties.

General Data Protection Regulation (GDPR) (EU)

General Data Protection Regulation or GDPR refers to the world’s strongest set of data protection laws which regulates the data shared by the people to the organisations and the safety, privacy, concern to be taken by them regarding such data. The US law COPPA and China’s children’s privacy protection laws are drawn on the basis of the GDPR. This regulation was enacted in the year across 28 European Union member states regarding the protection of data from any kind of breach. GDPR provides the citizens of the EU nations control over their data used for business purposes by the organisations so that the citizens can bloom with the businesses in the European Union. GDPR works on seven principles which are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability.[3] The GDPR sets the liability over controllers and processors of data of an organisation to collect the data from the data owner legally and secure it from any kind of data breach.

With regard to the right to privacy of children, the provisions of GDPR states that the processing of personal data of a child shall be legal where the children are aged 16. In case children are under 16, the processing of data shall be lawful only after the consent given by the parent or the authority. The lower age of the children under the law is 13 years.

Incidences in India that exposed the vulnerabilities of children’s data privacy

In recent years several incidents have happened in India that have exposed the online privacy of the children. Two years before havoc of Blue whale game had appeared in the online gaming world where several children had committed suicide in Indian states because it was a part of the task to be done in the game. The administrator extracted the digital identities of the children and threatened the children on any step they refused to fulfil the tasks. Due to lack of proper laws on the protection of online privacy, the Courts had to intervene in ordering the removal of apps from the Google play store. Recently a music and video creativity app, Tiktok was fined by the United States federation trade commission (FTC) for irregularities in collecting the personal data of Children under 13 years without parental consent. Once, the Madras High Court had asked the Central government to put ban on the above-said app due to allegations over spreading pornography and nudity content. Again, lack of cyber laws protecting the online rights of children put a blanket safety over the application, and Tik Tok was saved. A similar incident happened when Tik tok was again questioned by the National Commission for Women, a quasi-judicial body for promoting acid attack videos. Such incidents have exposed how the lack of appropriate laws have let the children’s right to online privacy succumb to such online applications.

UNICEF India’s Child Online Protection in India Report, 2016

In the year 2016, UNICEF released a report on the increasing internet users emphasizing the Children’ users, flagging the increasing threats of cybercrime and the lacunae in existing laws. UNICEF in its report cited the increasing number of children users in India and cited the need for cyber laws or any kind of law like COPPA and GDPR in the USA and EU respectively. The report included increasing crimes like cyberbullying, stalking, phishing, and data breach showing that the Indian administration is technically unequipped to deal with such kinds of crimes. The report also sought a stringent law to be brought by the government for the protection of children’s right to privacy.

The personal data protection bill 2019: provisions protecting children’s online data

The government after a long period of time, tabled its first The Personal Data Protection Bill, 2019  in the Parliament in December 2019. The personal data protection bill seeks to protect the personal data of the individual and establishment of a data protection authority for the same. Chapter IV of the Personal data protection bill provides provisions for the processing of personal data and sensitive personal data of the children. It further provides that the personal data processing shall be done by the government, companies incorporated in India and foreign companies dealing with the personal data, collectively known as “data fiduciary”. Section 16 of the bill lays down the grounds regarding the processing of data. It states that every fiduciary shall process the data in such a manner that serves the best interest of the children, protecting the rights of the children. The data fiduciary shall verify the age of the children and in case of minors shall obtain the parental consent before processing any kind of personal data. This regulation brings the data fiduciaries like online commercial service or website directed to children for educational or large data processing purposes as the “guardian fiduciaries”. The guardian fiduciaries providing counselling or child protection shall be exempted from obtaining parental consent. The provision shall bring the educational institutions and the counselling institutions within the ambit of “guardian fiduciaries”. The Data Protection Authority, a regulating body incorporated under the provisions of the Act shall have the right to protect the interest of individuals and prevent the misuse of data. In case the data fiduciary is found to have indulged in violation or irregularities while processing of data, it shall be punished with a fine of 15 crores or 4 percent of the total annual turnover whichever is higher.

Now, as the bill has struck due to the pandemic, and the bill passes and become a fully-fledged Act, the children’s right to privacy shall be protected under the provided provisions of the Act.  

Flaws in the bill

The government’s step of coming up with the bill protecting the right to the online privacy of individuals including the children is highly commendable but there are some lacunae in the provisions regulating the protection of “Children’s right to online privacy” provided under Part IV of the Act. The points which seem untouched under the aforesaid part are provided below:

  • Section 16(2) of the Act provides the age verification provision of the child for the purpose of obtaining parental consent. The section does in detail speak over the age verification mechanism that whether the age shall be verified by the parents or the child himself.
  • The classification of ”Guardian fiduciaries” as under the Act is interpreted as those data fiduciaries who will process the large data of children including the counselling and the protection service providing organisations. Such data fiduciaries shall have the obligation of protecting the children’s data having a bar on profiling, tracking or monitoring of, or targeted advertising towards the children’s data. The classification of the guardian fiduciaries is only limited to certain obligations as a bar over them. However, this bar is only limited to the “guardian fiduciaries” as provided under the Act. The restriction limited only to the guardian fiduciaries shows that the other data fiduciaries have been exempted from such kinds of acts which further may harm the right to privacy of the children.
  • The ways of protecting the rights of children have not been described broadly. As the Act provides that the data fiduciaries shall have to undergo the parental consent for processing the personal data of “minor”. The term minor is defined under the Indian Majority Act, 1875 as a child not completed 18 years of age. Now, the problem arises that the children at different ages have different concerns regarding parental consent. A 10 years old child may deem suitable to take the parental concern before processing any kind of data but with the growth of ages, the concern with regard to parental consent may change. 
  • Part IV of the Act speaks about the “sensitive” data of the children. However, section 16 under the said part stays silent over any kind of sensitive data.

Recommendations

The developed countries like the United States of America and the People’s Republic of China have their fully-fledged separate laws protecting the online privacy of children. However, the proposed bill has a limited part discussing the protection of the right to online privacy of the children. The above-discussed flaws need to be addressed before enacting the bills. Some of the suggestive measures are as follows-

  • The mentioning of proper age verification mechanisms used by the data fiduciaries for verifying the age of children needs to be addressed.
  • The data fiduciary must be brought under the ambit of Act where the guardian fiduciaries have been barred from profiling tracking or monitoring the children’s data.
  • The “sensitive data” used under part IV needs to be broadly defined under the Act.

However, it would have been a better step if the government would have proposed a separate bill on the protection of online privacy of the children.

Conclusion 

The rise of online internet activities in the modern time has brought a number of threats on the online privacy of the Children. In the absence of stringent legal provisions, the protection of such rights of children seems a daylight dream. However, after the increase in online crimes like cyberbullying, phishing, stalking and the data breaches the government became a little anxious and tabled a data protection bill for the protection of right to the online privacy of the individual, The provisions for the children’s online right was put under part IV of the Act having only one section. If bills seem too short to occupy the proper provisions for children’s online privacy protection, the government should have framed the separate fully-fledged bill like COPPA and CPCPI. The data protection bill was tabled in the parliament in December 2019 and in January the Covid19 pandemic hit the Indian territory, so the data protection bill is under isolation. It shall be again tabled before the “Parliament” followed by presidential assent to become a legislation. 

References


LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join:

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.

LEAVE A REPLY

Please enter your comment!
Please enter your name here