NEW DELHI :
Industry experts prefer a graded approach to the ‘age of consent’ clause in the personal data protection (PDP) bill that is currently being reviewed by a joint parliamentary committee.
The PDP bill has put the onus of monitoring internet use by minors on companies providing internet-based services and products. But tech industry experts feel that a graded approach, which is followed in the UK, should be implemented instead of imposing a blanket age-restriction of 18 years.
The parliamentary committee, headed by the BJP’s Meenakshi Lekhi, was tasked with a short deadline to finalize the draft law before the budget session of 2020, and has sought more time to study the bill and consult stakeholders. According to policy experts who spoke to Mint, the language in the bill is often ambiguous, which will make it difficult for corporations to comply with its provisions.
Industry professionals feel that the bill in its current form could also end up significantly restricting online learning for children. “The proposed age of consent at 18 is far higher than what other comparable privacy laws across the world prescribe. And over reliance on parents’ or guardians’ consent is too burdensome and goes against the fundamental principles of what the Justice Srikrishna Committee said,” said a senior policy analyst, requesting anonymity.
The Srikrishna Committee said platforms must be responsible for making their privacy policies easy to understand for users.
The bill also asks for age verification for minors, which experts said could lead to massive data collection. They said this could require platforms to take and store identity verification data, which makes it vulnerable to cybersecurity risks. They said there needs to be guidance on how such data can be disposed of or used.
“If you look at laws like Europe’s General Data Protection Regulations (GDPR), it provides a sliding scale, where you need approval from your parents if you’re under the age of 13. For children between 13 to 16 years of age, countries have discretion for when they want to enforce restrictions,” said another policy professional from a big tech firm.
He explained that while this is usually enforced by asking users to enter their age during sign-up, children frequently don’t enter the right age. “This has been a problem for the internet but is also really hard to do without requiring age proof.”
Age proof could include things like Aadhaar card, and storing such data creates more security risks. He also pointed out that the UK had trouble implementing a nationwide age verification system online, and finally abandoned the system in 2019.
“The age limit of 18 will quite radically disrupt the internet ecosystem in India, because it simply has not been followed,” said the person mentioned above, citing that the bill wouldn’t just apply for new users but also existing ones who are under the age of 18. “At the moment, companies solve this problem by putting language in their terms and conditions, which passes the responsibility back to the user instead of the platform.”
Pallavi Bedi, senior policy officer at the Centre for Internet Society (CIS) and independent researcher and policy advisor Aakriti Gaur said putting the age restrictions at 18 likely links to India’s Contracts Act, which bars minors from entering into any contract without parental guidance.
“I think this is added to have some responsibility imposed on the data controller (the platforms), so that users know what they’re getting into,” Gaur said.
“There’s also a guardian data fiduciary provision in the PDP, which shows that the idea was to have platforms equip children with more tools than they do for adults,” Gaur added. The PDP bill defines guardian data fiduciaries as any organization that operates commercial websites and online services, or processes large volumes of personal data of children, which experts think is a very broad definition.
Bedi said that if the PDP is to take a new approach, the government might have to amend the Contracts Act too.