Privacy of children will require special protection not just in the context of the virtual world, but also the real world. The digital life of children is created long before their birth and stays with them through their life cycle. Children often do not understand the principles and dangers of sharing personal information, which is often the basis of seeking any digital service. This was rightly emphasized by the Hon'ble Apex Court while declaring the Right to Privacy a fundamental right in the case of K.S. Puttaswamy vs. Union of India.[1]
In today's rapidly evolving digital era, children's personal data has become a critical concern. With children increasingly using online services, their data is collected, processed and sometimes exploited without adequate protections, raising serious privacy issues.
The Digital Personal Data Protection (DPDP) Act, 2023 in India provides a comprehensive framework that seeks to protect personal data, including that of children. Recognizing that children are more vulnerable to privacy risks, the Act mandates special provisions to ensure their data is handled with utmost care and sensitivity.
Now, before delving into the specifics of the law's provisions for children's data, it is essential to define what is meant by "children's personal data" and what types of information are included under this category.
What is Children's Personal Data?
Section 2(f) of the Digital Personal Data Protection Act, 2023 defines a child as "an individual who has not completed the age of eighteen years."
Children's Personal Data refers to any information related to a child, as defined by law, that can be used to identify them, either directly or indirectly. This includes, but is not limited to, information such as name, address, date of birth, biometric data, educational records, and any other data that could potentially identify a child or provide insight into their activities. Given the diverse nature of children's online activities, the types of data collected vary widely.
Understanding the DPDP law requires an in-depth analysis of the three pivotal elements involved, i.e., the Data Principal, the Data Fiduciary and the Data Processor. Each of them plays a significant part in the lifecycle of personal data.
Data Principal
means the individual to whom the data relates. In the case of children's data, the Data Principal is the child. However, since children are often incapable of understanding the relevance of data privacy concerns, their parents or legal guardian, as the case may be, act as Data Principal on their behalf.
For instance, when a child signs up for an online e-learning platform, the parent/legal guardian acts as Data Principal, who usually provides information like the child's name, age or academic performance and consents to the data being collected and used by the platform.
Data Fiduciary
means an entity, typically an organisation or business, that determines the purpose and means of processing personal data. In simpler terms, they are the ones responsible for collecting, storing and processing personal data.
For instance, when a child uses a social media app, the social media company that collects and processes the child's data is a Data Fiduciary. It is the responsibility of the Data Fiduciary to ensure that the limited data so collected is used only for the specified purpose and is not misused, and that proper consent is obtained from the child's parent or guardian.
Data Processor
means any person or entity who processes the personal data so collected on behalf of the Data Fiduciary. For instance, if an EdTech company hires a third-party service provider to manage its children's database, then the service provider so appointed acts as the Data Processor. It is the responsibility of the Data Processor to comply with the instructions of the Data Fiduciary.
Industries Handling Children's Data
Different industries deal with children's data in different ways, such as:
- EdTech Companies: A study commissioned by the National Commission for Protection of Child Rights in India in 2021 found that 30.2% of children in the age group of 8-18 years used a smartphone or a device connected to the internet for online learning and classes.[2] These EdTech companies collect extensive personal data of children, including academic records, learning patterns, personal information, etc., and process it to tailor personalized learning experiences. At the same time, this also raises concerns about how the data collected is stored, shared and protected.
- Social Media and Gaming Platforms: Social media platforms often attract young users who may not fully understand the implications of sharing personal information online. Google and Facebook receive more than half of all data collected from children's apps, a study by data privacy services company Arrka has found.[3] Google is the leading recipient, collecting 33% of the data collected from such apps, followed by Facebook at 22%, as per the study that covered 60 children's Android applications across nine categories including games, edtech, school, coding, and childcare. Further, 85% of the surveyed apps had accessed at least one "dangerous permission", i.e., permission for collecting highly sensitive data, the misuse of which can cause harm to children.
- E-commerce: Websites targeting a younger audience often collect data related to browsing history, purchasing patterns, etc., making it crucial to ensure robust data protection practices. According to a Harvard study, social media platforms generated $11 billion in revenue in 2022 from advertising directed at children and teenagers, including nearly $2 billion in ad profits derived from users aged 12 and under.[4]
"Although social media platforms may claim that they can self-regulate their practices to reduce the harms to young people, they have yet to do so, and our study suggests they have overwhelming financial incentives to continue to delay taking meaningful steps to protect children," said one of the authors of the study and a professor of social and behavioral sciences at the Harvard T.H. School of Public Health.
Compliances for Children's Data
The DPDP Act seeks to address the unique challenges posed by industries collecting children's data, by establishing clear guidelines and obligations for the collection, processing and storage of children's data. Some key obligations have been outlined below:
- Verifiable Parental Consent: Under Section 9 of the DPDP Act, prior to collecting or processing any personal data related to a child, it is important to obtain verifiable parental consent from the child's parent or legal guardian, as the case may be. It is important to ensure that the consent given is free, specific, informed, unconditional and unambiguous, with a clear affirmative action.
It has been recently reported that the National Commission for Protection of Child Rights (NCPCR) is poised to address the Ministry of Electronics and Information Technology (MeitY) with a crucial recommendation concerning the upcoming DPDP Rules. According to the NCPCR Chairperson, the Commission plans to suggest that the draft rules include specific methods for verifying parental or guardian consent when utilizing children's data.[5]
This move follows a recent meeting conducted on August 13, 2024 with social media executives, where NCPCR Chairperson Mr. Priyank Kanoongo emphasized the necessity of implementing Know Your Customer (KYC) procedures for verifying the identity and age of children online. The Chairperson drew a parallel between the stringent verification processes in banking and those needed for social media platforms to ensure child safety. The NCPCR aims to submit a formal letter to MeitY by August 21, 2024 advocating a KYC-based system to enhance the protection of children's personal data in accordance with the DPDP Act.[6]
- Purpose Limitation: The data so collected should be used only for the specified purpose for which consent has been obtained. No additional data should be collected unless absolutely required.
- Ensure Well-being: It is the responsibility of the Data Fiduciary to ensure that it does not undertake processing of any personal data that is likely to cause any detrimental effect on the well-being of a child.[7]
On June 07, 2024, the Governor of the State of New York celebrated the legislative passage of two nation-leading bills to protect kids online. One is the Stop Addictive Feeds Exploitation (SAFE) for Kids Act, which aims to curtail a child's access to addictive feeds on social media, and the other is the New York Child Data Protection Act, which seeks to protect children's personal data. "Children are enduring a mental health crisis, and social media is fueling the fire and profiting from the epidemic", as rightly remarked by the New York State Attorney General. To know more about these legislations, kindly refer to our article titled "SAFE for Kids Act: Protecting Young Users from harmful social media feeds."[8]
- No tracking or advertisement: Section 9(3) of the DPDP Act explicitly prohibits Data Fiduciaries from undertaking tracking, profiling or behavioral monitoring of children or targeted advertising directed at children.
Case: The Google Chromebook case concerns children's data safety and involves allegations that Google violated privacy laws by collecting and storing the personal data of students without obtaining parental consent, through its Chromebooks and G Suite for Education services. The issue began in 2019 when a concerned parent from Helsingor Municipality lodged a complaint, arguing that the school had failed to implement adequate measures to protect their child's personal information while using these digital tools in the classroom.[9] In September 2021, the Danish Data Protection Authority (DPA) concluded that Helsingor Municipality had failed to adequately assess the risks associated with using Google Chromebooks in schools, particularly in regard to the personal data of children. As a result, an injunction was issued mandating the Municipality to conduct a thorough risk assessment of the data processing activities involved in the use of Google Chromebooks and Workspace. In a subsequent decision in July 2022, the DPA took further action by banning the processing of personal data within the Municipality. The prohibition would remain in effect until the Municipality provided sufficient documentation demonstrating that its data processing activities complied with the GDPR.
In its latest decision on January 30, 2024, the DPA evaluated whether the Municipality had established a legal basis for sharing children's personal data with Google, as outlined in the data processing agreements and related commercial contracts. The DPA concluded that there was insufficient legal justification for the data processing activities in question. Consequently, the DPA ordered Helsingor Municipality to either establish a lawful basis for the processing of personal data or cease using Google Chromebooks altogether. Furthermore, the Municipality has been given a deadline of August 24, 2024 to comply with the injunction.[10]
- Retention: Children's data should be retained only for the period necessary to fulfil the purpose for which it was collected. Organisations must refrain from storing data when it is no longer needed for the original purpose.
- Right to Correction: Upon receiving a request for correction, completion or updating from a Data Principal, it is the responsibility of the Data Fiduciary to correct the inaccurate or misleading personal data, complete the incomplete personal data, and update the personal data.[11]
- Right to Erasure: In case the Data Principal makes a request to the Data Fiduciary for erasure of his/her personal data, the Data Fiduciary, upon receipt of such request, shall erase the personal data unless retention of the same is necessary for the specified purpose or for compliance with any law for the time being in force.
- Right to Withdraw: The Data Principal shall have the right to withdraw his/her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given. And, if the Data Principal withdraws her consent to the processing of personal data of a child, the Data Fiduciary shall within a reasonable time, cease and cause its Data Processors to cease processing the personal data of such Data Principal unless such processing without her consent is required or authorised under the provisions of DPDP Act or the rules made thereunder or any other law for the time being in force.
- Accuracy: The Data Fiduciary processing such personal data of a child shall ensure its completeness, accuracy and consistency.
- Security Measures: It is mandatory for Data Fiduciaries to implement reasonable security, technical and organizational measures, particularly to prevent personal data breaches and security incidents, in compliance with the data privacy policy in India.
Penalties
Failing to comply with the regulations on children's data may result in significant penalties for organisations, including:
- Monetary Penalty: Breach in observance of obligations in relation to children as specified above may result in hefty penalties which may extend to two hundred crore rupees.
- Reputational Loss: Data breaches and non-compliance can severely damage an organisation's reputation, leading to loss of trust, clients and business opportunities.
- Legal Consequences: Legal action may be taken against organisations for failing to protect children's personal data, resulting in litigation costs and damages.
Hence, it is essential for organisations dealing with children's data to comply with the data protection law to not only avoid legal penalties but also to build trust with customers and stakeholders. By adhering to these regulations, organisations can ensure that they respect children's privacy and safeguard their personal information from misuse.
Global Scenario
The General Data Protection Regulation (GDPR), the EU's comprehensive data privacy law, has established a rigorous framework for data protection and has become a global benchmark. The GDPR imposes strict obligations on companies handling children's data and has not hesitated to levy substantial fines against those that fail to comply with its stringent requirements.
It was reported in the year 2023 that the European Union regulator had imposed a substantial fine of 345 million euros on a video sharing app for failing to adequately verify the parental consent of users, and for violating Europe's strict data privacy rules, particularly those pertaining to the processing of children's personal data.[12] This was not the first time that a social media platform was subject to a penalty.
Similarly, on September 02, 2022, a hefty penalty amounting to 405 million euros was imposed by the Irish Data Protection Commission (DPC) on a Meta-owned social media platform for contravening the privacy of children under the GDPR.[13] It was found that the platform did not implement sufficient measures to protect the data of minors, particularly with regard to public profiles and the associated risks.
Case: Microsoft violating Children's Privacy
Recently, in 2024, Microsoft was caught up in a controversy concerning the privacy of children.
On June 04, 2024, two complaints were filed by the privacy advocacy group None of Your Business (noyb) against the big-tech company, alleging that it violated the privacy rights of school children with its Microsoft 365 Education offering to educational institutions.
It was alleged that Microsoft collected personal information from children without getting proper consent from their parents. When children sought to exercise their GDPR rights, Microsoft attempted to divert responsibility onto local schools by claiming that schools were the "controllers" of the data. However, schools have little to no control over the actual data processing systems managed by Microsoft. Instead, they often faced a "take-it-or-leave-it" situation, where all decision-making power and profits lay with Microsoft.
"This take-it-or-leave-it approach by software vendors such as Microsoft is shifting all GDPR responsibilities to schools," said a data protection lawyer at noyb. "Microsoft holds all the key information about data processing in its software, but is pointing the finger at schools when it comes to exercising rights. Schools have no way of complying with the transparency and information obligations."[14]
Another significant privacy issue concerns the installation of cookies by Microsoft, which track user behavior, collect browser data and use the collected data for advertising purposes. This tracking occurs despite the lack of consent from users and often without the knowledge of the schools involved. These practices enable invasive profiling, thereby violating the GDPR, and are especially concerning given the vulnerable nature of the student population.
The data protection lawyer at noyb highlighted the troubling nature of Microsoft's data handling practices, which are likely to affect hundreds of thousands of students in the EU and the European Economic Area (EEA). Hence, this calls for regulatory authorities to take decisive action to enforce the rights of minors and ensure compliance with GDPR provisions.
Given the widespread use of Microsoft 365 Education, noyb approached the Austrian Data Protection Authority (DSB) to conduct a thorough investigation into the data processing activities of Microsoft which includes analyzing what data is being collected, how it is being used and ensuring transparency in accordance with GDPR.
Footnotes
1. https://indiankanoon.org/doc/127517806/
2. https://timesofindia.indiatimes.com/blogs/voices/shepherding-children-in-the-digital-age/
7. Refer to Section 9(2) of the DPDP Act.
8. https://ssrana.in/articles/safe-for-kids-act-law-protecting-young-users-harmful-social-media-feeds/
10. https://www.complycloud.com/blog-en/google-chromebook-the-case-that-became-a-saga/
11. Refer to Section 12 of the DPDP Act.
12. https://ssrana.in/articles/tiktoks-liability-violation-of-childrens-data/
13. https://www.nytimes.com/2022/09/05/business/meta-children-data-protection-europe.html
14. https://thecyberexpress.com/european-center-for-digital-rights-microsoft/
For further information please contact at S.S Rana & Co. email: info@ssrana.in or call at (+91- 11 4012 3000). Our website can be accessed at www.ssrana.in