Data Protection of Children in India: A Policy Review

Children constitute a major part of users on the internet today (1/3)[1]. They being minors do not understand the importance of protecting their data as they wish to follow the latest trend online. Therefore, parents and guardians all around the globe are concerned about their children’s data and the data that is given to data fiduciaries which may negatively impact the privacy of their children.

Schools and colleges are engaged in the admission process where they collect the data of the students and storing it. Moreover, platforms like YouTube, Facebook, and Instagram are some commercial websites which process the data of children as from a very young age children are inclined to be present on these social media platforms. Therefore, they all can be understood as data fiduciaries according to Personal Data Protection Bill, 2019

Therefore, this article tries to analyze that how the schools and colleges are to be understood as data fiduciaries and the obligations incorporated in the Personal Data Protection Bill, 2019 as school are a starting point of processing of an individual’s data.

India presently does not have any data protection laws for protecting children’s data, but the Information Technology Act 2000 puts some restriction on processing of personal data of the principal. The Personal Data Protection Bill, 2019 is the first which specifically lays down provisions to protect data of children[2]. It is important to define children; the Indian Contract Act specifies the age to become a major as attaining the age of 18 and before that for all acts a guardian is present for the minors. The SriKrishna committee report also states that till the child attains the age of 18 their consent in regard to privacy would be given by their parents or guardian. There is less doubt that the schools and colleges are to be considered as data fiduciaries as per the definition under section 2(13) of the bill. Section 2(31) which defines processing of data, Schools and colleges fit perfectly in the definition of the section as they collect, record, organize and store the data of all the application forms they receive after which they use it to give admissions to the students. Moreover during the entire period students’ study in the school, they collect their academic, medical and other records continuously. The schools hence will be obligated to fulfill the obligations of the data fiduciaries provided under section 4-11 in the bill that is to take proper consent before of the principal, and to maintain accountability and transparency as provided under section 22 to 32.

The Data Protection Authority can grant the status of a Guardian Data Fiduciary to a school under section 16(4) as they process large volumes of data of children. As a guardian data fiduciary, the schools are to be barred from profiling, tracking or behaviorally monitoring or targeted advertising directed at children[3]. This although prevents the gaming and the commerce sector from exploiting the children but it will also hamper the educational growth of children as the educational institutions will not be able to get the benefit of online advertisements which at times opens a plethora of choices. This also stops the school from tracking what the student has been doing on the school computer which at times also may have a negative impact as students at times may indulge in activities online which are unpleasant.

Moreover, there is still ambiguity as to how the guardian data fiduciary will apply to the child counseling or child protection services as the DPA will specify such regulations therefore even after the implementation of the act begins counselors and child protective agencies may be exempted till the rules are specified.

With this change the schools and colleges will have to change their admission process and the way the data of their students is stored with them as they will be obligated to fulfill all requirements under the bill.

The schools in their admission form will have to state the purpose as to why they require the information and require consent for the same in clear and simple language. Although a notification[4] by the DoE for the same has been issued as to what information is to be taken by the schools during admissions but it has been challenged in the high court and has still not been decided. The burden of proof of informed consent is on the school to prove. The question remains that if the parents or the guardians during the admission process deny giving their consent or want changes in the details can the school deny admission to those students.

Schools and Colleges will also require a policy of updating the data [5]and complete erasure [6]of the data once the students have graduated or the purpose of collecting the information has been fulfilled. Moreover, the students who are not admitted their data should also be erased or destroyed within a reasonable period of time. It raises another question as a student’s data will be continuously be collected and during the transfer of student from one school to other will all the data be transferred or the child or their parents will have a right to erase certain aspects of information from such transfer? Although this should not be allowed as the students will try to remove disciplinary actions against them which is unethical but according to the bill the data belongs to the data principal therefore debate is required on this question.

Schools and colleges also collect and store students’ medical records, but they are not allowed to process and share such data as it may cause significant harms to the child. But still during a medical emergency and for the public good such medical data of children can be shared with the government[7].

With the rise of online education and use of more online platforms for education there is a much required need for such a bill where the privacy and data of children can be protected. Though there are ambiguities in the bill, but it still tries to inculcate many important guidelines and standards for processing of children’s data.

References [1] Dorde Krivokapic and Jelena Adamovic, Impact of General Data Protection Regulation on Children's Rights in Digital Environment, Year LXIV(3) Belgrade Law Review 3 (2016) referring to S. Livingstone et al., One in three: internet governance and children's rights, The Global Commission on Internet Governance, Paper Series No. 22 (2015); further, see The State of the World‘s Children 2017: Children in a Digital World, UNICEF (2017). [2] Section 16, Personal Data Protection Bill, 2019. [3] Section 16(5), Personal Data Protection Bill, 2019. [4] http://www.edudel.nic.in/upload/upload_2017_18/29777_788_dt_27112018.PDF [5] Section 18, Personal Data Protection Bill, 2019. [6] Section 20, Personal Data Protection Bill, 2019. [7] Section 12(e), Personal Data Protection Bill, 2019.

About Author

Nishant Goyal

A final year law student at OP Jindal Global University.