Rooting for stringent safeguards around children's personal data, the Justice Srikrishna panel has suggested that data collectors or users capable of causing "significant harm" to children be identified as 'guardian data fiduciaries' and be barred from any profiling, tracking, targeted advertising or processing of personal information that can be harmful for them.
Rooting for stringent safeguards around children’s personal data, the Justice Srikrishna panel has suggested that data collectors or users capable of causing “significant harm” to children be identified as ‘guardian data fiduciaries’ and be barred from any profiling, tracking, targeted advertising or processing of personal information that can be harmful for them.
These and other recommendations pertaining to protection of children’s personal data will have wide ramifications for companies that offer services targeting kids. They will also put a stop to unbridled, and often opaque, practices of collection and processing of data by companies. As per the Justice Srikrishna committee, an individual below the age of eighteen years will be considered a child for the purpose of data protection.
Together, the recommendations of the committee along with the provisions of the draft personal data protection Bill seek to tackle the data-related issue concerning children, who interestingly account for a third of the total internet users, as per the report.
“Guardian data fiduciaries shall be barred from profiling, tracking, or behavioural monitoring of, or targeted advertising directed at, children and undertaking any other processing of personal data that can cause significant harm to the child,” the draft Bill proposes.
The ‘harm’ may be tangible, that is physical or reputational harm, or intangible, in terms of loss of autonomy, the panel noted. It said that planned Data Protection Authority of India (DPA) should be armed with powers to notify data fiduciaries who operate commercial websites or online services directed at children, or those who process large chunks of personal data of children as ‘guardian data fiduciaries’.
Explaining the realm of data fiduciaries (loosely, data collectors) who have access to children-related information, it said, “At present, the Committee understands that there are two categories of data fiduciaries who may be processing personal data of children: first, services offered primarily to children (eg YouTube Kids app, Hot Wheels, Walt Disney); second, social media services (eg Facebook, Instagram).”
The panel underscored the need for greater protection of personal data of children, saying that the justification for such differential treatment arises from the recognition that children are unable to fully comprehend the consequences of their actions, and that matters are further compounded by complex consent forms and non-transparent data collection practices that occur in the digital world.
“All data fiduciaries (including guardian data fiduciaries) shall adopt appropriate age verification mechanism and obtain parental consent. Furthermore, guardian data fiduciaries, specifically, shall be barred from certain practices. Guardian data fiduciaries exclusively offering counselling services or other similar services will not be required to take parental consent,” it said.
Data fiduciaries have a general obligation to ensure that processing is undertaken keeping the best interests of the child in mind, the report added.