One of the more vexing concerns in this age of ubiquitous and unrelenting data collection is figuring out what should be done to safeguard the privacy of our children online. The draft Personal Data Protection Bill prepared by the Justice Srikrishna Committee attempts to address this issue by requiring those who collect data from children to implement mechanisms for age verification and parental consent. While on the face of it, both these measures seem perfectly reasonable, there are practical problems inherent in each of them that must be carefully considered before the government commits to implementing either.
In the first place, when it comes to age verification, the only reliable method is to check a person’s identity documents. That being the case, it seems inevitable that once the Bill becomes law, internet companies will demand proof of identity from all their users—young and old—before signing them up. This is a fundamental change to the way things are currently done and will radically transform the basis on which much of the internet, as we know it, functions. Today your online identity can, for the most part, be appropriately dissociated from your real world identity. However, once the law requires internet companies to verify the age of all their users, the basic anonymity we have come to cherish will quickly disappear.
What makes this somewhat worse is the fact that the Bill presumes that anyone below the age of 18 is a child. The decision to adopt the age of majority as the threshold seems to have been based solely on the fact that, under law, children below that age have no capacity to contract. It is unfortunate that the committee has seen fit to conflate the legal capacity to contract with the protection of children’s privacy—as if that is the only way in which interactions with the online world can be regulated. Studies have shown that as early as the age of 4, children have both an awareness of self and an ability to reason and compare themselves with others. By the age of 13, they have well-developed opinions about their own personal space and their boundaries. Why then should they have to wait till they are 18 to take decisions about their privacy? The decision to apply the age of majority in this manner is, in my view, ill-advised and just one more unfortunate consequence of the committee’s over-reliance on the edifice of consent.
The deeper consequences of this decision will only be understood when examined in the context of the second stipulation set out in the Bill—that parental consent should be used as an additional measure to protect the privacy of children. Parents are the legal guardians of their children, and it seems reasonable to assume that they will always act in their best interests. In the online context, however, evidence has shown that this is not always the case.
Parents regularly post photographs of their offspring on their own social media streams, usually with the well-meaning intention of sharing their accomplishments with friends and family. In many instances, these posts inadvertently expose their children to significant privacy harms that are next to impossible to subsequently unwind. A study by the University of Michigan has revealed that as many as 56% of the parents surveyed shared potentially embarrassing information about their children online while 51% shared information that could lead to potentially identifying the location of the child. There have even been instances of parents sharing photographs and videos of their children being disciplined in the hope that public shaming will get the recalcitrant child to obey.
Apart from the trauma that must inevitably accompany any public shaming on a medium that never forgets and the fact that location information recklessly shared will likely expose the child to the risk of kidnapping and stalking, even something as innocuous as basic personal information revealed through self-congratulatory posts can be fodder for data brokers eager to build profiles of children for sale in the lucrative child merchandising market. A study by AVG indicated that 81% of two-year-olds already have a social media presence with the average “digital birth” taking place at the age of six months. Parents are almost always oblivious to the consequences of their actions but their well-meaning posts create indelible digital back stories that will haunt their children for the rest of their lives. How much worse will this be in India if parents continue to exert control over their children’s digital lives well beyond the age when they ought to be able to make their own decisions about their privacy?
There is no doubt that the current suggestion that children should remain under the supervision of their parents till the age of 18 must go. However, even if we reduce the age to 13—as is the case in many countries—what is to be done about parents who unknowingly jeopardize their children’s privacy from an early age? It would be paternalistic to suggest that the state should intervene where the actions of parents are likely to cause their children harm. However, the long-term consequences of these actions on the future well-being of the child are hard to ignore.
As much as I dislike the European articulation of the right to be forgotten, perhaps something along those lines is necessary to allow children to unwind the harm that their parents inadvertently inflict on them.
Rahul Matthan is a partner at Trilegal and author of Privacy 3.0: Unlocking Our Data Driven Future. Ex Machina is a column on technology, law and everything in between. His Twitter handle is @matthan.