Big Tech, data privacy rules differ over online tracking of children on net

New Delhi: Meta Platforms Inc and Google’s parent Alphabet Inc have raised concerns about Indian rules barring tech giants from monitoring internet browsing by children under 18 as it will make safety filters ineffective, according to three executives privy to the discussions.

“The DPDP Act’s rules include an exemption that allows social media intermediaries to use the age of a user as part of the data that the platform can use to identify them. But, simply using age would not be enough to enforce safety filters, such as preventing unrelated adults from contacting underage users online," a senior executive at a top Big Tech firm told Mint, requesting anonymity.

“While the aspect of respecting a user’s privacy is necessary, there needs to be some form of risk- or harm-based approach to regulating children’s sanctity online—which is one of the biggest challenges that India’s privacy law will pose," the executive said.

Google, Meta and the ministry of electronics and information technology (Meity) did not immediately respond to emailed queries.

Also read | Privacy law: Under-18s to be defined as minors in gaming

The response during the consultation process to formulate rules for the Digital Personal Data Protection (DPDP) Act, 2023 signals lack of consensus even two years after the Indian Parliament passed the law. The Act, aimed at safeguarding the personal data of India’s 1.4 billion-plus citizens, is still to be enacted as the final rules are being drafted.

The draft rules of the Act were published at the start of this year. Public consultations began in January and were scheduled to end on 15 February, but were extended until Wednesday.

“We’re not looking to extend the consultation period any further and will take all the feedback we have received to process the required information now," a senior government official said on the condition of anonymity. “If the overall consultation necessitates any changes to the rules of the Act, we’ll then take it to all involved ministries, before notifying them and enforcing the Act."

Three officials with direct knowledge of the matter, including the one cited above, said that the entire process, including any tweaks to the privacy law rules, will take “about two to three months".

AI training, data localization worries

Deliberations, including questions about the government being granted blanket exemptions to track users without disclosing it to them in the name of national security, have drawn the discussions out for long.

Meta and Alphabet have also expressed reservations about data localization and limiting the use of publicly available personal information to train artificial intelligence (AI) models—a key part of operations for technology firms today.

The Big Tech executive quoted earlier cited the example of Wikipedia, which holds personally identifiable data of various personalities. “Under the tenets of the current law and its proposed rules, Wikipedia—which is a venerable resource for anyone training AI models—will be banned as an information source since no company can access its information without gaining express consent from the users themselves."

Another executive working with a different Big Tech firm stressed on revisiting India’s ‘whitelisting’ approach to data localization. “It’s important to note that imposing mandatory localization by policymakers may not fully appreciate the technical challenges associated with the process," the executive said.

Also read | Telecom Bill: Experts seek clarity amid privacy worries

Besides, the rules necessitate that only an individual can share their own data with technology companies. “This essentially means that an individual would not be legally permitted to share their aging parents’ contact information with an online platform—which is a necessity in today’s fragmented society," the executive said. “This, once the law is enforced on ground, would mean that e-commerce platforms would not be able to allow users to place online shopping orders for any other individuals."

According to this executive, by structure, seeking consent every time from every user would vastly add to liability, and is also not permitted as per the current Act and its rules. “This could be a big detriment—one that the IT ministry will likely need to look into imminently."

Legal view

Lawyers, too, view child safety as the biggest challenge that India’s privacy law has left unanswered.

“Many platforms deploy online safety technologies that protect against real-world harms caused by digital interactions, such as ‘text classification systems’ to detect predatory behaviour and cyber bullying. The mechanism of child safety systems often involves monitoring online user activity, flagging, and content classification without immediately preventing ‘access to information’," said Dhruv Garg, partner at Delhi-based think-tank India Governance and Policy (IGAP) Project.

While such technologies and systems demonstrably enhance user safety, they may not precisely align with the limited exemptions under Rule 11 of the DPDP Act, he said. “The Act’s prohibition on processing that may have a ‘detrimental effect on the well-being of a child’, under Section 9(2), lacks clarity."

Concerns regarding child safety filters emerged as the focal point in submissions made by various stakeholders to Meity, which will now take all feedback into consideration before the rules are notified, and India’s first data privacy law is brought into effect.

Also read | Data privacy rules in limbo, tech industry on edge

A senior partner at a top law firm, which advises both Google and Meta, said that concerns around breaking child safety filters “is by far the biggest point of contention that has so far been raised in the DPDP rules’ consultation process".

“The blanket ban on behavioural monitoring is a problem because it is also a positive obligation for technology platforms, which employ child safety tools online. The issue here is that this is an aspect of the principal legislation itself, which cannot be amended right now. This makes the blanket ban on behavioural monitoring a problem point—instead, a risk or harm-based approach to regulation could have been one way forward," the partner said, requesting anonymity.

According to Garg, in the absence of guidance or illustration on what amounts to a detrimental effect, tech firms may struggle to anticipate intangible “detriments, such as behavioural or psychological impacts, of their data processing in relation to children".

In an earlier iteration of the draft law, a related concept of ‘harm’ in relation to users was defined under Clause 2(10)—to include bodily harm, identity theft, harassment, and significant loss, Garg said.

“The rules may allow for purpose-based exemption for tracking and behavioural monitoring that serve beneficial functions in the interest of online safety without creating risks of harm," he said. “Such an exemption should enable data processing which mitigates a ‘detrimental effect’ on a child. Further, a clear and specific definition or illustration may be incorporated within the rules for ‘detrimental effect’ in relation to children to reliably guide personal data processing."

Also read | Data privacy rules to be issued for consultation shortly: Rajeev Chandrasekhar