December 9, 2022
Ashwini Vaishnaw
Minister
Ministry of Electronics and Information Technology
Electronics Niketan, 6, CGO Complex
Lodhi Road, New Delhi 110003
India
cc: Minister of State, Rajeev Chandrasekhar
Secretary, Alkesh Kumar Sharma
Additional Secretary, Amit Agrawal
Re: Protect Children in the Digital Personal Data Protection Bill, 2022
Dear Minister Vaishnaw,
I write on behalf of Human Rights Watch in response to the Ministry of Electronics and Information Technology’s invitation to submit comments regarding the Digital Personal Data Protection Bill, 2022 (the “Bill”).[1] While the Ministry has recognized that children are entitled to special protections of their data,[2] we believe that the Bill has missed a critical opportunity to effectively protect India’s children in complex digital environments.
Human Rights Watch is an independent, international non-governmental organization that monitors human rights in more than 100 countries globally. We regularly investigate the rights of children around the world, including in India.
We urge you to incorporate robust child data protections in the Bill that would protect the best interests of children. We also urge you to fulfil India’s treaty obligations to protect the right to privacy, and to protect and promote children’s rights.[3] This submission follows our 2020 submission regarding the Bill’s predecessor draft, the Personal Data Privacy Bill, 2019.
I. Protect the best interests of the child
The Bill removed all references to protecting a child’s best interests, which had been previously included in the 2019 version of the Bill.[4] This was replaced with new language that “a Data Fiduciary shall not undertake such processing of personal data that is likely to cause harm to a child, as may be prescribed,” in which ‘harm’ was defined as bodily harm; distortion or theft of identity; harassment; or prevention of lawful gain or causation of significant loss.[5]
The United Nations Committee on the Rights of the Child has emphasized that:
States parties should ensure that, in all actions regarding the provision, regulation, design, management and use of the digital environment, the best interests of every child is a primary consideration.
In considering the best interests of the child, [States parties] should have regard for all children’s rights, including their rights to seek, receive and impart information, to be protected from harm and to have their views given due weight, and ensure transparency in the assessment of the best interests of the child and the criteria that have been applied.[6]
In the event that there are conflicting interests between, for example, commercial[7] and political[8] motivations and children’s rights to privacy or to their freedom of expression, the government should ensure that the best interests of children are a primary consideration.
The Bill’s definition of harms is overly limited in scope and does not encapsulate the known and emerging risks facilitated by technology. Exploitation may occur in many forms through a child’s use of technology; harms relating to the misuse of a child’s personal data may be diffuse, difficult to articulate or trace given opaque business and algorithmic operations, and impact children at later stages of their lives.
But protecting a child’s best interests encompasses more than protecting them from harm. Children are entitled to special protections for all their rights, and the government should recognize and protect children’s data and their use of technology to empower children to realize the full range of their rights, including those to privacy, expression, thought, association, and access to information.
Simultaneously, the Bill’s vague granting of latitude for the government to define harms to children “as may be prescribed,” in the absence of defined legislative protections or safeguards, may result in violations of the rights of society as a whole through the use of misleading or false claims relating to the protection of children from ‘harm.’[9]
We recommend that the Ministry remove clause 10(2) from the Bill and restore the text from clause 16(1) of the 2019 Bill, to state that all data fiduciaries must process children’s data in ways that protect the rights of, and promote the best interests of, the child. We also recommend that the Ministry include language that covers the protection of children from harm, in which harms are to be defined and assessed in relation to children’s rights.
II. Recognize children’s right to, and the limitations of, consent
Clause 10(1) of the Bill states that data fiduciaries should obtain verifiable consent from parents and legal guardians before processing children’s personal data.[10]
Children’s data should be protected for their benefit, and to empower them to exercise their rights in the digital environment.[11] The UN Committee on the Rights of the Child has stated that governments “should ensure that consent is informed and freely given by the child or, depending on the child’s age and evolving capacity, by the parent or caregiver, and obtained prior to processing those data.”[12]
While consent from children or their guardians is an important consideration in the protection of children’s data, it should not be used to undermine a child’s rights.
In some contexts, a child or their guardian cannot give meaningful consent to the processing of a child’s data. A global investigation by Human Rights Watch found that an overwhelming majority of education technology (EdTech) products endorsed by 49 governments during the Covid-19 pandemic enabled the surveillance of children.[13] This data surveillance took place in educational settings where children or their guardians could not reasonably object to such surveillance.[14] Most EdTech products did not allow their students to decline to be tracked; most of this monitoring happened secretly, without the child’s knowledge or consent. In most instances, it was impossible for children to opt out of such surveillance without giving up on formal learning altogether during the pandemic.
In India, Human Rights Watch examined eight EdTech products authorized by the government, including Diksha, an app built and used by the education ministry as its primary means of delivering online education to students in grades 1 to 12. To drive adoption, some state education ministries set quotas for government teachers to compel their students to download the app.
Human Rights Watch found that Diksha had the capacity to collect children’s precise location data, including the date and time of their current location and their last known location. Diksha was also found collecting and transmitting children’s personal data to Google for advertising purposes.[15]
Children could not give valid, meaningful consent for the processing of their data by government-mandated EdTech platforms such as Diksha—even if they had been asked—because they could not refuse to use them freely without detrimental effect, as there were no alternative means to access their education.
In addition, the Bill does not explicitly affirm the right of children to delete their data or withdraw their consent at any time, and in ways that are easy to access and understand. Clause 13(2)(d) of the Bill only allows for the erasure of data that is “no longer necessary for the purpose for which it was processed,” not on the basis of a child’s exercise of their rights.
We recommend that the Ministry amend clause 10(1) of the Bill to state that data fiduciaries should obtain a child’s informed, freely given, and unambiguous consent, prior to the processing of their data, or, depending on the child’s age and capacities, by their parent or guardian. We further recommend that the Ministry include language in clause 10 to note that such consent cannot be used to undermine a child’s rights. We urge that the Ministry remove references to parents or guardians from the definition of ‘data principal’ in clause 2(6), and instead draft a new clause recognizing that if a child cannot exercise her own data rights, due to her age and capacities, a parent or guardian may exercise these rights on her behalf and in her best interests.
We further urge the Ministry to amend clause 13(2)(d) to permit the erasure of personal data upon request of a data principal. We recommend that the Ministry draft a new clause that requires data fiduciaries that process children’s data to provide information to children on their data rights and the complaint and reporting mechanisms and remedies available to them, in child-friendly language and in prominent, accessible formats.
III. Protect children’s privacy, by design and by default
The Bill contains a single reference to privacy, in which it proposes the removal of the sole reference to privacy in another law, the Right to Information Act, 2005.[16]
The right to privacy is a fundamental right guaranteed by article 21 of the Constitution of India, as affirmed by the Supreme Court in Puttaswamy v. Union of India.[17] For children, their privacy is vital to ensuring their safety, agency, and dignity.[18] As children spend increasing amounts of their lives online, international human rights bodies have recognized that even the mere generation, collection, and processing of a child’s personal data can threaten their privacy, because in the process they lose control over information that could put their privacy at risk.[19] Any restriction upon a child’s privacy is only permissible if it meets the standards of legality, necessity, and proportionality.[20]
The UN Committee on the Rights of the Child has urged all governments to take “legislative, administrative and other measures to ensure that children’s privacy is respected and protected by all organizations and in all environments that process their data.”[21] Reflecting this, the Bill should require all data fiduciaries and processors to apply the highest levels of privacy protections to children’s data by default and by design, so that technical and organizational measures embed maximal privacy for children throughout the design, development, and practices of the data processor’s systems or service.[22] The Bill should also prohibit any digital surveillance of children or automated processing of their data that is “conducted routinely, indiscriminately, or without the child’s knowledge or, in the case of very young children, that of their parent or caregiver… [or] without the right to object to such surveillance.”[23]
We recommend that the Ministry amend clause 10 to require all data fiduciaries and processors to apply the highest levels of privacy protections to children’s data by default and by design. We also urge the Ministry to require that any processing of children’s data meet strict requirements of necessity and proportionality, regardless of consent, and that digital surveillance or automated processing of children’s data not be conducted routinely, indiscriminately, and without the child’s knowledge or right to object and refuse.
IV. Guard against exemptions without protections or oversight
Clause 10(4) of the Bill grants sweeping latitude to the government to exempt agencies or entities from compliance with the provisions of the Bill with respect to children’s data protections, “as may be prescribed.”[24]
In the digital age, mass surveillance is routinely practiced by private, commercial, and state actors alike.[25] Absent any safeguards, transparency, independent oversight, or due process mechanisms that would provide access to an effective remedy, clause 10(4) enables both deliberate violations and unintentional infringements of children’s rights. The lack of specificity in this clause does not meet the standard for an invasion of the right to privacy under Puttaswamy, nor is it consistent with international and child rights laws.
We recommend that the Ministry remove clause 10(4) from the Bill. We also recommend that the Ministry amend clause 2(16) to extend its protections to all personal data, including non-digital data.
We further urge the Ministry to request the government to establish effective remedial judicial and non-judicial mechanisms for the violations of children’s rights relating to the digital environment.
***
As more children spend increasing amounts of their childhood online, safeguards are urgently needed to protect their data and meaningful, safe access to the connected world. We strongly recommend that the Ministry consider these recommendations to ensure that India’s data protection framework protects all children, and holds all actors accountable if they fail to do so.
Please do not hesitate to contact us if we can provide further information. We appreciate your attention to this important matter.
Sincerely,
Hye Jung Han
Researcher and Advocate, Children’s Rights and Technology
Human Rights Watch
[1] The Digital Personal Data Protection Bill, 2022, https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Potection%20Bill%2C%202022_0.pdf (accessed December 6, 2022).
[2] Government of India, Ministry of Electronics and Information Technology, “Explanatory note to Digital Personal Data Protection Bill, 2022,” https://drive.google.com/file/d/1OIPABLLMQVAc91nuOOq-JDOZHQX79jnr/view (accessed December 7, 2022), para 12.
[3] International Covenant on Civil and Political Rights (ICCPR), adopted December 16, 1966, 999 U.N.T.S. 171, entered into force March 23, 1976, ratified by India on April 10, 1979, art. 19(3), available at https://www.ohchr.org/en/professionalinterest/pages/ccpr.aspx (accessed December 7, 2022); Convention on the Rights of the Child, November 20, 1989, 1577 U.N.T.S. 3, ratified by India on December 11, 1992, art 16, available at https://www.ohchr.org/en/instruments-mechanisms/instruments/convention-rights-child (accessed December 7, 2022).
[4] Government of India, “The Personal Data Protection Bill, 2019,” Chapter IV, 16(1): “Every data fiduciary shall process personal data of a child in such manner that protects the rights of, and is in the best interests of, the child.” http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf (accessed December 7, 2022).
[5] The Digital Personal Data Protection Bill, 2022, clauses 2(10), 10(2).
[6] Committee on the Rights of the Child (CRC), General Comment No. 25, Children’s Rights in Relation to the Digital Environment, U.N. Doc. CRC/C/GC/25 (2021), paras. 12-13.
[7] Ibid, paras. 40-42.
[8] Ibid, paras. 60-61.
[9] See, for example, Letter from Human Rights Watch to US Senate Judiciary Committee, “Reject the EARN IT Act, S.3398,” June 1, 2020, https://www.hrw.org/news/2020/06/01/letter-us-senate-judiciary-committee-reject-earn-it-act-s-3398; Human Rights Watch, No Support: Russia’s “Gay Propaganda” Law Imperils LGBT Youth (New York: Human Rights Watch, 2018), https://www.hrw.org/report/2018/12/11/no-support/russias-gay-propaganda-law-imperils-lgbt-youth.
[10] The Digital Personal Data Protection Bill, 2022, clause 10(1).
[11] CRC, General Comment No. 25, paras. 12-13, 16-20.
[12] Ibid, para. 71.
[13] Human Rights Watch, “How Dare They Peep into My Private Life?”: Children’s Rights Violations by Governments that Endorsed Online Learning During the Covid-19 Pandemic (New York: Human Rights Watch, 2022), https://www.hrw.org/report/2022/05/25/how-dare-they-peep-my-private-life/childrens-rights-violations-governments.
[14] Regarding the processing of children’s data in online educational settings, the Council of Europe has noted: “[A]s the education is compulsory and refusal or withdrawal of consent could be detrimental to the development of the child, children would not be in a position to consent freely, irrespective of the assistance by parents or legal representatives.” See “Contribution prepared by the Secretariat of the Council of Europe on the subject of the right to privacy of children, in response to the consultation carried out by the UN Special Rapporteur on the right to privacy (UNSRP),” October 5, 2020, https://www.ohchr.org/Documents/Issues/Privacy/SR_Privacy/privacy-child/Regional-Org-and-UN/1-CoE.docx (accessed August 3, 2021), pp. 3-4.
[15] Detailed information and technical evidence relating to the EdTech products authorized by the Indian government for children’s online learning during the Covid-19 pandemic can be found at: Human Rights Watch, “StudentsNotProducts,” 2022, https://www.hrw.org/StudentsNotProducts#explore; Human Rights Watch, “Diksha,” 2022, https://features.hrw.org/features/StudentsNotProducts/files/privacy_snapshots/Privacy%20Snapshot%20-%20India%20Diksha.pdf.
[16] The Digital Personal Data Protection Bill, 2022, clause 30(2); The Right to Information Act, 2005, https://rti.gov.in/RTI%20Act,%202005%20(Amended)-English%20Version.pdf (accessed December 9, 2022), clause 8(1)(j).
[17] Justice K.S. Puttaswamy (Retd) v. Union of India, AIR 2017 SC 4161, Supreme Court of India, August 24, 2017, https://indiankanoon.org/doc/91938676/ (accessed December 7, 2022).
[18] Convention on the Rights of the Child, art. 16; CRC, General Comment No. 25, para. 67; UN Human Rights Council, Report of the United Nations High Commissioner for Human Rights on the right to privacy in the digital age, U.N. Doc. A/HRC/39/29, August 3, 2018, para. 11.
[19] CRC, General Comment No. 25, paras. 67-68; UN Human Rights Council, Report of the United Nations High Commissioner for Human Rights on the right to privacy in the digital age, U.N. Doc. A/HRC/39/29, August 3, 2018, para. 7; UN Human Rights Council, Report of the United Nations High Commissioner for Human Rights on the right to privacy in the digital age, U.N. Doc. A/HRC/27/37, June 30, 2014, para. 20; UN Human Rights Council, Report of the Special Rapporteur on the right to privacy on artificial intelligence and privacy, and children’s privacy, A/HRC/46/37, January 25, 2021, para. 71.
[20] UN Human Rights Council, Report of the United Nations High Commissioner for Human Rights on the right to privacy in the digital age, U.N. Doc. A/HRC/27/37, June 30, 2014, para. 23; UN Human Rights Council, “Resolution adopted by the Human Rights Council on 23 March 2017,” Resolution 34/7, U.N. Doc. A/HRC/RES/34/7, para. 2; CRC, General Comment No. 1: The Aims of Education, U.N. Doc. CRC/GC/2001/1 (2001). CRC, General Comment No. 25, U.N. Doc. CRC/C/GC/25 (2021), para. 69.
[21] CRC, General Comment No. 25, para. 70.
[22] Ibid.
[23] Ibid, para. 75.
[24] The Digital Personal Data Protection Bill, 2022, clause 10(4).
[25] CRC, General Comment No. 25, para. 68.