Data Protection Bill: IAMAI wants age of consent to be lower than 18

Also wants verification of age, parental consent removed

The Internet and Mobile Association of India (IAMAI), which represents domestic and global companies such as Meta, Google, Disney Star, Dell and Reliance Jio, has opposed 18 as the age of consent for child­ren under the proposed Per­sonal Data Protection Bill 2021.

The age requirement will impede the growth of industries that offer tailored knowledge as well as entertainment products and services for children, IAMAI says.

Instead, it has suggested that the definition of a “child” should be reduced from 18 years, based on global norms, and it seeks a “risk-based approach” for the consent age, depending on the nature of the services provided.

The IAMAI has also said the requirement of a “data fiduciary” to verify the age of children should be removed to avoid cre­ating new privacy risks thro­ugh the collection of potentially sensitive information. A data fiduciary is an entity that decides the means and purpose of processing personal data.

Rather, argues IAMAI, age verification should be a self-declaration and the onus of its veracity should lie with the data principal.

The association was resp­o­nding to the submission made by the Joint Parliamentary Committee on the proposed Bill suggesting changes to the draft Bill to the Ministry of Electronics and Information Technology. The committee’s changes include putting non-personal data within the Bill’s ambit and removing the word “personal” from the Bill’s name.

The association has also delved into how other countries have handled the age of consent issue. For instance, in the US, the Children’s Online Privacy Protection Act pegs the age threshold at 13. In the European Union under the EU Data Protec­tion Regulation, it is 16, and many European states such as Belgium (13), Austria (14) and France (15) have lowered it even further.

IAMAI argues that fixing it as 18 may result in a very large number of users being denied access to services, which will impact their overall well-being — an argument some observers say is a contentious liberalisation of the Bill.

It is also lobbying for the parental consent mechanism not to be “prescriptive” as it creates practical challenges and could result either in a “chilling effect” or in children simply being discouraged or inhibited from exercising their legal rights owing to the threat of legal action.

Instead, IAMAI suggests that the guidelines should focus on empowering young users and their parents to engage with “transparency and privacy tools” and leave “the service provi­ders to consider a broader range of technical solutions to ensure it”.

One of its suggestions is removing the requirement for parental consent. Even if it is retained, any change requiring parental consent to process data for users under the age of consent (verified or not) should be applied on an ongoing basis.

In other words, the association says a user who has legally consented to the data processing typical for an account before the enactment of this legislation, should be able to use that account as agreed without additional parental consent.

The proposed Bill has also imposed prohibitions on processing children’s data, an issue that has been debated globally. It states that every data fiduciary is barred from profiling, tracking, from behavioural monitoring, and from directing advertising directly at children and undertaking any other processing of personal data that can cause significant harm to the child.

IAMAI has pointed out that the underlying rationale behind a complete ban on data fiduciaries targeting advertisements directly at children assumes that all of them are harmful to the child.

This is untenable, it says, and such a prohibition deprives children of services that are related to education and their emotional and physical well-being.