As we step into 2025, India demands a present that paves the way for a future where young digital citizens are not just participants but pioneers, harnessing the power of their online presence for learning, growth, and innovation. Every educational app installed, every game played, and every video watched leaves behind a trail of data that could shape their futures in ways society is only beginning to comprehend. The advent of India’s Digital Personal Data Protection Act (DPDPA) in 2023 and followed by the recently released accompanying draft rules almost acknowledges what has long been evident: children’s digital privacy isn’t just another compliance checkbox – it’s a fundamental right that demands robust protection.
The draft rules’ recognition of children as a vulnerable group requiring special safeguards marks a crucial step forward in India’s digital governance framework. These provisions could potentially realign how digital platforms interact with young users, creating a protected yet enabling environment for their growth and development. The introduction of age-verification mechanisms, parental consent requirements, and restrictions on data processing signals a significant shift from the unrestricted data collection practices that have dominated the digital landscape over the past decade.
However, with critical examination of these rules coming from policy experts and society alike reveals that despite their promising foundation, several gaps remain untouched. The ambiguous definitions of “verifiable” consent, the absence of specific standards for age verification, and the brow-raising exemptions for certain sectors represent pressing oversights. More concerning is how it might inadvertently create a digital environment that’s either overly restrictive or deceptively permissive – neither of which serves the best interests of India’s young digital citizens.
Role Of Verifiable Parental Consent
The draft rules introduce several crucial protective measures, with verifiable parental consent taking center stage. Data fiduciaries must obtain explicit permission from parents or legal guardians before processing children’s personal data, establishing a critical first line of defense. However, the framework becomes more complex when we examine the exemptions. While seemingly logical at first glance, these carve-outs for schools, hospitals, and childcare providers warrant closer scrutiny. The rules allow these institutions to process children’s data without parental consent for “specific activities” related to education, healthcare, and safety. This is where clarity begins to fade.
Exemption In Education: A Risk For Exploitation
The draft mentions the term “educational activities”, a potential landmine and particularly problematic given India’s booming ed-tech landscape. Recent developments over the years have highlighted concerning practices within this sector. The exemption for educational institutions could inadvertently create a gateway for ed-tech companies to process children’s data under the guise of “educational activities.” In 2023, Lok Sabha MP Karti P Chidambaram’s letter to the Advertising Standards Council of India (ASCI) brought these issues into sharp focus, pointing out how ed-tech companies exploit through aggressive marketing tactics and questionable data practices.
This concern is not unfounded – a global Human Rights Watch (HRW) investigation conducted in 2022 revealed how educational technologies, often government-endorsed, have been compromising children’s privacy rights globally. The investigation, covered by prominent media outlets including the Daily Telegraph and Washington Post, documented how these technologies remained entrenched in educational systems post-pandemic, along with their problematic data practices.
Digital Identity Verification & Ambiguity With Terminologies
The draft rules’ emphasis on restricting access to harmful content is commendable, as is the stipulation that even exempted entities must limit data processing to specific purposes. However, several critical concerns remain unaddressed.
The mandatory reliance on DigiLocker for identity verification, while secure, raises questions about accessibility and inclusion. What happens to families without access to such digital infrastructure, or those who choose NOT to subscribe to DigiLocker?
Moreover, the broad terminology used in defining exemptions – “educational activities” and “safety monitoring” – leaves considerable room for interpretation. This ambiguity could potentially enable excessive surveillance or data collection under the pretext of safety or educational necessity.
ASCI has repeatedly flagged a significant percent of all objectionable and misleading advertisements coming from the education sector, primarily ed-tech companies, highlighting the industry’s problematic track record.
It can be deeply concerning that exemptions are granted to entities with a well-documented history of manipulative practices, and allowing such entities to process children’s data, albeit moderated, without stringent oversight risks under the guise of education, further exposing young users to unchecked digital exploitation.
Are These Draft Rules Enough?
While these draft rules represent progress, they underscore the need for a more comprehensive approach to children’s online safety. Can India have its own dedicated Online Children Safety Act that can address the complexities of the evolving digital landscape? Or are the current provisions enough to cover every evolving lacuna that presents itself with the issue? The answer lies with the government in power. For now, the current regulatory framework, while well-intentioned, may struggle to keep pace with rapidly advancing technology and increasingly sophisticated data collection methods.
The protection of vulnerable groups in the digital age requires more than just rules – it demands a robust, adaptable framework that can anticipate and address emerging challenges. The path ahead is clear: while these draft rules lay important groundwork, they should be viewed as a stepping stone toward more comprehensive protection measures. The digital landscape’s rapid evolution demands nothing less than a dedicated framework that can effectively safeguard the rights and interests of children in our increasingly connected world.
The author is MP, Rajya Sabha.
