white_paper_on_data_protection_in_india_171127_final_v2
an age-limit, below which a parent‘s consent is necessary, in order to protect very young children from privacy harms. Similarly, a variable age limit can be drawn (not necessarily 18- which is the generally accepted age of majority in India) below which parental consent is to be mandatory. Methods for effectively ensuring parental consent must be considered, either for certain categories of services or through certain processes that may be onerous for the child to circumvent. 3. In addition, or in the alternative, perhaps distinct provisions could be carved out within the data protection law, which prohibit the processing of children‘s personal data for potentially harmful purposes, such as profiling, marketing and tracking. Additionally separate rules could be established for the manner in which schools and other educational institutions that collect personal information about children as part of their regular activities need to collect and process this data. Similarly, regulations should be prescribed as to the manner in which the government collects and processes data about children. 2.5 Questions 1. What are your views regarding the protection of a child‘s personal data? 2. Should the data protection law have a provision specifically tailored towards protecting children‘s personal data? 3. Should the law prescribe a certain age-bar, above which a child is considered to be capable of providing valid consent? If so, what would the cut-off age be? 4. Should the data protection law follow the South African approach and prohibit the processing of any personal data relating to a child, as long as she is below the age of 18, subject to narrow exceptions? 5. Should the data protection law follow the Australian approach, and the data controller be given the responsibility to determine whether the individual has the capacity to provide consent, on a case by case basis? Would this requirement be too onerous on the data controller? Would relying on the data controller to make this judgment sufficiently protect the child from the harm that could come from improper processing? 6. If a subjective test is used in determining whether a child is capable of providing valid consent, who would be responsible for conducting this test? Alternatives: a. The data protection authority b. The entity which collects the information c. This can be obviated by seeking parental consent 90
7. How can the requirement for parental consent be operationalised in practice? What are the safeguards which would be required? 8. Would a purpose-based restriction on the collection of personal data of a child be effective? For example, forbidding the collection of children‘s data for marketing, advertising and tracking purposes? 9. Should general websites, i.e. those that are not directed towards providing services to a child, be exempt from having additional safeguards protecting the collection, use and disclosure of children‘s data? What is the criteria for determining whether a website is intended for children or a general website? 10. Should data controllers have a higher onus of responsibility to demonstrate that they have obtained appropriate consent with respect to a child who is using their services? How will they have ―actual knowledge‖ of such use? 11. Are there any alternative views on the manner in which the personal data of children may be protected at the time of processing? 91
- Page 49 and 50: that the information is not in the
- Page 51 and 52: CHAPTER 4: SENSITIVE PERSONAL DATA
- Page 53 and 54: protection. Subject to an evaluatio
- Page 55 and 56: South Africa The POPI Act defines p
- Page 57 and 58: a. All personal data processed must
- Page 59 and 60: an employee of the controller who g
- Page 61 and 62: . Clear bifurcation of roles and as
- Page 63 and 64: 7.2 Specific Exemptions and Interna
- Page 65 and 66: In India, collection of statistical
- Page 67 and 68: of imposition of similar nature.‘
- Page 69 and 70: mechanism to provide prior approval
- Page 71 and 72: 1. What are your views on including
- Page 73 and 74: To facilitate the cross-border tran
- Page 75 and 76: (ii) Binding Corporate Rules BCR ar
- Page 77 and 78: individual to take action to enforc
- Page 79 and 80: CHAPTER 9 : DATA LOCALISATION 9.1 I
- Page 81 and 82: (iii) IT-BPO/BPM Industrial Growth
- Page 83 and 84: amounts of computer hardware, they
- Page 85 and 86: In Indonesia, the regulation regard
- Page 87 and 88: Distribution of Insurance Products)
- Page 89 and 90: Another advantage of relying on con
- Page 91 and 92: individuals may find it impossible
- Page 93 and 94: that the collection is reasonably n
- Page 95 and 96: CHAPTER 2: CHILD’S CONSENT 2.1 In
- Page 97 and 98: the cloud service provider as to st
- Page 99: The PIPEDA does not specifically de
- Page 103 and 104: mechanism still continues to play a
- Page 105 and 106: 3.3 International Practices Despite
- Page 107 and 108: (CALOPPA) 466 and the GLB Act requi
- Page 109 and 110: CHAPTER 4: OTHER GROUNDS OF PROCESS
- Page 111 and 112: This ground covers two types of sce
- Page 113 and 114: that there may be certain situation
- Page 115 and 116: CHAPTER 5: PURPOSE SPECIFICATION AN
- Page 117 and 118: collected for more than one purpose
- Page 119 and 120: enable data controllers to understa
- Page 121 and 122: CHAPTER 6: PROCESSING OF SENSITIVE
- Page 123 and 124: may instrumentally be caused if the
- Page 125 and 126: PIPEDA does not specifically deal w
- Page 127 and 128: CHAPTER 7: STORAGE LIMITATION AND D
- Page 129 and 130: solely for archiving purposes in th
- Page 131 and 132: 2. Data Quality: The principle of d
- Page 133 and 134: data protection laws across jurisdi
- Page 135 and 136: The requirement to be provided the
- Page 137 and 138: Information Act, 1982 or other appr
- Page 139 and 140: CHAPTER 9: INDIVIDUAL PARTICIPATION
- Page 141 and 142: . the processing is unlawful and th
- Page 143 and 144: such a right may be unsuitable in t
- Page 145 and 146: from being taken solely on the basi
- Page 147 and 148: CHAPTER 10: INDIVIDUAL PARTICIPATIO
- Page 149 and 150: emove data for ―the processing of
an age-limit, below which a parent‘s c<strong>on</strong>sent is necessary, <strong>in</strong> order to protect very<br />
young children from privacy harms. Similarly, a variable age limit can be drawn (not<br />
necessarily 18- which is the generally accepted age of majority <strong>in</strong> India) below which<br />
parental c<strong>on</strong>sent is to be mandatory. Methods for effectively ensur<strong>in</strong>g parental c<strong>on</strong>sent<br />
must be c<strong>on</strong>sidered, either for certa<strong>in</strong> categories of services or through certa<strong>in</strong> processes<br />
that may be <strong>on</strong>erous for the child to circumvent.<br />
3. In additi<strong>on</strong>, or <strong>in</strong> the alternative, perhaps dist<strong>in</strong>ct provisi<strong>on</strong>s could be carved out with<strong>in</strong><br />
the <strong>data</strong> protecti<strong>on</strong> law, which prohibit the process<strong>in</strong>g of children‘s pers<strong>on</strong>al <strong>data</strong> for<br />
potentially harmful purposes, such as profil<strong>in</strong>g, market<strong>in</strong>g and track<strong>in</strong>g. Additi<strong>on</strong>ally<br />
separate rules could be established for the manner <strong>in</strong> which schools and other<br />
educati<strong>on</strong>al <strong>in</strong>stituti<strong>on</strong>s that collect pers<strong>on</strong>al <strong>in</strong>formati<strong>on</strong> about children as part of their<br />
regular activities need to collect and process this <strong>data</strong>. Similarly, regulati<strong>on</strong>s should be<br />
prescribed as to the manner <strong>in</strong> which the government collects and processes <strong>data</strong> about<br />
children.<br />
2.5 Questi<strong>on</strong>s<br />
1. What are your views regard<strong>in</strong>g the protecti<strong>on</strong> of a child‘s pers<strong>on</strong>al <strong>data</strong>?<br />
2. Should the <strong>data</strong> protecti<strong>on</strong> law have a provisi<strong>on</strong> specifically tailored towards protect<strong>in</strong>g<br />
children‘s pers<strong>on</strong>al <strong>data</strong>?<br />
3. Should the law prescribe a certa<strong>in</strong> age-bar, above which a child is c<strong>on</strong>sidered to be<br />
capable of provid<strong>in</strong>g valid c<strong>on</strong>sent? If so, what would the cut-off age be?<br />
4. Should the <strong>data</strong> protecti<strong>on</strong> law follow the South African approach and prohibit the<br />
process<strong>in</strong>g of any pers<strong>on</strong>al <strong>data</strong> relat<strong>in</strong>g to a child, as l<strong>on</strong>g as she is below the age of 18,<br />
subject to narrow excepti<strong>on</strong>s?<br />
5. Should the <strong>data</strong> protecti<strong>on</strong> law follow the Australian approach, and the <strong>data</strong> c<strong>on</strong>troller<br />
be given the resp<strong>on</strong>sibility to determ<strong>in</strong>e whether the <strong>in</strong>dividual has the capacity to<br />
provide c<strong>on</strong>sent, <strong>on</strong> a case by case basis? Would this requirement be too <strong>on</strong>erous <strong>on</strong> the<br />
<strong>data</strong> c<strong>on</strong>troller? Would rely<strong>in</strong>g <strong>on</strong> the <strong>data</strong> c<strong>on</strong>troller to make this judgment sufficiently<br />
protect the child from the harm that could come from improper process<strong>in</strong>g?<br />
6. If a subjective test is used <strong>in</strong> determ<strong>in</strong><strong>in</strong>g whether a child is capable of provid<strong>in</strong>g valid<br />
c<strong>on</strong>sent, who would be resp<strong>on</strong>sible for c<strong>on</strong>duct<strong>in</strong>g this test?<br />
Alternatives:<br />
a. The <strong>data</strong> protecti<strong>on</strong> authority<br />
b. The entity which collects the <strong>in</strong>formati<strong>on</strong><br />
c. This can be obviated by seek<strong>in</strong>g parental c<strong>on</strong>sent<br />
90