On Online Safety of Children, Age Verification, and India
What’s Happening?
In the last couple of months, there has been a global rise in the number of policies aimed at keeping children safe from potential online harms. More than 60 bills were introduced in the US alone which sought to regulate access to social media for users below the age of 18. The UK successfully enacted the Online Safety Act 2023. China introduced the ‘Minors’ Mode Guidelines’ which propose strict limits on the screen time and mobile internet usage of children. Australia has been looking into an age-verification law for restricting access to porn and adult content online by minors for some time now. Following similar trends, the Canadian parliament is also currently debating the Online Harms Act which proposes digital IDs to verify the age of young people.
India, however, has not followed suit, and is yet to introduce a law specifically aimed at ensuring the online safety of children. Regardless, two recently-introduced laws, namely, the Digital Personal Data Protection (DPDP) Act, 2023, and the IT Rules (Intermediary Guidelines and Digital Media Code) of 2021, amended as of April 2023 (Amended IT Rules 2021) contain a few provisions pertaining to verifying the age of users and safeguarding against harm to children in the online environment. While it was reported in November last year that the Government was working out a risk-based framework for age-gating to be implemented by internet and social media intermediaries under the DPDP Act, such a framework is yet to be made public.
More recently, it was reported that, pursuant to a directive from the Prime Minister’s Office (PMO) to the Department of Telecommunications (DOT) asking to “incorporate parental controls in data usage” by 31st July, 2024, government departments such as the Department of School Education and Literacy (DSEL), and the Ministry of Electronics and Information Technology (MeitY) had been instructed to undertake relevant measures under their respective domains. For example, the MeitY is funding, at-least in part, the development of a controversial parental-control App called ‘SafeNet’ which permits parents to monitor a wide range of activities on their children’s devices, as well as enable content filtering settings.
What’s the Policymaker’s Rationale?
The policymaker’s rationale for protecting children online via age-gating and content-monitoring is based on the following (reasonable) assumptions. One, access to a certain category of online content or services is inherently harmful to children below the age of 18. This assumption forms the basis for laws in the physical world too. Take access to alcohol, tobacco, and A-rated movies in theatres, as examples. It’s also important to note that while in India, age-gating is prescribed for those under the age of 18 (or ‘Minors’ under Indian law), the laws on online safety of children in other jurisdictions sometimes have lower or even graded age-thresholds based on the type of harm. Two, children are a lot more vulnerable to harm than adults, and less likely to understand the full range of what they might be consenting to. This is why children are considered to be in the care of stakeholders such as their parents, guardians, and the welfare State. We see this be the case under the Indian contract law where despite a minor being deemed incompetent to enter into legally-enforceable contracts, if the contract is for the benefit of the minor, it can be entered into on behalf of the minor such that the minor can claim said benefit but cannot be held liable under the contract.
These two assumptions can be traced back to the age-specific provisions of the Amended IT Rules and DPDP Act.
India — The DPDP Act and the Amended IT Rules
Section 9 of the DPDP Act requires all ‘data fiduciaries’ to obtain a “verifiable parental consent” prior to the processing of personal data of a user who is under the age of 18. The section further prohibits data fiduciaries from data processing that is detrimental to the well-being of a child, and specifically prohibits activities like tracking and behaviour monitoring, and the use of targeted advertisements for children. However, it also states that the Central Government can make exceptions to these obligations under Section 9 in accordance with prescribed conditions, and can modify the age-threshold of 18 for data fiduciaries that satisfy that the processing of data is taking place in a manner that is “verifiably safe” – a phrase in need of some clarification.
The Amended IT Rules, on the other hand, contain a couple of provisions relevant to age-gating and preventing harm to children. First, Self-Regulating Bodies (SRBs) — who are required to verify online real money games (RMG) as legally permissible — can only deem permissible RMGs from ‘online gaming intermediaries’ (OGIs) who are in compliance with the age competency threshold of contracting under Indian law. This simply means that under the law as it stands presently, those below 18 years of age in India cannot contract with OGIs offering online RMGs, and therefore cannot play such games. (The prohibition is via the default course of action where one registers with the gaming platform, makes an account, and plays. Children can still play via their parents’/guardian’s account).
Second, OGIs cannot host any games that can cause user harm; a term defined to include “any effect which is detrimental to a user or child.” (A child is, again, someone below 18 years of age). Third, SRBs are to lay down frameworks for safeguarding children including measures for parental or access control. Fourth, OGIs that offer online real money games are required to identify users and verify their identity as per India’s Central Bank; RBI’s Know Your Customer (KYC) norms, upon the commencement of an “account-based relationship” with such users. Fifth, and found under the chapter titled ‘Code of Ethics,’ every publisher of online curated content providing access to ‘A’ rated content has to take “all efforts” to restrict access to such content by a child by using “appropriate” ‘access-control measures’ — defined as “any measure including a technical one, through which access to online-curated content is restricted based on verification of identity or age of a user.”
What Needs Clarification?
When it comes to the DPDP Act, the term ‘verifiable parental consent’ – which is currently left undefined in the law must be clarified in precise terms. It has been noted by others that this provision will inevitably require three steps — verifying the age of the user, establishing a legitimate relationship between the user and the parent in case the user is below 18 years of age, and finally documenting evidence of parental consent. For this purpose, some form of age-verification mechanism will have to be implemented by all data fiduciaries upon the collection of data under the Act since the very question of parental consent first requires a determination of whether the user is a child.
Unlike self-declaration, age-verification necessitates the use of a system that externally verifies a person’s age. Age-verification can, therefore, take many forms. For example, it can be on the basis of State-issued ID verification, traditional third-party verifications like credit or debit cards, or biometric data like facial images, fingerprints, or iris scans. An evaluation of all existing age-verification methods concludes that, at present, the use of any one method involves a tradeoff between user rights, data privacy, and security. Additionally, these methods also involve tradeoffs between efficiency, invasiveness, privacy-protection, cost-effectiveness, and risk-appropriateness. In light of this, a risk-based framework for prescribing age-gating mechanisms in India is a welcome step.
Still, the nature of age-verification mechanisms that will be made permissible under the DPDP, through its forth-coming Rules, will have to establish a clear nexus between the purpose for which the information is sought from users (i.e. to verify age) and the amount of information collected. It would also have to meet the test of proportionality and least-restrictiveness in that there must not be a less-restrictive but equally effective alternative to the age-verification mechanism proposed.
In the case of the Amended IT Rules, for better or for worse, it is clear that those under 18 years of age are entirely precluded from even signing up to play online RMGs. What is not as clear are the intended thresholds for the term ‘harm’ which has been referred to in varied contexts. For instance, at what point can games be deemed ‘addictive’ or ‘psychologically harmful’ for a child, and what is the threshold of harm below which an OGI would have to ensure its games are?
Age Verification Need Not Mean Identity Verification
The scope of age-verification under the DPDP Act and the Amended IT Rules is different. In order to comply with Section 9 of the DPDP Act, in ascertaining the age of users, data fiduciaries need not identify users. However, under the Amended IT Rules, OGIs are required to identify and verify the identity of all users interested in entering into an account-based relationship with the platform. Combined with the necessary compliance with RBI’s KYC norms which involve the collection of details such as PAN Card, Address Proof, Mobile Number — the purpose of which is to have a paper trail in the case of money laundering — under the Rules, age-verification would in any case take place when the user is identified and such identity is verified by the OGI.
However, in order to comply with Section 9 of the DPDP Act, in ascertaining the age of users, data fiduciaries need not carry out identity verification. This is significant because age-verification methods that rely on State-issued IDs being checked through third-party services give rise to fears of data leaks and the loss of online anonymity. In this regard, one possible third-party verification tech solution that is garnering attention is that of Zero-Knowledge Proofs (ZKPs) — cryptographic protocols that allow one party to prove to the other party that a piece of information is true without revealing any information about it beyond that it is true. While the outcome of a ZKP verification sounds ideal for balancing safety and user interests, its execution may be technically complex. Yet, in June 2022 France’s privacy regulator CNIL’s Digital Innovation Laboratory (LINC), along with researcher Olivier Blazy demonstrated the feasibility of a system based on a secure protocol using ZKPs. However, while there is a lot of talk about ZKPs being one of more promising age-verification solutions for safeguarding privacy online, it seems to be a relatively unexplored option by policymakers in the context of age-gating and safety of children online. To this end, India could greatly benefit from investing in a study aimed at evaluating the technological feasibility, scalability, and cost-effectiveness of a ZKP solution under the DPDP Act.
That’s all for this week. Have a great weekend, and please do not hesitate to write to us at digitalrepublic@evamlp.com for questions, suggestions, or a small chat.
Best,
Shruti Mittal