The Digital Personal Data Protection Act, 2023[1] (“Act”) has, at long last, been past before both houses of Parliament and been published in the official Gazette upon receiving Presidential assent.
The Act is intended to provide legislative expression to the contours of the right to privacy as outlined by the Supreme Court of India in the Puttaswamy Judgements[2] and since then, by other constitutional Courts. The principle, which now stands more or less crystallized, is that the autonomy of a person is inalienably linked to their autonomy over their personal data. Therefore, in a regime which continues to be firmly consent based, the questions of who is a child, who can consent to allowing their personal data to be collected, as well as what can and cannot be done with it, are key to their status as ‘Digital Nagariks’ in years to come.
In continuation of our series on the Act, we now examine the treatment of children under the Act, as well as some comparative global positions.
Children and Consent
The draft Digital Personal Data Protection Bill, 2022 (“Draft”)[3] that was published for consultation on November 18, 2022 specified the age of majority as 18 years[4], and imposed onerous and inviolable restrictions prohibiting various widely defined actions.[5] However, it has become evident over the course of more than 20,000 consultation submissions,[6] and several dozen in-person consultations that this position needs some nuancing.
In a digital economy which is increasingly focused on the young for services ranging from education to entertainment and a young population which is increasingly online, the offering of products and services to children, and to the appropriate extent, ensuring that certain types of material is focused on them, is not only practical, but also a necessity. This is even more evident for other types of quasi and non-commercial processing for age gating, filtering adult material and interaction, and offering protective and mental health services to children.
India has long followed, with certain exceptions, the approach of treating all persons below the age of majority (firmly fixed at 18 since 1875[7]), as children. These individuals are deemed incapable of contracting,[8]and consent from parents or guardians is relied on for most types of interactions with them. While limited exceptions exist, such as for contracting or partnerships for their benefit,[9] neither they, nor one-time parental consent, form a robust, or even functional means to enable engagement with persons below the age of 18 by interactive platforms.
The Act, similar to the Draft[10] hard codes that anyone below 18 years of age would be a child.[11] Global standards such as Europe’s General Data Protection Regulation[12] and the California Consumer Privacy Act[13] provide for graded approaches.[14]
Similarly, like the Draft,[15] the Act continues to require that consent from a parent or a legal guardian (hereinafter “Parent”) be taken for all processing of personal data[16] relating to a child in a verifiable manner which will be prescribed under rules (hereinafter, “Consent”)[17]. However, the Act expands the obligation on Data Fiduciaries[18] to obtain verifiable consent of the parent or lawful guardian and requires such consent to be obtained prior to the processing of personal data of a person with disability for whom a guardian has been appointed.
Further, in a welcome move to enable flexibility the Act allows the government to provide:
- an exemption for processing of personal data of a child by specific classes of Data Fiduciaries, or for specific purposes, each in accordance with specific conditions (hereinafter the “Class Exemption”)[19]; and
- where it is satisfied that a Data Fiduciary has ensured that its processing of personal data of children is verifiably safe, a lower age for requiring mandatory parental consent for such processing (“Safety Dilution”)[20].
A Difficult Balance
Like the Draft,[21] the Act continues to deem that parents and legal guardians will also be ‘data principals’ for their child.[22] While it is common for parental consent to be needed for use of minor’s personal data,[23] introducing the possibility of entirely substituting the child’s autonomy with that of the parent creates unique problems, particularly if there are differences between parents and children in relation to consent, exercise of Data Principal rights, or grievance redressal.
While the new language potentially leaves open the option for a child to try and exercise rights in parallel with their Parent, the widely defined definition of ‘processing’,[24] and the fact that all processing of children’s personal data clearly requires ‘verifiable parental consent’[25] may be sought to be relied on by the Data Fiduciary in refusing such requests. Further, given the age of majority under the Act, and the absence of any consideration for capacity, which finds place even in existing penal laws in India,[26] the Act still leaves open the interesting question of what rights, if any, children have over their personal data dehors their parents. Some guidance on this, either through rulemaking, decisions of the DPB, or FAQ, may be beneficial.
Restrictions on Processing
The Draft proposed to prohibit Data Fiduciaries from processing of personal data in a manner likely to cause harm to a child,[27] and explicitly defined harm as bodily harm or distortion, theft of identity, harassment, prevention of any lawful gain, or causation of any significant loss.[28]
Under the Act, the definition of ‘harm’ has been removed, and Data Fiduciaries are prohibited from undertaking such processing “that is likely to cause any detrimental effect on the well-being of a child”.[29] This will mean that Data Fiduciaries have to truly act in a fiduciary capacity in relation to children and anticipate any detrimental effect that may occur from their processing.
Similarly, the Act[30] (like the Draft[31]), imposes a prohibition on “tracking or behavioral monitoring of children”, and “targeted advertising directed at children”. Again, absent clear definitions of these terms, these restrictions can extend to age gating solutions, as well as filtering mechanisms which ensure appropriate advertising or content.
Fortunately, unlike the Draft, the Act allows for the Class Exemption and Safety Dilution to be extended to this restriction as well.[32] One hopes that the clear use cases which are protective of children (such as age gating and intelligent age verification) are exempted from these restrictions clearly, and that a Safety Dilution is brought to allow for services and advertising (such as age appropriate educational or entertainment content) to be directed at children who are in their teens.
In light of the above, the rules issued under the Act become crucial to clarify the classes of Data Fiduciaries and purposes for which the obligations in relation to obtaining verifiable consent as well as the ban on tracking, behavioral monitoring and profiling do not apply. Similar to the Draft, the specific penalty for breach in observance of additional obligations in relation to children of up to two hundred crore rupees has been retained.[33] Therefore, clear cut delegated legislation clarifying legislative intent and providing certainty to businesses on compliance is crucial in relation to the personal data of children.
Overall, the position under the Act is a welcome move for sectors, both where the key demography for receipt of services is children and entities looking to market their products to children. The creation of enabling exemptions for classes and purposes, as well as the lowering of the age of consent for certain kinds of verifiably safe processing will help enable businesses to engage with children in manner which is safe for them, and protective of their interests.
[1] The Digital Personal Data Protection Act, 2023 (“Act”), available here.
[2] Justice K. S. Puttaswamy v. Union of India (2017) 10 SCC 1 (Puttaswamy-I); Justice K. S. Puttaswamy v. Union of India (2019) 1 SCC 1 (Puttaswamy-II).
[3] The Digital Personal Data Protection Bill, 2022 (“Draft”),
available here.
[4] Section 2(3), Draft.
[5] Section 10, Draft.
[6] International Association of Privacy Professionals, Government receives more than 20K submissions on India’s proposed DPDPB, May 1, 2023, available here.
[7] The Indian Majority Act, 1875.
[8] Section 11, The Indian Contract Act, 1872.
[9] See: Section 30, Partnership Act, 1932.
[10] Section 2(3), Draft.
[11] Section 2(f), Act.
[12] Article 8, GDPR: follows a graded approach for processing of personal data of children, and the valid age for consent ranges from 13 to 16 years depending on Member State, subject to a
minimum age of 13 years.
[13] Section 1798.120, California Consumer Privacy Act: provides that businesses can sell personal information of a child under the age of 16 years if they get affirmative authorization and under the age of 13 with opt-in consent of the parent or guardian.
[14] However, this is not true globally, for instance, the Singapore Personal Data Protection Act, 2012 (here) does not specifically call out obligations in relation to children, and the Personal Data Protection Commission of Singapore’s ‘Advisory Guidelines on Key Concepts in the Personal Data Protection Act’ (May 16, 2022, available here), state that a “child or young person” is defined as someone below 18 years of age.
[15] Section 10(1), Draft.
[16] Section 2(t), Act: “personal data” means any data about an individual who is identifiable by or in relation to such data.
[17] Section 9(1), Act.
[18] Section 2(i), Act: “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
[19] Section 9(4), Act
[20] Section 9(5), Act.
[21] Section 2(6), Draft.
[22] Section 2(j), Act.
[23] Article 8, GDPR.
[24] Section 2(x), Act.
[25] Section 9(1), Act.
[26] Section 82, Indian Penal Code, 1860.
[27] Section 10(2), Draft.
[28] Section 2(10), Draft.
[29] Section 9(2), Act.
[30] Section 9(3), Act.
[31] Section 10(3), Draft.
[32] Sections 9(4), 9(5), Act.
[33] Entry 3, Schedule, Act.
