The DPDP Bill 2023 mandates that the age of children for whom parental consent is required as 18. Given the widespread use of Information and Communication Technology, this is likely to lead to implementation problems. The Bill has however carved out some exceptions and has given the leeway to regulators to navigate these issues. It remains to be seen whether the deft use of these provisions will ensure that young India continues to seamlessly benefit from the internet.
The Digital Personal Data Protection Bill,2023 hereinafter referred to as “DPDP Bill, 2023” has taken a one size fits all approach to age of consent and pegged it at 18. Section 2 (f) of the bill defines “child” as an individual who has not completed the age of eighteen years, same as the previous versions of the Bill. Section 9 (1) of the recently introduced Bill stipulates that processing of personal data of children requires “verifiable parental consent”. However, the Bill also states under Section 9 (4) & (5) that certain “classes of data fiduciaries” can be exempted from the provisions and can process the data without parental consent and can also do behavioral monitoring which is otherwise restricted under clause (1) & (3) of section 9. This will leave a lot to the way the regulators interpret and implement the provisions.
The threshold of 18-year-old has been criticized as being too high, and not in line with international standards. The practices followed in other geographies are as under:
- EU-GDPR < 16 years,
- USA - CPRA and COPPA, 13 years to 16 years where the children can opt in and give consent them self,
- UK – DPA < 13 years,
- Korea - PIPA < 14 years,
- Japan - APPI 12 to 15 years
- India - DPDP Bill,2023 < 18 years,
If we view international practices, we notice that the maximum threshold has been kept at 16. Numerous stakeholders have also raised concerns about how a high threshold (18 years) can be detrimental to children by restricting their access to the internet.
- As under the provisions of the DPDP Bill, 2023 the Central Government shall notify the class of data fiduciaries who will be allowed to process the data of children without parental consent. This gives rise to a wide interpretation as to which category of data fiduciaries or which class of services will be considered eligible to allow behavioral monitoring, or even processing.
- Let us examine how this could play out in some sectors like Education, Health, Finance and Hospitality.
- The education sector can get an exemption on the grounds of legitimate use of children’s data for the development of children by providing study material and monitoring the behavior of children for the purpose of academic and psychological progress. But as we know, the young adults around the age of 17-18yrs get into college. Therefore, getting consent from parents at each step will not be a feasible option. For example, a student applying for an internship on multiple platforms will have to provide consent of parents before applying for each application.
- The hospitality sector doesn’t really collect or process the children’s data, unless and until provided to them by the lawful guardian somewhere does protect the data fiduciary.
- In the case of the financial sector all the data is collected under lawful guardian ownership and the age of minor is stated as 18years.
- The health care sector too can show legitimate use for the purpose of treatment of the disabled children and multiple other causes and can very easily take consent from the parents as well.
The areas which could face challenges could be online gaming platforms, shopping platforms, social media platforms, entertainment platforms etc. They may not play a role in the growth or development of children but have become a major part of their lives. Imagine a young individual wanting to purchase a gift online for his parents for their anniversary but is forced to seek parental consent! There are many such examples. Young adults definitely need their own space and freedom on the internet. There are multiple platforms which are now being used by teenagers not just for e-learning but also for showcasing their views and talent.
India is the world’s most populated country having an estimated 430 million individuals below the age of 18. We need to understand that the young minds don’t rely only on books for knowledge but also seek an understanding through internet. If the rules are not practical and not easy to follow, young adults will find a way to bypass them. We therefore expect the Data Protection Board to come up with workable models around the age of consent for children.
Summary
Eighteen years as the age of parental consent is too high by global standards. Given the widespread use of the internet by children, the regulator would have to come up with a series of measures to make the rules business and young adult friendly.