The upcoming data protection Bill could empower the central government to lower the age of consent from 18, and also exempt certain companies from adhering to additional obligations for protecting kids’ privacy if they can process their data in a “verifiably safe” manner, The Indian Express has learnt.
The change is a major departure from the draft Digital Data Protection Bill, 2022 that was floated last November, under which the age of consent was hardcoded at 18 years – meaning that for processing data of individuals below the age of 18, companies were required to seek their parents’ consent. The upcoming Bill, it is understood, will take a graded approach to defining the age of consent on a case-by-case basis.
This had been a key ask of the industry, especially social media companies, as a hardcoded age of consent would have meant business disruptions for them on account of setting up new systems for obtaining parental consent for users under 18 years of age — a key demographic for such services. However, it is in line with data protection regulations in the Western world, with regions like the European Union and the United States prescribing a lower age of consent.
ADVERTISEMENT
The change was made on account of considerations that children can be independent stakeholders on the Internet, and might want to access services without always needing their parents’ consent, a senior government official told The Indian Express.
Must Read | Data Protection Bill approved by Cabinet: Content, concerns
Under the data protection bill that is expected to be tabled in Parliament’s Monsoon session, the definition of a child is understood to have been changed to an “individual who has not completed the age of eighteen years or such lower age as the Central Government may notify”. In the 2022 draft, the definition of a child was an “individual who has not completed eighteen years of age”.
Certain entities that deal in collecting and processing children’s data can also be exempted from seeking parental consent if they can ensure that the “processing of personal data of children is done in a manner that is verifiably safe”.
The central government can issue such exemptions to entities through a notification, and the Women and Child Development Ministry, along with the IT Ministry, is expected to assess a platform’s privacy standards for children for granting them exceptions.
ADVERTISEMENT
“The changes will allow platforms that develop strong, proven and verified safeguards for children an option of dealing with children’s data without parental consent, for instance, online education related services,” the official said.
Also Read | Express View on data protection Bill: Personal is private
Under the European Union’s General Data Protection Regulation (GDPR), age of consent has been kept at 16, but it allows member states to lower it to as much as 13. The United States’ Children’s Online Privacy Protection Act (COPPA) has capped the age of consent at 13, and verifiable parental consent is needed only for those who are younger.
Other key changes to the upcoming Bill include further relaxations to cross-border data flows to international jurisdictions – by moving away from a whitelisting approach, to a blacklisting mechanism, as reported earlier by this newspaper.
ADVERTISEMENT
Contentious clauses in Bill, such as wide-ranging exemptions to the Central government and its agencies and a diluted data protection board are learnt to have been retained in the final version of the Bill that was approved by the Union Cabinet on Wednesday (July 5)