Published on: 11 July 2023 at 13:40 IST
According to a draft of the Digital Personal Data Protection Bill, 2023, the Indian government may have the power to lower the age at which users can give consent for data processing to as low as 14 years. However, companies seeking consent for processing children’s data must demonstrate that they handle the information in a “verifiably safe” manner.
This marks a change from the previous draft that proposed 18 years as the minimum age for consent and required explicit parental consent for children’s data usage. Internet companies like Facebook and Google have been advocating for a lower age requirement as it significantly impacts their business operations in India.
The updated draft also introduces a shift from whitelisting to blacklisting of geographies where the data of Indian citizens cannot be processed. It also places additional obligations on “Significant Data Fiduciaries” based on the nature and volume of data processed by a company.
A senior government official stated that the provision in the updated draft would only allow the processing of personal data of children in specific circumstances where the child is the ultimate beneficiary. The official emphasized that under no circumstances would this data be used for personalized advertisements or harmful content.
The updated draft of the Bill has been cleared by the Union Cabinet and is likely to be introduced in the upcoming monsoon session of Parliament, starting on July 20.
The provision allowing the processing of children’s data in certain circumstances deviates from the draft released in November. In the updated draft, the government retains the concept of cross-border data flow but adopts a “blacklisting” approach to restrict data flow to specific countries rather than the previous “whitelisting” approach.
The updated draft also provides for the powers and composition of the data protection board in more detail, while eliminating the digital office included in the earlier draft.
Additionally, the government introduces the “legitimate business interest” clause under deemed consent. Details regarding timelines for notifying data principals of data breaches and the absence of criminal penalties are still awaited, potentially allowing non-compliance or lapses to be resolved with monetary penalties for global big tech companies.
Moreover, the government imposes the responsibility on data fiduciaries to obtain clear and absolute consent from data principals. The updated draft requires consent requests to be accompanied or preceded by a clear and plain language notice, describing the purpose, processing, storage, and potential implications of data processing on the data owner.
In cases where the owner of personal data provided consent before the bill’s passage, the data fiduciary must explain within a reasonable timeframe why the data was collected and how it was processed thus far. The data fiduciary must also comply with requests to delete the data from its database if the data principal so desires.