The upcoming data protection Bill could empower the Central government to lower the age of consent from 18, for accessing Internet services without parental oversight. It could also exempt certain companies from adhering to additional obligations for protecting kids’ privacy if they can process their data in a “verifiably safe” manner. This marks a key departure from the previous data protection Bill that was floated in 2022 where the threshold of children’s age was hard-coded at 18 years. The change, however, is in line with data protection regulations in the Western world, with regions like the European Union and the United States prescribing a lower age of consent. Lowering the age of consent under the 2022 draft had been a key ask of the industry, especially social media companies, as a hard-coded age of consent would have meant business disruptions for them on account of setting up new systems for obtaining parental consent for users under 18 years of age — a key demographic for such services. The final change in the Bill that is headed to Parliament marks a series of twists and turns as a number of stakeholders attempted to prescribe what the age of children should be in India's data protection law. Journey of a clause: How the definition of a child kept changing Justice BN Srikrishna committee report: The committee, which was set up by the Centre months before the Supreme Court's landmark decision of upholding privacy as a fundamental right, submitted its report to the government in 2018. The report relied on the definition of majority under the Contract Act where the age of majority is 18 years and recommended that for individuals under 18 years, entities will have to seek parental consent. However, the report also flagged that “from the perspective of the full, autonomous development of the child, the age of 18 may appear too high”. It said were the age of consent for contract to reduce, a similar amendment may be effected here too. Personal Data Protection Bill, 2019: The Justice Srikrishna committee report served as the precursor to the Personal Data Protection Bill, 2019 (PDP Bill, 2019) which retained its recommendation and defined a child as an individual under the age of 18. Joint Committee of Parliament recommends lowering the age of consent: The PDP Bill, 2019 was referred to a Joint Committee of Parliament, which in late December 2021 came up with its final set of recommendations and proposed that the definition of children should be restricted to 13/14/16 years of age and be reduced from 18 years. Digital Personal Data Protection Bill, 2022: After the Centre withdrew the earlier version of the data protection Bill from Parliament in August 2022, the IT Ministry came up with a new draft, called the Digital Personal Data Protection Bill, 2022, last November, under which children were defined as those under 18 years of age. The Bill proposed that for children, companies will have to seek “verifiable parental consent”. But social media companies were unhappy with the clause. Final change: Under the data protection Bill that received Cabinet’s nod earlier this month and will be tabled in Parliament’s Monsoon session, the definition of a child is understood to have been changed to an “individual who has not completed the age of eighteen years or such lower age as the Central Government may notify”, The Indian Express had earlier reported. Certain entities that deal in collecting and processing children’s data can also be exempted from seeking parental consent if they can ensure that the “processing of personal data of children is done in a manner that is verifiably safe”. While the Central government can issue such exemptions to entities through a notification, the Women and Child Development Ministry, along with the IT Ministry, is expected to assess a platform’s privacy standards for children for granting them exceptions. How the world defines children in data protection regulations In data protection legislation globally, the definition of children varies from 13 to 16 years of age. In some regions like Australia, there is currently no set age for defining a child, however, a recommendation has been made in the country to set the age at 18 years. EU’s General Data Protection Regulation (GDPR): Under the GDPR, the age of consent has been kept at 16, but it allows member states to lower it to as much as 13. The law affords specific protection to children’s personal data since they “may be less aware of the risks, consequences and safeguards concerned and their rights”. Such protections apply to the use of the personal data of children for the purposes of marketing or user profiles. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child, as per the GDPR. USA’ Children's Online Privacy Protection Act (COPPA): The COPPA defines children as being under 13 years of age – and parental consent is needed for processing the personal data of those under that age. The law requires entities to provide notice to parents and obtain verifiable parental consent prior to collecting, using, or disclosing personal information of children below the age of 13. It also prohibits entities from conditioning children’s participation in activities on the collection of more personal information than is “reasonably necessary” to participate in such activities. Australia’s Privacy Act, 1988: It protects an individual’s personal information regardless of their age, and doesn’t specify an age after which an individual can make their own privacy decision. For their consent to be valid, an individual must have ‘capacity to consent’. The law says that an organisation handling the personal information of an individual under the age of 18 must decide if the individual has the capacity to consent on a case-by-case basis. In Australian jurisprudence, an individual under the age of 18 has the capacity to consent if they have the maturity to understand what’s being proposed. If they lack maturity it may be appropriate for a parent or guardian to consent on their behalf. However, under a review of the Privacy Act, 1998 by the Attorney-General of Australia, a recommendation has been made to clearly define the age of a child as an individual under 18 years. China’s Personal Information Protection Law (PIPL): Under the PIPL, entities handling personal data of individuals younger than 14 years must obtain their parents' or other guardians' consent before processing their data. The law counts children’s data under the “sensitive” category and requires entities to provide a specific privacy policy if they process children's personal information.
