Data protection Bill may lower age of consent, ease related norms

This had been a key ask of the industry, especially social media companies, as a hardcoded age of consent would have meant business disruptions for them on account of setting up new systems for obtaining parental consent for users under 18 years of age — a key demographic for such services. However, it is in line with data protection regulations in the Western world, with regions like the European Union and the United States prescribing a lower age of consent.

The change was made on account of considerations that children can be independent stakeholders on the Internet, and might want to access services without always needing their parents’ consent, a senior government official told The Indian Express.

Under the data protection bill that is expected to be tabled in Parliament’s Monsoon session, the definition of a child is understood to have been changed to an “individual who has not completed the age of eighteen years or such lower age as the Central Government may notify”. In the 2022 draft, the definition of a child was an “individual who has not completed eighteen years of age”.

Certain entities that deal in collecting and processing children’s data can also be exempted from seeking parental consent if they can ensure that the “processing of personal data of children is done in a manner that is verifiably safe”.

The central government can issue such exemptions to entities through a notification, and the Women and Child Development Ministry, along with the IT Ministry, is expected to assess a platform’s privacy standards for children for granting them exceptions.

“The changes will allow platforms that develop strong, proven and verified safeguards for children an option of dealing with children’s data without parental consent, for instance, online education related services,” the official said.

Under the European Union’s General Data Protection Regulation (GDPR), age of consent has been kept at 16, but it allows member states to lower it to as much as 13. The United States’ Children’s Online Privacy Protection Act (COPPA) has capped the age of consent at 13, and verifiable parental consent is needed only for those who are younger.

Other key changes to the upcoming Bill include further relaxations to cross-border data flows to international jurisdictions – by moving away from a whitelisting approach, to a blacklisting mechanism, as reported earlier by this newspaper.

Contentious clauses in Bill, such as wide-ranging exemptions to the Central government and its agencies and a diluted data protection board are learnt to have been retained in the final version of the Bill that was approved by the Union Cabinet on Wednesday (July 5)