The government might get the power to to reduce the age restriction for users under the proposed Digital Personal Data Protection Bill to as low as 14 years
A company seeking consent for processing children’s data will have to demonstrate that it uses the information in a ‘verifiably safe’ manner, as per the updated draft
Last April, the IAMAI had also called for reduction in the age of consent and sought a ‘risk-based approach’ to the age of consent
Inc42 Daily Brief
Stay Ahead With Daily News & Analysis on India’s Tech & Startup Economy
The Centre might reportedly get the power to reduce the age restriction for users who can give consent under the proposed Digital Personal Data Protection Bill to as low as 14 years.
However, in such cases, the company seeking consent for processing children’s data must demonstrate that it uses the information in a ‘verifiably safe’ manner, ET reported citing the latest draft of the Digital Personal Data Protection Bill, 2023.
Last week, the Union Cabinet approved the Bill and it is expected to be tabled in the upcoming Monsoon Session of the Parliament.
The earlier draft of the Bill, released by the Ministry of Electronics and Information Technology (MeitY) in November last year, proposed a minimum age of consent of 18 years for data processing. It also mandated that data of children below this age be used only with explicit parental consent.
A senior government official told ET that the updated provision would empower the government to allow the processing of personal data of children only in circumstances where the child is the ultimate beneficiary, such as healthcare and education.
Incidentally, companies like Meta and Google have been demanding that the age of consent be reduced as their business depends heavily on the ability to process user data.
Last year, the Internet and Mobile Association of India (IAMAI) also called for lowering the age of consent and sought a ‘risk-based approach’ for it in the Bill.
Interestingly, the European Union pegs the age of consent at 16 years, while it is at 13 years in the US under the Children’s Online Privacy Protection Act. The likes of France, Austria and Belgium have the age of consent of 15, 14 and 13 years, respectively.
Meanwhile, the government has also changed its approach to cross-border data processing. Now, the draft Personal Data Protection Bill includes blacklisting geographies where data of Indian citizens can’t be processed. The draft has also reportedly introduced additional obligations for significant data fiduciaries, depending on the volume of data processed by a company.
The government has also placed the onus on data fiduciaries for seeking clear and absolute consent from the data principal. In the updated draft, the government has mandated that any consent sought from the users should either be accompanied or preceded by an itemised notice in clear and plain language.
The notice should describe why the data is being collected, how it will be processed, where it will be stored and the possible implications of the processing of the data on the owner.
Note: We at Inc42 take our ethics very seriously. More information about it can be found here.