Globally one in three people who use the internet is a child. The UN Convention on the Rights of the Child states that all decisions made by state or private entities must consider the “best interests of the child”. While the internet may amplify the risk of physical, sexual and psychological harm to children, it is also the primary technology through which children enjoy their information and communication rights. Therein lies the dichotomy at the heart of regulating for children’s online safety.

However, what is in the best interest of the child, has often been construed through a paternalistic lens, neglecting the wide variance in age between infancy to adulthood. Scholars have pointed out that over-emphasising the child’s right to protection leads to an insufficient recognition of “children’s evolving capacities”, as well as their intrinsic right to be heard, and to participate in decision-making pertinent to them.

The Digital Personal Data Protection Act, 2023 (DPDP Act) defines a ‘child’ as an individual below 18 years. Where a data principal is a child, the Act considers the parents or lawful guardian of the child to be included. Section 9 places an obligation on the data fiduciary to obtain verifiable consent of the parent or lawful guardian before processing personal data of a child.

Further, Section 9(4) allows certain classes of data fiduciaries to be exempt from various obligations of verifiable consent, prohibitions on tracking, monitoring, and targeted advertisements. This is subject to any conditions that may be prescribed.

Data fiduciaries

Subsequently, sub-section (5) of Section 9 empowers the Centre to notify the age above which certain data fiduciaries will be exempt from these obligations, upon satisfaction that the processing of children’s personal data is carried out by a data fiduciary in a ‘verifiably safe’ manner. This is a significant legislative carve-out, which has enriched the discourse on governance of children’s personal data in India. Even though the definition of child under the Act has adhered to the traditional 18-year benchmark a possible graded approach to children’s privacy has found home in the law, which is key to secure children’s autonomy and independence.

It takes into account the varying levels of maturity of children, thus upholding the right of young persons to make decisions with respect to their personal data. This has important implications for children’s autonomy in accessing mental healthcare services, medical treatments, and decisions with respect to their own choices.

The carve-out also fosters trust and cooperation between the regulator and industry. It nudges data fiduciaries to institute robust systems that ensure that such processing is done in a ‘verifiably safe’ manner. It also incentivises such entities to institute self-regulation mechanisms to uphold privacy safeguards for children that could help them accrue the benefit of being exempt from the underlined obligations.

The next frontier in protection of children’s personal data lies in breaking the shackles of the paternalistic model which considers anyone below the age of 18 to be a child. The DPDP Act has adopted a progressive stance, in comparison to previous versions of the legislation, by acknowledging that such a rigid ceiling may not be desirable.

Recognising that children have evolving capacities, varying maturity levels across the spectrum, and a right to participate in decision-making, could help in refining our data privacy regime. The way we reconcile a child’s right to privacy with their right to autonomy, therefore, lies at the heart of this debate.

The writer is Research Fellow, Shardul Amarchand Mangaldas & Co. The inputs of Shahana Chatterji and Namrata Ramachandran are acknowledged

comment COMMENT NOW