April 2, 2023

General Studies Paper 2


  • The Digital Personal Data Protection (DPDP) Bill, 2022 provides for mandatory parental consent for all data processing activities by children, defined as any person aged under 18 years.
  • Background of data privacy law: Started in 2010 with the constitution of the Justice Srikrishna Committee.

Justice BN Srikrishna Committee Data Protection Report:

  • The Committee was constituted by the union government in July 2017, to deliberate on a data protection framework.
  • Puttaswamy judgment, 2017: The Supreme Court declared privacy a fundamental right.
  • Interests of citizens: The report emphasized that the interests of citizens and the responsibilities of the state have to be protected, but not at the cost of trade and industry.
  • It proposed a draft Personal Data Protection Bill.

New Data Protection Bill:

  • Inclusion of the word “digital” in the Bill’s title speaks to India’s long-standing goal of being a digitally forward society.
  • Bill has two major stakeholders:
  • Data Principal
  • Data Fiduciary.
  • Data Principal: It refers to the subject whose data is being processed.
  • Data Fiduciary: It is an entity that processes this data.
  • The use of the word “fiduciary” whilst referring to a data processor is significant.
  • The relationship between the two is guided by:
  • Trust, assurance and good faith.
  • Data Fiduciary: It is responsible for safeguarding the interests of Data Principals.
  • Bill describes:
  • The obligations of the Data Fiduciaries towards Data Principals
  • The rights and duties of the latter
  • Regulatory framework through which data will be processed.
  • Bill lists the “duties” of the Data Principals: these have no bearing on the realization of the rights provided by the Bill.

Important aspects of bill:

  • In addition to the general obligations to prevent the misuse of the personal data of individuals, the Bill has outlined a category of Significant Data Fiduciaries: entities that are required to comply with additional measures to safeguard the personal data of individuals.
  • Only companies that process vast amounts of data or have a potential impact on the country’s sovereignty and integrity need to take such stringent measures.
  • Such measures reduce the compliance cost of companies that are at a nascent stage.
  • “Data localisation” provisions in the previous versions of the Bill have been omitted: The reworked Bill permits the government to notify countries to which data transfers may be permitted.

The gaps in the Bill:

  • The Bill relies on parents to grant consent on behalf of the child in all cases.
  • In a country with low digital literacy, where parents in fact often rely on their children (who are digital natives), this is an ineffective approach to keeping children safe online.
  • It does not take into account the “best interests of the child”, a standard originating in the Convention on the Rights of the Child, 1989, to which India is a signatory.
  • The Bill does not factor in how teenagers use various Internet platforms for self-expression and personal development and how central it is to the experience of adolescents these days.
  • The Bill does allow the government to provide exemptions in the future from strict parental consent requirements, profiling, tracking prohibitions, etc.
  • It does not acknowledge the blurring lines between what a platform can be used for.
  • For example: Instagram is a social media platform, but is regularly used as an educational and professional development tool by millions of artists around the world.
  • Each platform will have to obtain ‘verifiable parental consent’ in the case of minors.
  • It can change the nature of the Internet.
  • Since it is not possible to tell if the user is a minor without confirming their age, platforms will have to verify the age of every user.
  • Risk for citizens: The government will prescribe whether verifiability will be based on ID-proof, or facial recognition, or reference-based verification, etc.
  • All platforms will now have to manage significantly more personal data than before
  • Citizens will be at greater risk of harms such as data breaches, identity thefts, etc.

Indian laws for child protection:

  • Protection of Child Rights Act, 2005
  • The Right of Children to Free and Compulsory Education Act, 2009
  • Protection of Children from Sexual Offences Act, 2012.

Way Forward

  • We need to shift our approach with respect to children’s data before this Bill is brought to Parliament.
  • To avoid the folly of treating unequals equally and blocking off access to the Internet for teenagers, these steps are needed.
  • Move from a blanket ban on tracking, monitoring, etc. and adopt a risk-based approach to platform obligations.
  • Platforms should be mandated to undertake a risk assessment for minors and not only perform age-verification-related obligations.
  • Design services with default settings and features that protect children from harm.
  • This approach will bring in an element of co-regulation, by creating incentives for platforms to design better products for children.
  • Relax the age of mandatory parental consent for all services to 13 years in line with many other jurisdictions around the world.
  • It will minimize data collection, which is one of the principles that the Bill is built on.
  • Experience and deliberations in the United Kingdom, and in the United States (California, New York, etc.) where age appropriate design codes have been introduced. To
  • The government should conduct large-scale surveys of both children and parents to find out more about their online habits, digital literacy, preferences and attitudes.
  • Design a policy in India that balances the safety and the agency of children online.
  • We should not put the onus of keeping our young safe only on parents, but should instead make it a society-wide obligation.
  • Get the data protection framework right as India’s ‘techade’ cannot be realized without its youth.