In August 2023, the Digital Personal Data Protection Act, 2023 (act), was passed into law. Before this, the collection, storage, usage, and other matters relating to personal data were regulated primarily by the Information Technology Act, 2000, read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
The act came into effect after three previous attempts had been made to legislate specific data protection legislation. It points to a clearer future in relation to the digital use, collection and processing of personal data. Personal data means data that enables a specific individual to be identified from them. Data that is collected in non-digital form, but is subsequently digitised also falls within the purview of the act. The act creates a supervisory authority, the Data Protection Board of India (board), which has the power to investigate complaints and to impose penalties.
While safeguards for children, that is individuals under the age of 18, are to be found in other areas of the legal system, the old data protection regime did not carve out specific protections for the personal data of children. In the context of modern online challenges posed to child safety such as grooming, phishing and cyber-bullying, and because many children frequently use social media platforms this absence was particularly noticeable. The social media platforms in question did not fill this legislative gap, as they seldom had nuanced policies to protect children.
However, section 9 of the act now specifically deals with the rights of the child and the duties imposed on data fiduciaries regarding children. A data fiduciary is one who, alone or with others, determines the purpose for which personal data is processed and the way in which it is so processed.
Section 9(1) provides that the processing of the personal data of a child may take place only once the verifiable consent of the parent or legal guardian has been obtained. Section 9(3) prohibits the tracking or behavioural monitoring of children and targeted advertising directed towards them. The processing of the personal data of children, which is likely to cause any detrimental effect on their well-being, is not allowed under section 9(2).
Anyone who breaches any obligation in relation to the processing of children’s personal data is, under section 33 and the schedule to the act, liable to pay a fine of up to INR2 billion (USD24 million). This heavy penalty comes with a list of factors that the board has to take into account when assessing the extent of the harm caused by the statutory violation. These include the nature, gravity and duration of the breach, and whether such breach has been repeated. The need to deter breaches is specifically set out as a factor to be considered.
It should be repeated that in addition to obtaining parental consent prior to the processing of the personal data of any child, a data fiduciary has to ensure that the identity of the parent or guardian is accurately authenticated or verified.
Section 9(4) carves out a relaxation of the obligations where the government is satisfied that the personal data of children can be safely processed by a prescribed class of data fiduciaries or for a prescribed set of purposes and subject to any prescribed conditions.
In the event the government is satisfied that a data fiduciary has ensured that its processing of the personal data of children is done in a manner that is verifiably safe, it may, under section 9(5), set the age for such processing above which that data fiduciary is exempt from the obligations in sections 9(1) and (3).
Technological developments, exerting significant and rapid effects on the cultural and legal role of personal data, occur at a pace that is inconsistent with considered, deliberate and effective law-making. It is apparent that the new act meets this challenge by making room for a considerable degree of variation in the treatment of digital data, as affected by such developments. It does this by ensuring that the upper limit of penalties is suitably high, but leaving the government flexible and free enough to accommodate the positions of data fiduciaries when the need arises. Counterbalancing public interest must of course also be taken into account in this equation.
Ashima Obhan is a senior partner and Anubhav Chakravorty is an associate at Obhan & Associates.
Advocates and Patent Agents
N – 94, Second Floor
Panchsheel Park
New Delhi 110017, India
Contact details:
Ashima Obhan
T: +91-9811043532
E: email@obhans.com
