The Personal Data Protection Bill, 2019 and the Digital Age of Consent : A Comment


The Supreme Court of India, in its landmark judgement of K.S Puttuswamy v UoI [(2017) 10 SCC 1)], upheld the right to privacy of individuals. It proved to be a positive start to develop on privacy laws in India. In furtherance of the same the Personal Data Protection Bill, 2018 was drafted. After a year of discourse and comments on the same, The Personal Data Protection Bill, 2019 (hereinafter referred to as Bill) was brought into light. 

While considering the right to privacy of individuals, the Bill has provided protection of personal and sensitive data of children. Section 3 (8) of the Bill defines ‘child’ as anyone under the age 18. Chapter IV specifically deals with the protection of personal data and sensitive personal data of Children.

The premise of this chapter is that the data fiduciaries, while processing data of children must keep in check the rights of the child, keeping in mind them being the vulnerable section of the society. 

The chapter further focuses on requisite consent by parent/guardian after verifying the age of the child, based on the grounds provided (Section 16(3)). The provision specifically bars any fiduciary using said data for purposes specified therein (section 16(5)).

However, one of the concerns is with regard to the blanket provision for anyone aged below the age of 18. The logic that was put forth by the drafters was corresponding to the age limit as prescribed in the Indian Contract Act. 

Problems with regard to a blanket provision:

1.) Difference in understanding capacities: 

The Netizen now depends on the internet and related activities since an early age. Given an understanding that certain aged individuals that do not understand the concept of importance of protecting personal data and need a representative to decide/consent on behalf of them is important. However, this does not always prove well when taken into consideration with regard to activities of older children and their online presence.

Example: A 16 year old, while being a part of an online survey on market accessibility of a certain food product would not require consent from his parents/guardian (and would understand the importance of giving any personal data) as opposed to a 10 year old that would.

Age of 13 is now considered as the Internet’s age of adulthood. Given the understanding capacity, few websites that process given data collected from older children would need a different regulation mechanism. 

2.) Unclear with regard to data fiduciaries:

The mention of guardian data fiduciaries is focused essentially on fiduciaries dealing with services directed at children. However, such classification significantly excludes websites that do not specifically target children but 13-18 year olds are a huge population on the same. 

For example- The Children Online Privacy Protection Act, 1998, USA (COPPA)- has given a clear age classification of anyone below 13 years of age to be considered a child. This Act applies to all US based companies. Majority of social media websites being regulated under this law are to only comply with the age classification given under this Law. Thus, making 18 the age of consent to be able to access social media would mean policing the already existing accounts of teenagers within the age group of 13-18 and suspending or deleting the same. This making for difficult policy to implement and seeking better age verification standards. 

Suggested Solution:

1.) Plain and Clear Language:

Given the difference in the understanding capacity, it is clear that if the age group of 13-18 year olds are to be clearly explained the role of their personal data and the consequences of misuse of such data, it would not be necessary to obtain consent from their parent/guardian under certain circumstances, i.e informed consent.   

As is reiterated in the 2016 GDPR regulation in para 58 as “clear and plain language” specifically for lower age groups should be used while processing personal data of children. Thus when the provision in the Bill mentions circumstances under which protection would be provided to children under 18, the same could be found having a clearer effect on older children given the different understanding capacities as mentioned earlier. 

2.) Regulation of Guardian Data Fiduciary based on age group-

The Guardian Data Fiduciary must further be divided into two brackets- one that concerns children under 13 and the other with children aged 13-18 (Adolescent).

This classification would help regulate websites that target solely pre-teen population online. For example the COPPA provides for special regulations for pre teen targeted websites and the extra precautions they are to take with regard to collecting and processing data. Precisely keeping in mind that the interest of adolescents might differ from their parents’.

3.) Distinction between age groups to be made in the provisions of the Bill (or) Change in the age of consent-

With regard to further regulations being based on the two separate age groups of children as mentioned, should be settled as ground in the text of the Bill. This would only make easy the formation of effective regulations that will be drafted under the Act.

Article 8 of the GDPR sets the age of consent as 16. This is however not a strict imposition and member states are allowed to have a lower threshold according to the laws of the state. This proves well the point that in a fast developing tech savvy world, the digital age of consent, especially over the internet need not follow the older contract law based approach. 


Understanding the importance of protection of rights of a child is essential. The drawbacks mentioned in this essay are solely for the enforcement of this very intention of protecting child rights. The protection of personal data and sensitive data of children (although the Chapter does not mention sensitive data and its distinction with regard to regulation of personal data) sheds a positive light in the steps taken with regard to protecting the rights of a child. The Bill prohibiting profiling, targeting children directly or behaviorally through advertisements for children is a commendable inclusion, further the relaxing of parent/guardian consent for online counselling or child protection services is also remarkable. More comments on the said provision can be made when further regulations are drafted and after implementation of the same.

Priyanshi Dixit is a final year law student.

2 thoughts on “The Personal Data Protection Bill, 2019 and the Digital Age of Consent : A Comment”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s