In 2023, the Indian Parliament passed the long-awaited Digital Personal Data Protection Act (DPDPA), which, under Section 9 makes provision for the regulation of the personal data of minors. According to the Act, parental consent is mandatory for the processing of any personal data of children up to the age of 18 years. While protecting the personal data of children from misuse or unauthorized processing is a laudable objective, it is questionable whether the child should be completely excluded from the decision-making process.
As held by the Indian Supreme Court in the Puttaswamy case, the fundamental right to privacy not only encompasses protection of one’s personal data from unauthorized processing, but also protection of the right to informational self-determination and data sovereignty. In other words, the data subject must have control over how her personal data is to be processed. While children and adults cannot be placed at par when it comes to providing consent for processing of personal data, it appears to be overly paternalistic to assume that the child can never decide what is in her best interests.
In the digital age, the proliferation of EdTech and social media has ensured that the primary means of communication and information-sharing happens online. Keeping such a context in mind, one can argue that fundamental rights of minors, such as the right to education and the right to receive and impart information, are liable to be infringed, in case parents deny consent to processing of their personal data. The problem is further exacerbated by the fact that the age limit of 18 years is set unduly high, unlike in enactments like the General Data Protection Regulation (GDPR) in the EU, and the Children’s Online Privacy Protection Act in the US, where the age limit is set at 16 years and 13 years, respectively.
Scholars have argued that the rights of a child vis-à-vis her parents cannot be subjected to a bright line test, but rather lie on a spectrum, with the rights of a child continually increasing in extent with age and maturity, even when the legal age of majority has not been reached. This position is in line with both international regulations and case law. Article 12 of the UN Convention on the Rights of the Child, which India has ratified, stresses on the point that due weightage must be given to the views of the child when the child is “capable of forming his or her own views”. The General Comment on this provision makes it clear that as the age and maturity of the child increases, the role of the parent as the sole decision-maker on behalf of the child correspondingly decreases [84]. In the UK, the Gillick case adopted a similar line of reasoning, albeit in the context of a child’s right to access healthcare without the consent of parents. As the House of Lords noted, a child must be able to provide consent to obtain contraception before the age of 18 years, provided that the child shows “sufficient understanding and intelligence” to understand the ramifications of the decision.
It is undoubtedly true that children remain vulnerable to online harm, and a certain degree of parental supervision and guidance may be warranted. However, the paternalistic approach in the DPDPA that nullifies the right of the child to take decisions concerning her own personal data, conflicts not only with international legal norms but can potentially fall foul of a child’s fundamental rights.
0 Comments