• In India, 833 million active internet users comprise 59.28% of the population.
• 66 million Internet users are children of 5 to 11 years which is 15 % of India''s active Internet users.
• In order to ensure safeguarding of internet users, Ministry of Electronics and Information Technology recently proposed a draft Digital Personal Data Protection (DPDP) Bill, 2022.
• This provides for mandatory parental consent for all data processing activities by children, defined as any person aged under 18 years. 

Digital Personal Data Protection (DPDP) Bill

• The first draft of the law — the Personal Data Protection Bill, 2018, was proposed by the Justice Srikrishna Committee.
• Aim: setting out a data protection law for India.
• The government made revisions to this draft and introduced it as the Personal Data Protection Bill, 2019 (PDP Bill, 2019) in the Lok Sabha in 2019.
• The Lok Sabha passed a motion to refer the PDP Bill, 2019 to a joint committee of both the Houses of Parliament.
• Due to delays caused by the pandemic, the Joint Committee on the PDP Bill, 2019 (JPC) submitted its report on the Bill after two years in December 2021.
• The report was accompanied by a new draft bill, namely, the Data Protection Bill, 2021 that incorporated the recommendations of the JPC.
• However, in August 2022, citing the report of the JPC and the “extensive changes” that the JPC had made to the 2019 Bill, the government withdrew the PDP Bill.

Key features of Digital Personal Data Protection Bill, 2022

• It focused on personal data, as compared to an earlier unwieldy draft.
• It incorporates hefty penalties for non-compliance, but which are capped without any link to the turnover of the entity in question.
• It has relaxed rules on cross-border data flows that could bring relief to the big tech companies, alongside a provision for easier compliance requirements for start-ups.
• It covers the processing of personal data which is collected by data fiduciaries within the territory of India and which is processed to offer goods and services within India.
• It provides a lower degree of protection as the earlier drafts only excluded data processed manually specifically by “small entities” and not generally.
• It reduces the information that a data fiduciary is required to provide to the data principal.
• It seems to suppose that a notice is only to be provided to take consent of the data principal.
• A notice is also important for the data principal to exercise data protection rights such as the right to know what personal data is being processed by whom, whether that data needs correction or updation and also to request deletion of data that may not be relevant for the purpose of processing.
• It introduces the concept of “deemed consent”.
• In effect, it bundles purposes of processing which were either exempt from consent-based processing or were considered “reasonable purposes” for which personal data processing could be undertaken under the ground of “deemed consent”.
• It recognises the right to post-mortem privacy which was missing from the PDP Bill, 2019.
• It would allow the data principal to nominate another individual in case of death or incapacity.

Issues with bill

• Relies on parents to grant consent on behalf of the child in all cases.
• Low digital literacy: In India parents often rely on their children for the digital content.
• Does not factor in teenager''s use of various Internet platforms for self-expression and personal development.
• Does not take into account the “best interests of the child”, a standard originating in the Convention on the Rights of the Child, 1989, to which India is a signatory.
• India has upheld this standard in laws such as the Commissions for Protection of Child Rights Act, 2005, the Right of Children to Free and Compulsory Education Act, 2009, and the Protection of Children from Sexual Offences Act, 2012.
• However, it has not been applied to the issue of data protection. 
• Allow the government to provide exemptions in the future from strict parental consent requirements, profiling, tracking prohibitions.
• For example, Instagram is regularly used as an educational and professional development tool by millions.
• Each platform will have to obtain ‘verifiable parental consent’ in the case of minors.
• All platforms have to manage more personal data than before
• Citizens will be at greater risk of harms such as data breaches, identity thefts, etc.

Looking ahead

• Platforms should be mandated to undertake a risk assessment for minors and design services with default settings that protect children from harm.
• This will bring in co-regulation, by creating incentives for platforms to design better products for children.
• Relax the age of mandatory parental consent for the short term to minimize data collection.
• Conduct surveys of both children and parents to find out their online habits, digital literacy.
• Make a policy that balances the safety and the agency of children online.

In the digital era of India, data protection is very important for Indian internet users. A data breach can cause damage to the economy as well as the population of India. A good policy concerning data protection is necessary for the secure digitalization of India.