Processing of Personal Data of Children

Section 9. Processing of Personal Data for Children

9(1).

  • Processing of personal data may involve a child.

  • It may also involve a person with disability who has a lawful guardian.

  • Before processing the personal data of such a person, consent is required.

  • The consent must be obtained from:

    1. The parent of the child.

    2. The lawful guardian of the person with disability, as applicable.

  • The consent must be verifiable consent.

    1. Verifiable consent makes sure that the consent is genuine and can be confirmed.

    2. The manner of obtaining such consent must follow prescribed rules.

    3. Processing of personal data can begin only after such verifiable consent is obtained.

Explanation:

  • For the purposes of this section:

    1. The term "consent of the parent" does not refer only to biological or adoptive parents.

    2. Wherever applicable, it also includes the consent of a lawful guardian.

    3. Accordingly, consent can also be given by a lawful guardian.

    4. Such consent by a lawful guardian is treated as equivalent to parental consent.

9(2).

  • Processing of personal data may involve a child.

  • Such processing must be carefully evaluated.

    1. A Data Fiduciary is prohibited from undertaking certain processing activities if it is likely to cause harm.

    2. The harm must have a detrimental effect and must concern the well-being of the child.

    3. Accordingly, any processing that risks adversely affecting a child’s well-being is not permitted.

9(3).

  • Certain types of data practices are expressly prohibited.

  • If the Data Principal is a child then:

    1. A Data Fiduciary is not permitted to carry out tracking of children.

    2. A Data Fiduciary is also not permitted to engage in behavioural monitoring of children.

    3. In addition, targeted advertising directed specifically at children is not allowed.

  • These restrictions are absolute and apply irrespective of consent.

  • The objective is to protect children from profiling, surveillance, and exploitative advertising practices.

9(4).

  • 9(1) and 9(3) normally apply when personal data of a child is processed.

  • These sub-sections will NOT apply in certain situations.

  • These exceptions apply only to specific classes of Data Fiduciaries when the processing is done for specific purposes.

    1. These specific Data Fiduciaries are only those categories that are officially notified.

    2. Even where the exemption is allowed, it is subject to conditions that may be laid down.

  • All such classes, purposes, and conditions will be prescribed by rules under this Act.

9(5).

  • The Central Government has the power to grant exemptions.

  • This power can be exercised only if the Government is satisfied that:

    1. A Data Fiduciary processes children’s personal data in a verifiably safe manner.

    2. Once satisfied, the Government may issue a notification for that specific Data Fiduciary.

    3. The notification will specify an age threshold (an age above which children are covered by the exemption).

  • For children above that specified age, the Data Fiduciary may be exempted from:

    1. All or some obligations under 9(1).

    2. All or some obligations under 9(3).

  • The extent of the exemption (which obligations are relaxed and to what degree) will be clearly mentioned in the notification.

  • The exemption applies only to the processing carried out by that notified Data Fiduciary, not universally.

Section 10. Additional Obligations of Data Fiduciary

10(1).

  • The Central Government has the power to identify certain Data Fiduciaries as Significant Data Fiduciaries.

  • Such identification is done by issuing a notification.

  • The notification may apply to either of the following:

    1. A specific Data Fiduciary.

    2. A class of Data Fiduciaries.

  • The decision is based on an assessment carried out by the Central Government.

  • The assessment must consider relevant factors.

  • These factors may include the following:

    1. (a). The volume and sensitivity of personal data processed.

    2. (b). The risk posed to the rights of the Data Principal.

    3. (c). The potential impact on the sovereignty and integrity of India.

    4. (d). The risk to electoral democracy.

    5. (e). The security of the State.

    6. (f). Public order.

  • These factors help determine whether heightened obligations are warranted.

10(2).

  • Once an entity is designated as a Significant Data Fiduciary, additional obligations apply.

  • The Significant Data Fiduciary shall comply with the following requirements:

  • (a). Appoint a Data Protection Officer, who shall:

    1. (i). Represent the Significant Data Fiduciary under the provisions of this Act.

    2. (ii). Be based in India.

    3. (iii). Be an individual who is responsible to the Board of Directors or a similar governing body of the Significant Data Fiduciary.

    4. (iv). Act as the point of contact for the grievance redressal mechanism under the provisions of this Act.

  • (b). Appoint an independent data auditor:

    1. To carry out a data audit.

    2. To evaluate the compliance obligations of the Significant Data Fiduciary in accordance with the provisions of this Act.

  • (c). Undertake the following other measures, namely:

    1. (i). Conduct a periodic Data Protection Impact Assessment, which shall be a process comprising:

      1. A description of the rights of Data Principals.

      2. The purpose of processing of their personal data.

      3. Assessment of risks to the rights of the Data Principals.

      4. Management of such risks.

      5. Any other matters relating to the process as may be prescribed.

    2. (ii). Carry out a periodic audit.

    3. (iii). Undertake such other measures, consistent with the provisions of this Act, as may be prescribed.
