The paradox of Consent & Autonomy: The Data Protection Bill of India & Children

  • Shashwat Bhutani and Pranav Tiwary


With the advent of the internet, easy access to knowledge, information and entertainment has increased manifold. The development of the internet was coupled with a revolution in the sphere of technology which has made children the technocrats of today. It is estimated that there are some 71 million active internet users in India in the age bracket of 5-11 years as of 2019. As there are two sides to every coin, the increasing use and the overarching reach of the internet pose some serious risks to the data privacy of individuals, especially children. Many countries have enacted laws to protect data privacy, such as the General Data Protection Regulation (GDPR) of the European Union and the Children’s Online Privacy Protection Rules (COPPR) of the United States. In India, the Supreme Court in the much-celebrated judgment of K.S. Puttaswamy v. Union of India recognized the right to privacy as a fundamental right by declaring it an inextricable part of Article 21 of the Constitution. This set the wheels of the government machinery in motion, which led to the establishment of the Justice B.N. Srikrishna Committee to provide its insights into the issues relating to data protection in India. The suggestions of the Committee translated into the Data Protection Act of 2019. As of July 2020, this bill is pending before the Joint Parliamentary Committee for its approval. Thus, significant inroads have also been made by India to protect data privacy.

As such, Data Protection can be divided into two phases:

1) Protection of data at the stage of collection.

2) Protection of data when in the possession of the data fiduciary.

In this paper, the authors will deal only with the first stage, i.e. protection of data at the stage of collection, in the case of children and the requirement of parental consent.


The Supreme Court, while delivering the Puttaswamy judgment, expounded the scope of the Right to Privacy by stating that it includes “decisional autonomy”, which means that a person has a right to make an informed decision on whether to enforce his fundamental right to privacy or not. In other words, a person can at will waive his right to privacy and allow others to process his data. Thus, the right to privacy forms an exception to the ruling of the Supreme Court in Behram Khurshed Pesikaka v. The State of Bombay, in which it was held that Fundamental Rights cannot be waived.

The Court, however, while dealing with ‘decisional autonomy’, gave it a universal application. As a result, every individual, irrespective of his/her age or mental capacity, was allowed to waive his/her right to privacy. However, an individual, along with his right to privacy, also has a duty to protect his privacy. Adults can reasonably be expected to have the capacity to protect their privacy; young children, however, lack such capacity. The situation becomes further complicated in the case of adolescents, as they are clearly far more mature than children but are still not grown adults. Thus, on the one hand, there exists a need for state intervention in restricting decisional autonomy and thereby protecting the privacy of children and adolescents; on the other hand, such restrictions must be proportional so that they do not exceed their limits.

Now, in order to protect the Right to Privacy of the people, the Government proposed the Data Protection Bill, 2019. Section 3(8) of the Bill defines a child as a person who has not completed the age of eighteen years. Section 16(1) requires age verification and parental consent before allowing any processing of data of a child. In other words, a person who is below the age of eighteen cannot give his own consent and would require the consent of the parent as he/she has been classified as a child by the Bill.

The Srikrishna Committee, while dealing with the age of consent, deliberated on other laws dealing with data protection, namely the GDPR and the COPPR. Article 8 of the GDPR has fixed the age of consent at 16 years and has also given the member states of the EU the flexibility to reduce it to as low as 13 years of age. Rule 312.2 of the COPPR further relaxes the age of consent by fixing it at 13. In India, however, the Committee relied on Section 11 of the Indian Contract Act and fixed the age of consent at 18 years. While the Committee acknowledged that this might appear too high in light of the development of the child, the justification it gave is that it is consistent with the existing legal framework.

It is submitted that the decision of the board relies less on the practical realities of life and instead gives credence to uniformity in the law. According to a famous study, children at the age of sixteen possess psychological maturity similar to that of an adult. The Madras High Court, in the case of Sabari Sabarinathan Sabarivasan v. State Commission for Protection of Child Rights and Ors., also suggested, in a similar vein, reducing the age of consent under the POCSO Act to 16 years owing to the maturity attained by a child. Thus, where the High Court has opined that children above the age of 16 years should be allowed to give consent for something as serious as sexual intercourse, they must also be allowed to give consent when it comes to the processing of their data.

It is further submitted that in these times of rapid technological advancement, children, especially late adolescents, i.e., ages 16-18, have become increasingly aware of the consequences of their acts on their privacy. Children in their later years of childhood become more mature and responsible while using the internet. They achieve the level of consciousness required to make reasoned decisions and responsible choices relating to their privacy. In many households across the country, it is the children who command greater knowledge in the technological sphere than their parents. Moreover, the increasing debate in recent times relating to one’s data privacy and protection has further educated them on these important concepts.


The Supreme Court, in the case of K.S. Puttaswamy v. Union of India, gave a four-point test (collectively known as the Doctrine of Proportionality) to determine the constitutionality of a law which restricts the Fundamental Right to Privacy:

(i) The action must be sanctioned by law;

(ii) The proposed action must be necessary for a democratic society for a legitimate aim;

(iii) The extent of such interference must be proportionate to the need for such interference;

(iv) There must be procedural guarantees against abuse of such interference.

Thus, the state law which aims to restrict decisional autonomy vis-à-vis the Right to Privacy, which in our case is the Data Protection Bill, must fulfill the aforementioned conditions. Here, the authors would like to draw attention to the third point of the proportionality test, i.e. “the extent of such interference must be proportionate to the need for such interference”, and submit that the interference necessary in the case of children between the ages of 16 and 18 years is substantially less than that in the case of younger children, for the simple reason that adolescents are far more mature. Subjecting them to the same restrictions as a child would mean curtailing their decisional autonomy beyond the limit. For example, the restrictions required for a 16-year-old are significantly lower than those required for a 10-year-old. Hence, it is submitted that the present Bill violates the right to privacy of late adolescents, as it restricts their decisional autonomy beyond necessity.


In light of the above arguments, the authors would like to submit that a more pragmatic approach to the issue is required, and that reducing the age of a child, as provided in the Bill, to below sixteen would serve the purpose. This would allow a person to have greater decisional autonomy, by removing the barrier of parental consent, and would also make them more responsible towards their data rights. Furthermore, this would be fairly reasonable and receptive to the reality of today’s times. At the same time, the government should take active steps to educate children about their right to privacy and data privacy. Since much teaching is taking place online due to the pandemic, schools can also play a fundamental role in inculcating in children the concepts of privacy and data security. Oliver Wendell Holmes once remarked, “Children are our most valuable natural resource”. Thus, we need to nurture them today in such a manner that they truly become “responsible” digital leaders of tomorrow.

The authors are law students at the Faculty of Law, University of Allahabad.

