Author details:
Poorvi Yerrapureddy is a 4th year student at the National University for Advanced Legal Studies (NUALS), Kochi.
Sharath Chandupatla is a practicing advocate at the Telangana High Court.
Introduction
The proposed personal data protection framework for India puts heavy obligations on the data fiduciary to process personal data. Under the Personal Data Protection Bill, 2019 (“PDPB” or “PDP Bill” or “the Bill“), the obligations to process children’s personal data are more stringent than processing the personal data of adults. The Bill requires data fiduciaries to process the personal data of a child to protect the rights of and in the best interest of the child.[1] Guardian data fiduciaries, a subset of data fiduciaries, are barred from “profiling, tracking, behaviourally monitoring, or targeted advertising directed at, children” and conducting any processing activity which may cause “significant harm” to the child.[2] A child under the Bill has been defined to mean anyone under the age of 18 years.[3]
To ensure that these obligations are adequately discharged, the Bill requires data fiduciaries to deploy age verification mechanisms. Once the age of the data principal has been verified, to proceed with the processing of children’s personal data, the data fiduciaries must obtain the consent of the child’s parent or guardian for processing any personal data of children.[4] This article focuses on interpreting what constitutes the “best interests” of a child. The moot point being, the standard for the “best interests” of the child in the context of processing their personal data. The authors discuss whether the interpretation of the principle under other statutes and international instruments is sufficient to interpret the “best interests” phrase and whether parental consent is enough to satisfy the “best interests” requirement. The article attempts to address the obligation of data fiduciaries while processing children’s personal data in the context of the “best interests” principle.
Best Interests of Child
The Bill does not define what constitutes the best interests of a child or what factors must be taken into consideration while interpreting the same. To understand what the best interests of a child are, it is pertinent to review the intention behind the legislation and refer to the interpretation of this phrase in other statutes.
The Sri Krishna Committee Report on Data Protection states that “Safeguarding the best interests of the child should be the guiding principle for statutory regulation on protecting data of children. This is enunciated in the CRC, to which India is a signatory”.[5] Article 3 of the Convention on Rights of the Child envisages that the best interests of the child should be the primary consideration of States Parties and that the rights and duties of the child’s parents or guardian should be taken into consideration to that end.[6]
The prevailing interpretation of the doctrine states that the child’s opinion must be taken into consideration and that the child is heard.[7] The best interests of the child will not always be the single, overriding factor to be considered; the child’s interests, however, must always be the subject of active consideration. It needs to be demonstrated that the children’s interests have been explored and taken into account as a primary consideration.[8] According to the UN Committee, if a legal provision has multiple interpretations, the interpretation which most effectively serves the child’s best interests should be chosen.[9]
The UN Committee on the Rights of the Child has stated that the determination of the best interests of the child should begin with an assessment of the specific circumstances which make the child unique and the following elements should be taken into account when assessing the child’s best interests:[10] the age of the child, the nature of the personal data, nature of the relationship between the child and the parent/guardian, the purpose for which the guardian seeks to exercise the child’s rights, the child’s views and identity, preservation of the family environment and maintaining relations; care, protection and safety of the child; a situation of vulnerability; the child’s right to health; the child’s right to education along with any sectoral rules/laws which may be present.[11]
When it comes to balancing the various elements in the best interests assessment, the UN Committee considered that there may be situations where “protection” factors requiring restriction of the child’s rights need to be assessed against the child’s “empowerment” (e.g. the full exercise of their rights without restriction). In such situations, the UN Committee’s position is that the age and developmental capacity of the child should be taken into account to assess the level of maturity of the child.[12] For example, while deciding whether or not to show a child sexually explicit content, the purpose should be considered, such as whether it is for sex education or for other reasons.
Accordingly, it can be understood that the obligation deriving from international law as well as European law to act in the best interests of the child is of paramount importance. This is particularly relevant taking into account the consideration that the position of children as data subjects and any context where decisions are made by any organisation in connection with the processing of children’s personal data.[13]
Under Indian law, the “best interests” principle has been primarily discussed in the context of custody. Indian Courts have held that the best interests of the child should be the primary consideration while deciding a case of custody.[14] However, the Courts interpret the principle on a case-to-case basis. The interpretation of the best interest doctrine in Indian law follows the notion that society and state should be given space to intervene while the child should be given an opportunity to participate.[15] The Bill does not give an opportunity to the child to participate in processing their personal data. Consent should be given by the parents, which is necessary for processing children’s personal data. This leads to the question of whether parental consent equates with the best interests of the child.
Parental Consent
The Bill mandates that the processing of personal data of children requires the data fiduciary to obtain parental consent in a manner that would later be specified through regulations. The Srikrishna Committee Report stresses the importance of parental consent as the sole basis for processing children’s personal data.[16] Considering that there is a requirement to obtain parental consent under the Bill, the question then arises whether data fiduciaries can absolve themselves of all liability with regards to processing the data in the best interests of the child by merely obtaining parental consent. The authors argue that parental consent is merely a legal basis for data fiduciaries to process children’s personal data while processing it in the “best interests” of the child goes above and beyond obtaining parental consent.
The Report, among other things, does not address whether taking parental consent would suffice in fulfilling the obligations of data fiduciaries to process the personal data in the best interests of the child. The Report and the Bill are drafted on the premise that parents know what is best for their children. This is more likely to be applied in other concerns of children, like adoption or custody. However, the question arises whether a parent would even understand the concept of privacy, notice and consent in itself, let alone evaluate the best interests of the child for processing personal data. In reality, it is an arduous task for parents around the world to read and understand the legal jargon of privacy policies and terms of service; however, this becomes increasingly more complex for many Indian parents as they may not be well educated or literate. Consequently, the premise that parental consent will be sufficient for processing personal data of children (other than barred practices by guardian data fiduciaries) is flawed.
Now, let us evaluate the obligations on data fiduciaries to process personal data of children in their best interests vis-a-vis obtaining parental consent. There are two ways to interpret the threshold of obligation on data fiduciaries. Firstly, the best interest of the child will be considered as a larger set, within which parental consent constitutes a subset. This means that even if a parent consents to certain types of processing activities, there will still be an underlying obligation on behalf of the data fiduciary to process the data only if it is in the best interest of the child, the data fiduciary should ensure they are compliant. Secondly, it is assumed that a parent would only consent to activities that are in their child’s best interest and therefore, as long as a data fiduciary is able to obtain valid parental consent, it shall be presumed that all processing is in the best interest of the child. The second interpretation significantly lowers the burden on data fiduciaries as they will not be liable to check if the processing activities cause significant harm to the child as long as they have obtained valid consent from parents.
However, the second interpretation will result in the provision being redundant. As, if parental consent is sufficient and there was no additional obligation on the part of the data fiduciary to take the best interest of the child into consideration, there would be no requirement to add an additional provision specifying that best interest is an obligation which must be fulfilled. Therefore, even if a data fiduciary obtains valid parental consent, they must still ensure their processing is in the best interest of the child by applying various privacy by design mechanisms.
Conclusion
Creating safe cyberspace for children is of paramount importance. This cannot be achieved by relying solely on parental consent. Imposing an obligation on the data fiduciary to process personal data in the best interests of the child will further the protection of children’s rights. Implementation of a practical standard of the best interest principle is essential to process children’s personal data in a fair and reasonable manner.
[1] The Personal Data Protection Bill, 2019, Bill No. 373 of 2019, S.16(1). [Hereinafter referred to as ‘PDPB’]
[2] PDPB, S.16(5).
[3] PDPB, S.3(8).
[4] PDPB, S.16(2)
[5] Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, A Free and Fair Digital Economy Protecting Privacy, Empowering Indians, p. 43.
[6] Article 3, Convention of the Rights of the Child, General Assembly resolution 44/25 of 20 November 1989.
[7] Lecture by Thomas Hammarberg, Commissioner for Human Rights Council of Europe, THE PRINCIPLE OF THE BEST INTERESTS OF THE CHILD – WHAT IT MEANS AND WHAT IT DEMANDS FROM ADULTS, p.5.
[8] UNICEF, Implementation Handbook for the Convention on the Rights of the Child, p. 38; LAW COMMISSION Report 257, Reforms in Guardianship and Custody Laws in India (May 2015),
[9] ‘General comment No. 14 (2013) On the Right of the Child to Have His or Her Best Interests Taken as a Primary Consideration’ (art. 3, para. 1), Committee on the Rights of the Children 2013, United Nations CRC/C/GC/14 Convention on the Rights of the Child.
[10] Fundamentals for a Child Oriented Approach to Data Processing Draft Version for Consultation, IDPC, p.19
[11] LAW COMMISSION Report 257, Reforms in Guardianship and Custody Laws in India (May 2015).
[12] Supra note 10; Fundamentals for a Child Oriented Approach to Data Processing Draft Version for Consultation, IDPC, p.19.
[13] Fundamentals for a Child Oriented Approach to Data Processing Draft Version for Consultation, IDPC, pg. 19.
[14] Lahari Sakhamuri v. Sobhan Kodali, (2019) 7 SCC 311,
[15] Sasmita Adika Candra, Rodliyah; L.Parman, The Best Interest of the Child Principle in the Juvenile Justice System, International Journal of Multicultural and Multireligious Understanding (IJMMU), Vol. 6: 4 (2019), p. 501.
[16] Supra note 5, p.45.