India’s proposed data protection law has been a long time in the making. In 2018, a committee of experts constituted by the Indian government issued a first draft of a proposed law on data protection. In late 2019, a revised version of the draft, titled the Personal Data Protection Bill, 2019 (the “PDPB”), was introduced in the Indian Parliament. The PDPB was dogged by controversies, especially on exemptions that were afforded to government agencies, the treatment of anonymised data, data localisation requirements, and regulated cross-border transfers. For a deeper examination of the proposed law, the draft was referred to a Joint Parliamentary Committee composed of members of both Houses of the Parliament (“Committee”).

On December 16, 2021, the Committee finally presented the “Report of the Joint Committee on the Personal Data Protection Bill, 2019” (referred to as the “Report”) to the Parliament. The Report substantially consists of the Committee’s overarching recommendations on the PDPB and a revised draft of the PDPB. Now referred to as the Data Protection Bill, 2021 (hereafter, the “Bill”), the updated draft law contains the spirit of its predecessor – that is, it seeks to protect the digital privacy of citizens and create a relationship of trust between individuals and entities processing their data – but also goes several steps further.

Part 5 of this series discusses the provisions relating to “Personal Data of Children” under the PDPB Bill.


Processing of the personal data of a child (i.e., someone below the age of 18 years) must be done in a manner that protects the rights of the child. A data fiduciary must, before processing the personal data of a child, verify the age of the child and obtain their parent’s or guardian’s consent in a prescribed manner.

Data fiduciaries are prohibited from profiling children, from tracking or behaviourally monitoring them, from direct advertising directed at them, and from undertaking any processing that can cause significant harm to a child.

Key Divergence from the PDPB

The Committee has recommended the deletion of the concept of “guardian data fiduciaries”, which were, under the PDPB, data fiduciaries that (a) operated commercial websites for or provided online services that were directed towards children, or (b) processed large volumes of personal data of children. Instead, data fiduciaries that process personal data of children or provide services to children will be classified as “significant data fiduciaries”, and will therefore automatically be subject to enhanced compliance obligations.