New Delhi: A draft of rules for India’s data protection law has proposed that parents mandatorily identify themselves before their children can join certain online platforms.
This is part of the first draft of the rules that will enforce the Digital Personal Data Protection (DPDP) Act, 2023, and was published by the ministry of electronics and information technology (Meity) on Friday.
Among key points, the rules mandated localization of all personal data within India apart from exceptional circumstances. Parents and guardians, barring specific exceptions, will have to verify their identity before an individual under 18 years of age can sign up for a ‘significant’ online platform.
The rules have also proposed to give the Centre exceptional powers to seek personal data—or withhold it—of and from a citizen, citing national security.
Underlining that companies operating online platforms will have to “ensure that verifiable parental consent is obtained” before an individual below 18 years of age signs up for a platform, the rules state that companies will further have the burden of observing “due diligence for checking that the individual identifying herself as the parent is an adult who is identifiable, if required”.
Also read | Meta works to comply with India’s data protection Act
The rules state that such a verifiable identity can be established through a “verified token”, or through DigiLocker—the Centre’s Aadhaar-linked digital identity storage and authentication platform.
Applicability of the DPDP Act and its rules have also been offered exemptions in case of archiving personal data, on which industry consultants and lawyers have raised concerns.
The Centre has retained powers to seek personal data without any specified checks in concerns involving national security, which will require a company to divulge personal information of an individual without disclosing it to the individual himself, also citing national security and integrity.
“Further clarity will certainly be sought in the public consultation process that follows, including clarity on what happens to all the minors and their data that are already in public domain,” a senior consultant to the Centre said, requesting anonymity.
Personal data, however, has been mandated to be localized in India, barring in cases and countries as exempted by the Centre.
Industry consultants said that the rules are likely to add a heavy compliance burden on all parties involved, since enforcing verifiable parental consent could lead to chaos.
“Further clarity will certainly be sought in the public consultation process that follows, including clarity on what happens to all the minors and their data that are already in public domain,” a senior consultant to the Centre said, requesting anonymity.
The rules, to be sure, are not immediately notified, but will now go through a consultation process, following which it would be notified with a time period afforded to companies to comply with them.
Also read | Mint Explainer: Concerns around Digital Personal Data Protection law
“The public consultation is expected to spark significant discussions on various aspects of the rules. A critical area of focus will be the potential for data localization, where specific categories of personal data may be required to remain within India. Equally important is the need for robust mechanisms to ensure verifiable parental consent, particularly requiring identification of parents and their adulthood before processing children’s personal data. Provisions allowing government access to personal data for national security reasons will likely draw close scrutiny, addressing questions about transparency and oversight,” said Dhruv Garg, partner at think-tank Indian Governance and Policy Project.
Kazim Rizvi, founding director of think-tank The Dialogue, added that the parental consent mechanism “leaves ambiguity regarding the verification process.”
“It remains unclear whether this would entail methods such as phone calls, video conferencing, signed forms, financial information, or other personal identification documents like a driver’s license. Another potential issue could be that this Rule presumes that the parent in question is digitally literate, at least to effectively navigate and assist in this process. A more challenging aspect of the Rules is the mandatory requirement for parental supervision for the majority processing of children’s data, defined as individuals below the age of 18 years. This provision could lead to substantial consent fatigue for parents or guardians, given the frequency with which children interact with digital platforms. The lack of a graded or nuanced approach to evaluating the capacity of minors to provide informed consent independently may render this requirement overly rigid and controversial, particularly for older adolescents who may possess the maturity to make decisions about their data,” Rizvi added.
And read | The new data protection bill: Five takeaways
For companies too, Rizvi added that the rule, in its current form, “introduces risks of inconsistent implementation, especially in cases involving guardians.”
Catch all the Technology News and Updates on Live Mint. Download The Mint News App to get Daily Market Updates & Live Business News.
MoreLess
