In order to operationalise the Digital Personal Data Protection Act, now the Union Ministry of Electronics and IT (MeitY) seems to be all prepared to kickstart the consultations on data protection rules.
New Data Protection Rules
Earlier it was notified around four months ago in August.
In this regard, the ministry has scheduled a closed-door consultation to discuss with industry stakeholders on the proposed rules on December 19, as per the information provided by the official sources.
Under this initiative, almost 25 rules have to be formulated to operationalise the Act notified in August.
Besides this the center also has been empowered to enact rules for any provision that it deems fit.
Some of them include, using an Aadhaar-based system to verify children’s age for using online services and to gather their parents’ consent, and introducing a two-stage notification measure for tech companies to intimate users about data breaches, are among the key proposals in the upcoming data protection rules, as per the media report.
Development Of Consent Framework For Children
It also includes the task of developing a consent framework which will verify a child’s age before they can use an online service.
This Act also mandates that the companies will have to gather the “verifiable parental consent” for letting anyone under 18 years access their platform.
This appears to be a major sticking point for the industry as this Act itself does not suggest any ways by which different platforms can go ahead with age-gating.
But these are expected to recommend two methods as learnt.
The first suggestion talks about the use of parents’ DigiLocker app, again it is based on their Aadhaar details.
While the second suggestion is for the industry to create an electronic token system that can help in allowing the audience only if the government authorizes it.
So, for the first scenario, the parents will be allowed to add their kids’ Aadhaar details to the DigiLocker platform.
Then the platforms would be able to ping the app so that they can verify whether a person accessing their site is indeed a child.
According to a senior official, “This would be Aadhaar-based authentication. The internet platforms will not know the Aadhaar details of the users. It is a simple yes/no response from the Aadhaar database on a user’s age, as simple as that.”
In the second suggestion, the industry will be able to develop an electronic system having a consent manager which can accept a user’s government ID, tokenize it into an encrypted format to protect the contents of the ID, and will only share the age and name parameters with an online platform to verify a user’s age.
Please note here that this kind of system development will only be allowed if the Centre approves it.
Besides this, they are planning to exempt some entities from obtaining verifiable parental consent and age gating requirements which includes healthcare and educational institutions.