Aadhaar-Based System for Child Verification

The upcoming data protection rules in India aim to use an Aadhaar-based system to verify children’s age for accessing online services and obtaining parental consent. This move is part of the operationalization of the Digital Personal Data Protection Act, which was notified over four months ago.

Two-Stage Notification Measure for Data Breaches

The Union Ministry of Electronics and IT (MeitY) is initiating consultations on data protection rules, including a two-stage notification measure for tech companies to inform users about data breaches. An industry consultation on the proposed rules is scheduled for December 19, aimed at formulating at least 25 rules to operationalize the Act.

Consent Framework for Child Age Verification

One of the crucial rules under consideration is the development of a consent framework to verify a child’s age before accessing online services. The Act mandates companies to obtain “verifiable parental consent” for users under 18. The proposed rules may recommend two methods: using parents’ DigiLocker app based on Aadhaar details or an industry-created electronic token system, subject to government authorization.

Aadhaar-Based Authentication

For the first method, parents can add their kids’ Aadhaar details to the DigiLocker platform, allowing platforms to verify a user’s age without knowing the Aadhaar details. This involves a simple yes/no response from the Aadhaar database, ensuring privacy.

Electronic Token System for Consent Management

The second method involves the industry developing a consent manager using a user’s government ID. This ID is tokenized into an encrypted format, sharing only age and name parameters with online platforms for age verification. This system will be allowed only with government approval.

Simplifying Consent Rules

The government aims to simplify consent rules, particularly regarding parental consent for children accessing the internet. Internet platforms can obtain ‘yes/no’ responses from the Aadhaar database without revealing users’ details. Some entities, such as healthcare and educational institutions, may be exempt from obtaining verifiable parental consent and age gating requirements.

Exemptions Based on Specific Purpose

Certain entities may be exempted from norms on a restricted basis, depending on the specific purpose for processing a child’s data. For example, a transport company can process a child’s data for offering transport services but not beyond that. Similarly, the government can process a child’s data for limited welfare services.

Two-Stage Notification for Data Breaches

The proposed rules include a two-stage notification process for data breaches. In the first step, entities must alert users about the breach’s nature and quantum. In the second stage, they must provide additional details within 72 hours. Failure to safeguard against data breaches could result in penalties up to Rs 250 crore under the Data Protection Act.

Government Notice for Personal Data Usage

Another key proposal is that government institutions must issue notices to citizens when using their personal data for offering welfare services, subsidies, or similar activities. This enhances transparency and accountability in the usage of citizens’ personal information.

Month: Current Affairs - December, 2023

Category: Legal & Constitution Current Affairs