Aadhaar-based consent for children to go online is proposed in new data protection rules.

The Sunday Express has learned that among the key proposals in the upcoming data protection rules are using an Aadhaar-based system to verify children’s age for using online services and obtaining their parents’ consent, as well as introducing a two-stage notification measure for tech companies to notify users about data breaches.

The Union Ministry of Electronics and IT (MeitY) is set to begin consultations on data protection rules as it prepares to implement the Digital Personal Data Protection Act, which was notified in August. According to official sources, it has scheduled a closed-door consultation with industry stakeholders on the proposed rules for December 19.

To operationalize the Act, at least 25 rules must be drafted, and the government has been given the authority to enact rules for any provision that it deems appropriate.

One of them is creating a consent framework to validate a child’s age before allowing them to use an online service. According to the Act, companies must obtain “verifiable parental consent” before allowing anyone under the age of 18 to use their platform. This has been a major sticking point for the industry because the Act does not specify how platforms can perform age-gating.


It is learned that the rules are expected to recommend two methods. The first is to use parents’ DigiLocker app, which is based on their Aadhaar details, and the second is for the industry to develop an electronic token system, which will be permitted only if the government approves it.

“Aadhaar-based authentication would be used.” The internet platforms will not have access to the users’ Aadhaar details. “It’s as simple as a yes/no response from the Aadhaar database on a user’s age,” said a senior government official who did not want to be identified because the rules have not yet been made public.

The industry will be able to develop a consent manager under the electronic system that can accept a user’s government ID, tokenize it into an encrypted format to protect the contents of the ID, and only share the age and name parameters with an online platform to verify a user’s age. According to reports, such a system will be permitted only if the Centre approves it.

Healthcare and educational institutions, for example, are exempt from obtaining verifiable parental consent and age gating requirements. It is also understood that some entities may be exempted from the regulations on a limited basis, based on the specific purpose for which they need to process a child’s data.

“For example, a transportation company can process a child’s data without age gating for the sole purpose of providing transportation services to that child.” But nothing further. Similarly, the government can process a child’s data for the sole purpose of providing them with welfare services,” a second official explained.

As part of a two-stage notification process, the rules are expected to propose that entities notify users about a data breach as soon as they become aware of it. In the first step, they must notify users about the nature and scope of the breach, among other things. In the second stage, they must notify users within 72 hours of any additional information related to the breach.

As part of a two-stage notification process, the rules are expected to propose that entities notify users about a data breach as soon as they become aware of it. In the first step, they must notify users about the nature and scope of the breach, among other things. In the second stage, they must notify users within 72 hours of any additional information related to the breach.

The penalty for failing to take adequate safeguards to prevent a data breach under the Data Protection Act could be as much as Rs 250 crore.

Another key rule proposal will be to require government institutions to notify citizens whenever they use their personal data to provide welfare services and subsidies, or for other similar purposes.

Shares:
Post a Comment

Leave a Reply

Your email address will not be published. Required fields are marked *