New Delhi: The first draft rules of India's Digital Personal Data Protection (DPDP) Act, 2023 have raised concerns and confusion around the proposed idea of a parent having to verify their identity when a child wants to use an online platform.
Lawyers and policy advisors said the proposed framework for verifying whether a person claiming to be an adult is one, in addition to being related to a child, could cause complications for individuals and become a burden on businesses. It could also cause confusion as the first draft of the DPDP rules does not define key terms such as 'harmful', 'welfare' and 'due diligence'.
The rules, published in the public domain on Friday, require parents and guardians of minors, defined as those under the age of 18, to authenticate themselves as responsible for the minor users – using tokenized data or government identification through the Digilocker platform to do this. So.
Burden for companies
However, early responses from policymakers argue that the process prescribed by the rules could impose a significant compliance burden on companies – without explicitly suggesting this.
Supratim Chakraborty, partner at law firm Khaitan & Co, said the current set of rules “only provides a basic framework for how the parental verification process could work.”
“Further rounds of consultation could lead to changes – such as finding a balance for companies in terms of their responsibilities and liabilities to establish a verifiable relationship between a parent and a minor. Apart from that, the DPDP law leaves no room for rules to define important words used in the law in the context of children's personal data, such as 'harm' and 'welfare'. This could be especially important when it comes to the use of key online platforms by those under the age of 18,” he added.
The verifiability of parentage can further complicate matters. Kazim Rizvi, founder and director of policy think tank The Dialogue, said there may be concerns about sharing too much sensitive data with private technology companies, and how that could impact privacy and information protection.
Share less data
A senior official directly involved in the regulatory process agreed with Chakraborty and Rizvi's assessment, adding: “A critical part of the regulatory process is to minimize data sharing as much as possible – this will be a key issue that must be addressed for the sake of both users and businesses.”
In this regard, companies have yet to express their concerns about the draft rules. Emails sent to Meta and Google seeking comments on the law received no immediate response.
The two companies, which operate Instagram and YouTube respectively, fall directly under the rules of the DPDP Act, 2023.
A senior executive at one of the companies, who requested anonymity, said that on the face of it, “making tech companies responsible for determining their parents' ID is unprecedented — if users of tech platforms don't voluntarily disclose the information themselves.”
“Overall, there is still a significant amount of ambiguity that can be addressed, but the current framework does succeed in establishing the direction that companies and individuals should take,” Chakraborty added.
Starting point
For the Center, the rules are a starting point to protect minors from threats on online platforms.
This was said by a senior industry official with direct knowledge of the matter Mint on condition of anonymity: “There is an understanding within the IT ministry that creating a framework that is foolproof, beneficial to all parties, yet conducive enough, can vary enormously for each stakeholder involved. The proposal of the current draft is to largely ensure that a basic framework is created – which can be resolved through current and future consultations and amendments.”
The consultation process for the rules, which began on January 3, will conclude on February 18.