The Ministry of Electronics and Information Technology (MeitY) has released the draft rules for the Digital Personal Data Protection (DPDP) Act, 2023, passed by Parliament last year.
These rules, now open for public consultation until February 18, 2025, aim to establish a comprehensive framework for data protection in India’s growing digital ecosystem.
A key focus of these draft rules is to ensure that digital platforms can verify the identification and age details of users, especially when processing the personal data of children. Below are the various scenarios in which data fiduciaries (DF) must verify the identity and age details of parents or guardians before processing a child’s data:
Verification of Parent’s Identity
When a child (C) is using a platform, their parent (P) must authenticate their identity before the child’s personal data can be processed. The platform (DF) will allow P to authenticate through its website, app, or other means. DF will ensure that P is a registered user who has already provided their identity and age details. Before processing the child’s data, DF will verify that it has reliable identification and age information for P.
Verification by a Trustworthy Authority
In this case, DF will enable P to authenticate their identity through the platform. Before processing C’s personal data, DF must ensure that the parent’s identification and age details are provided by a trustworthy source, such as a legal or government body or a verified digital token. P may voluntarily provide these details using digital locker services.
Verification of Identifiable Adult
If P identifies themselves as the parent but is not a registered user on the platform, DF must verify, before processing the child’s data, that P is an identifiable adult. The verification will rely on identification and age details from an authoritative source, such as a government or legal entity or a virtual token. P may voluntarily use a digital locker service to provide the required details.
The draft also defines several terms critical to these processes:
– Adult: A person who is at least eighteen years old.
– Digital Locker Service Provider: An intermediary, including any government agency or corporation, that may be notified by the central government under the Information Technology Act, 2000.
– Designated Authority: An authority designated under the Rights of Persons with Disabilities Act, 2016, which helps persons with disabilities exercise their legal capacity.
– Applicable Law for Guardian: This applies to individuals with long-term physical, mental, intellectual, or sensory disabilities, and the laws governing guardianship for such individuals to ensure their full and equal participation in society.
These provisions aim to ensure that children’s data is processed responsibly while safeguarding their privacy and rights in the digital space. The consultation period for the draft rules will allow stakeholders to provide feedback, ensuring the rules are comprehensive and effective.
