© The Indian Express Pvt Ltd
Tags:
Journalism of Courage
Unable to narrow down on a conclusive technological intervention to allow tech companies gathering parental consent before processing children’s personal data, the IT Ministry has reached out to the industry for inputs on how the requirement can be implemented under the upcoming data protection rules, The Indian Express has learnt.
The Digital Personal Data Protection Act, 2023 requires tech companies to develop a consent framework to verify a child’s age (people below the age of 18) and gather their parents’ consent before they can use an online service. This has been a major sticking point for the industry since the Act itself does not suggest ways in which platforms can perform age-gating.
In an internal meeting involving senior IT Ministry officials on Tuesday, it was discussed that though the ministry has explored a number of options for implementing the provision, it has become a significant challenge as to how the relationship between a child and her parents can be reliably established, a senior government official said, requesting anonymity.
“There will be a meeting now between the ministry and the tech industry sometime this week, likely today (July 18) to come up with a workable solution and figure out what is technically feasible,” a second official said on condition of anonymity.
The IT Ministry did not respond to an immediate request for comment.
While the data protection Act has largely been welcomed by the industry for its relatively easy compliance structure, the provision on gathering verifiable parental consent has been the final thorn in the bush which has divided the industry and the government.
Last year, as part of its internal deliberations on the data protection rules, the ministry was considering two ways to establish the relationship between children and their parents – one was to use parents’ DigiLocker app, which is based on their Aadhaar details, and the other is for the industry to create an electronic token system which will be allowed only if the government authorises it.
However, the ministry no longer thinks these solutions could be implemented at scale and is understood to have dropped the idea. The inability to arrive at a conclusive decision on how to proceed with the verifiable parental consent provision is the biggest reason behind the delay in releasing the data protection rules. Without the rules, the data protection Act can not be operationalised as it depends on at least 25 such provisions to implement the modalities of the Act.
As per the data protection Act, some entities can be exempted from obtaining verifiable parental consent and age gating requirements including healthcare and educational institutions. It is also understood some entities can be exempted from the norms on a restricted basis, that is, depending on the specific purpose for which they need to process a child’s data.
Globally, privacy legislations have not prescribed a technology to gather verifiable parental consent, and have left it to data collectors to use relevant technology through which such consent can be gathered.
For instance, the United States’ Children’s Online Privacy Protection Act (COPPA) does not mandate the method a company must use to get parental consent. Instead, it says that an operator must choose a method “reasonably designed” in light of available technology to ensure that the person giving the consent is the child’s parent.
The COPPA, however, has prescribed some basic standards that any technological measure to gather a child’s parent’s consent should adhere to. These include signing a consent form and sending it back to them via fax, mail, or electronic scan; using a credit card, debit card, or other online payment system that provides notification of each separate transaction to the account holder; calling a toll-free number staffed by trained personnel; connecting to trained personnel via a video conference; or verifying a picture of a driver’s licence or other photo ID submitted by the parent and then comparing that photo to a second photo submitted by the parent, using facial recognition technology, among others.
The European Union’s General Data Protection Regulation (GDPR) – considered to be among the strictest privacy laws globally – on the other hand, requires data collectors to make “reasonable efforts” using available technology to verify that consent provided on behalf of a child under the age of 13 has, in fact, been provided by the holder of parental responsibility for that child.
In the event of a complaint, the law will consider whether a data collector has made reasonable efforts to verify that the data subject is old enough to provide their own consent, taking into account the risks inherent in the processing and the available technology.
