The Ministry of Electronics and Information Technology of the Union Government notified the draft rules for the Digital Personal Data Protection Act, 2023 (DPDP) and invited stakeholders to share feedback/comments on the rules by February 18, 2025.
The Rules related to the verifiable consent for processing personal data of children and persons with disabilities outlines the requirements for obtaining verifiable consent from parents or legal guardians before processing the personal data of children or persons with disabilities. “Verifiable consent is a great initiative to ensure governance on child consent, however, the draft rules do not prescribe a single method of identification for an adult claiming to be the parent,” said Vikas Bansal, Partner, IT Risk Advisory and Assurance, BDO India.
Specifically, a Data Fiduciary must implement measures to ensure that the person providing consent for a child’s data processing is the child’s parent or legal guardian, and that the parent or guardian is identifiable.
The Section 9 of the DPDP Act deals with Processing of personal data of children mandating the Data Fiduciary to obtain verifiable consent of the parent of such child or the lawful guardian before processing any personal data of a child or a person with disability. “The Data fiduciary must ensure that the identity of a parent is reliable and verifiable which could involve multiple combinations of documents which are already with the data fiduciary or identify data from official government service,” Vikas Bansal, Partner, IT Risk Advisory and Assurance, BDO India.
For a child, the Data Fiduciary must verify that the parent is an adult by using reliable identity details or a virtual token mapped to such details. This verification process is critical to ensure that consent is being given by a responsible adult, in compliance with relevant laws.
Comparing with International Jurisdictions
The comparison can be insightful in understanding the law, and challenges to the application. On age threshold for children, Vinay Butani, Partner at Economic Laws Practice highlights the age for parental consent required in India, GDPR (EU), and COPPA (USA) to be under 18, under 16 (can be lowered to 13), and under 13 respectively.
The DPDP Act states, “child” to an individual who has not completed the age of eighteen years. The parental control aligns with the existing legal jurisprudence, ensuring protecting the consent of the child and maintaining accountability to the question of ascertaining the validity of consent.
Vinay Butani, Partner at Economic Laws Practice further highlights the different in the status of accessibility in different jurisdictions such as India, GDPR, and COPPA. He noted that here were the frameworks requires disability-friendly consent mechanisms but lacks detailed implementation guidelines, GDPR ensures inclusivity and accessibility in processing whereas COPPA provides no explicit provisions for persons with disabilities.
“In comparison with prominent data privacy laws around the world, DPDP has been soft on various aspects such as lawful data processing or cross border transfer,” said Vikas Bansal, Partner, IT Risk Advisory and Assurance, BDO India.
There seems to be a legislative gaps in addressing the challenges related to cross-border transfers. There are exemptions provided from obligations in processing personal data of children to the standard requirements for processing the personal data of children, as stated in section 9 of the Act.
These exemptions are applicable to healthcare professionals, educational institutions, and childcare providers.
The processing of children’s personal data by these entities is permitted, but it is restricted to specific activities like health services, educational activities, safety monitoring, and transportation tracking.
These activities must be necessary for the well-being and safety of the child, ensuring that data processing is done within a defined and limited scope.
The draft rules will be going through public scrutiny and clarification considering the implication of the same on the individuals as well as businesses which will be a key challenge to address the challenges and ascertainment of clarity navigating through the issues of implementing the framework.