USING AN Aadhaar-based system to verify children’s age for using online services and to gather their parents’ consent, and introducing a two-stage notification measure for tech companies to intimate users about data breaches, are among the key proposals in the upcoming data protection rules, The Sunday Express has learnt.
The Union Ministry of Electronics and IT (MeitY) is set to kickstart consultations on data protection rules as it looks to operationalise the Digital Personal Data Protection Act, which was notified over four months ago in August. It has scheduled a closed-door consultation with industry stakeholders on the proposed rules on December 19, official sources said.
At least 25 rules have to be formulated to operationalise the Act notified in August and the government has also been empowered to enact rules for any provision that it deems fit.
One of them is developing a consent framework to verify a child’s age before they can use an online service. The Act states that companies will need to gather “verifiable parental consent” for letting anyone under 18 years access their platform. This has been a major sticking point for the industry since the Act itself does not suggest ways in which platforms can perform age-gating.
The rules, it is learnt, are expected to recommend two methods. One is to use parents’ DigiLocker app, which is based on their Aadhaar details, and the other is for the industry to create an electronic token system which will be allowed only if the government authorises it.
Under the first, parents will be allowed to add their kids’ Aadhaar details to the DigiLocker platform and platforms would be able to ping the app to verify whether a person accessing their site is indeed a child.
“This would be Aadhaar-based authentication. The internet platforms will not know the Aadhaar details of the users. It is a simple yes/no response from the Aadhaar database on a user’s age, as simple as that,” said a senior government official, who did not wish to be named, since the rules are yet to be made public.
Under the electronic system, the industry will be able to develop a consent manager which can accept a user’s government ID, tokenise it into an encrypted format to protect the contents of the ID, and only share the age and name parameters with an online platform to verify a user’s age. Such a system, it is learnt, will only be allowed if the Centre approves it.
Simplifying consent rules
KEY among the rules to be framed by the government in consultation with stakeholders are those related to parental consent for children before they can browse the internet. Without revealing Aadhaar details of users, internet platforms will be able to obtain simple ‘yes/no’ responses from the Aadhaar database based on a user’s age.
Some entities, including healthcare and educational institutions, can be exempted from obtaining verifiable parental consent and from age-gating requirements. It is also understood that some entities can be exempted from the norms on a restricted basis, that is, depending on the specific purpose for which they need to process a child’s data.
“For instance, a transport company can process a child’s data without age gating for the limited purpose of offering them transport services. But nothing beyond that. Similarly, the government can process a child’s data for the limited purpose of offering them welfare services,” a second official said.
The rules are also expected to propose that entities notify users about a data breach as soon as they become aware of it as part of a two-stage notification process. In the first step, they will be required to alert users about the nature and quantum of the breach, among other things. In the second stage, they will have to notify users within 72 hours about any additional details related to the breach.
Under the data protection Act, the penalty for not being able to take enough safeguards for preventing a data breach could go as high as Rs 250 crore.
Another key proposal of the rules will be to require government institutions to issue a notice to citizens whenever they are using their personal data for offering welfare services and subsidies, or for other similar activities.