DPDP Act 2023 and the Issue of Parental Consent | 19 Jul 2024

For Prelims: Digital Personal Data Protection Act, National Data Governance Policy,, Data fiduciaries, Data Protection Board of India, Right to privacy

For Mains: Data privacy, Data Protection Act 2023, Challenges and Way Forward

Source: IE

Why in News?

Recently, while the industry has largely welcomed the Digital Personal Data Protection Act (DPDPA) 2023 for its straightforward compliance structure, the provision requiring verifiable parental consent before processing children’s data has sparked division between industry and government.

What are the Salient Features of the Digital Personal Data Protection Act (DPDPA) 2023?

  • Right to Data Protection: It empowers individuals with the right to know and control their personal data. This includes rights to access, correction, and erasure of their data, giving citizens greater control over their personal information.
  • Data Processing and Consent: The Act mandates that personal data can only be processed with the explicit consent of the individual. Organisations must provide clear and specific consent forms and ensure that consent is obtained before data collection.
  • Data Localisation: Certain types of sensitive personal data are required to be stored and processed within India. This provision aims to enhance data security and facilitate easier enforcement of data protection laws.
  • Regulatory Authority: The Act establishes a Data Protection Board of India (DPBI) to oversee compliance and handle grievances. The Board is responsible for adjudicating disputes and imposing penalties for violations.
  • Data Breach Notification: Organisations are required to notify individuals and the Data Protection Board of any data breaches that may compromise personal information. This provision aims to ensure transparency and prompt action in the event of data leaks.
  • Fines and Penalties: It outlines stringent penalties for non-compliance, including significant fines for violations. This is intended to incentivize organisations to adhere to data protection standards.

What are the Issues with Obtaining the Parental Consent?

  • About:
    • Under Section 9 of the DPDP, 2023 data fiduciaries must obtain verifiable consent from parents or guardians before processing children’s data.
      • The Act also bans harmful data processing and ad targeting for minors. 
    • However, some entities can be exempted from obtaining verifiable parental consent and age gating requirements including healthcare and educational institutions. 
    • Also, some entities can be exempted from the norms on a restricted basis, that is, depending on the specific purpose for which they need to process a child’s data.
  • Issues:
    • While the act introduces measures for child data protection, including parental consent, challenges remain regarding age verification and defining what constitutes harm to children.
    • Handling situations where parents revoke consent or children reach the age of consent requires careful management.
    • Issues like storing biometric data, and ensuring compatibility across various devices can pose difficulties in implementation.
    • The act itself does not suggest ways in which platforms can perform age-gating leading to a major sticking point for the industry.
    • Another challenge is how the relationship between a child and his/her parents can be reliably established.
      • The inability to arrive at a conclusive decision on how to proceed with the verifiable parental consent provision is the biggest reason behind the delay in releasing the data protection rules without which the act cannot be operationalised (the DPDP Act depends on at least 25 such provisions to implement the modalities of the Act).
  • Likely Solution and Their Limitations:
    • Initially, the MeitY considered using parents’ DigiLocker app, which relies on Aadhaar details. However, scalability and privacy concerns led to its dismissal.
    • Another option was for the industry to create an electronic token system, authorised by the government. However, this approach also faced practical limitations. 
    • In a recent meeting between the MeitY and the Industry representatives, the latter suggested a graded approach based on risk, citing the UK’s Age Appropriate Design Code (AADC) as a model.

Note: Global Practices on Parental Consent:

  • Globally, privacy legislations have not prescribed a technology to gather verifiable parental consent, and have left it to data collectors to use relevant technology through which such consent can be gathered.
    • E.g., the US Children's Online Privacy Protection Act (COPPA) doesn't specify the exact method for obtaining parental consent but requires using a method that is "reasonably designed" given the available technology to confirm the identity of the child's parent.
  • The European Union’s General Data Protection Regulation (GDPR) requires data collectors to make “reasonable efforts” using available technology to verify that consent provided on behalf of a child under the age of 13 has, in fact, been provided by the holder of parental responsibility for that child.

What are the Possible Suggestions for Addressing the Issue of Parental Consent?

  • Self-Declaration: Companies can allow parents to declare their relationship with the child during account setup. However, this relies on honesty and lacks robust verification.
  • Two-Factor Authentication (2FA): Implementing 2FA for parental accounts can enhance security. Parents receive a code via SMS or email to confirm consent.
  • Biometric Verification: Leveraging biometrics (such as fingerprint or facial recognition) for parental consent can be secure and privacy-friendly.
  • Proxy Consent: Parents could authorise a trusted third party (like a school or paediatrician) to verify their relationship with the child. 

Drishti Mains Question:

Q. Discuss the challenges and potential solutions in the effective implementation of the Digital Personal Data Protection Act (DPDPA), 2023.

UPSC Civil Services Examination, Previous Year Question (PYQ)

Prelims:

Q1. ‘Right to Privacy’ is protected under which Article of the Constitution of India? (2021)

(a) Article 15
(b) Article 19
(c) Article 21
(d) Article 29

Ans: (c)

Q2. Right to Privacy is protected as an intrinsic part of Right to Life and Personal Liberty. Which of the following in the Constitution of India correctly and appropriately imply the above statement? (2018)

(a) Article 14 and the provisions under the 42nd Amendment to the Constitution.
(b) Article 17 and the Directive Principles of State Policy in Part IV.
(c) Article 21 and the freedoms guaranteed in Part III.
(d) Article 24 and the provisions under the 44th Amendment to the Constitution.

Ans: (c)


Mains:

Q. Examine the scope of Fundamental Rights in the light of the latest judgement of the Supreme Court on Right to Privacy. (2017)