DPDP Act 2023 and the Issue of Parental Consent | 19 Jul 2024

Source: IE

Why in News?

Recently, while the industry has largely welcomed the Digital Personal Data Protection Act (DPDPA) 2023 for its straightforward compliance structure, the provision requiring verifiable parental consent before processing children’s data has sparked division between industry and government.

What are the Salient Features of the Digital Personal Data Protection Act (DPDPA) 2023?

• Right to Data Protection: It empowers individuals with the right to know and control their personal data. This includes rights to access, correction, and erasure of their data, giving citizens greater control over their personal information.
• Data Processing and Consent: The Act mandates that personal data can only be processed with the explicit consent of the individual. Organisations must provide clear and specific consent forms and ensure that consent is obtained before data collection.
• Data Localisation: Certain types of sensitive personal data are required to be stored and processed within India. This provision aims to enhance data security and facilitate easier enforcement of data protection laws.
• Regulatory Authority: The Act establishes a Data Protection Board of India (DPBI) to oversee compliance and handle grievances. The Board is responsible for adjudicating disputes and imposing penalties for violations.
• Data Breach Notification: Organisations are required to notify individuals and the Data Protection Board of any data breaches that may compromise personal information. This provision aims to ensure transparency and prompt action in the event of data leaks.
• Fines and Penalties: It outlines stringent penalties for non-compliance, including significant fines for violations. This is intended to incentivize organisations to adhere to data protection standards.

What are the Issues with Obtaining the Parental Consent?

• About:
  • Under Section 9 of the DPDP, 2023 data fiduciaries must obtain verifiable consent from parents or guardians before processing children’s data.
    • The Act also bans harmful data processing and ad targeting for minors. 
  • However, some entities can be exempted from obtaining verifiable parental consent and age gating requirements including healthcare and educational institutions. 
  • Also, some entities can be exempted from the norms on a restricted basis, that is, depending on the specific purpose for which they need to process a child’s data.
• Issues:
  • While the act introduces measures for child data protection, including parental consent, challenges remain regarding age verification and defining what constitutes harm to children.
  • Handling situations where parents revoke consent or children reach the age of consent requires careful management.
  • Issues like storing biometric data, and ensuring compatibility across various devices can pose difficulties in implementation.
  • The act itself does not suggest ways in which platforms can perform age-gating leading to a major sticking point for the industry.
  • Another challenge is how the relationship between a child and his/her parents can be reliably established.
    • The inability to arrive at a conclusive decision on how to proceed with the verifiable parental consent provision is the biggest reason behind the delay in releasing the data protection rules without which the act cannot be operationalised (the DPDP Act depends on at least 25 such provisions to implement the modalities of the Act).
• Likely Solution and Their Limitations:
  • Initially, the MeitY considered using parents’ DigiLocker app, which relies on Aadhaar details. However, scalability and privacy concerns led to its dismissal.
  • Another option was for the industry to create an electronic token system, authorised by the government. However, this approach also faced practical limitations. 
  • In a recent meeting between the MeitY and the Industry representatives, the latter suggested a graded approach based on risk, citing the UK’s Age Appropriate Design Code (AADC) as a model.

What are the Possible Suggestions for Addressing the Issue of Parental Consent?

• Self-Declaration: Companies can allow parents to declare their relationship with the child during account setup. However, this relies on honesty and lacks robust verification.
• Two-Factor Authentication (2FA): Implementing 2FA for parental accounts can enhance security. Parents receive a code via SMS or email to confirm consent.
• Biometric Verification: Leveraging biometrics (such as fingerprint or facial recognition) for parental consent can be secure and privacy-friendly.
• Proxy Consent: Parents could authorise a trusted third party (like a school or paediatrician) to verify their relationship with the child.