Privacy law raises complications of verifying parent identity, 6 Jan.

Lawyers and policy on privacy law consultants said that the proposed framework to verify whether an individual claiming to be an adult is so, on top of being related to a child, can cause complications for individuals, and become a burden for companies. It could also raise confusion, since the first draft of the DPDP rules do not define key terms such as ‘detrimental’, ‘wellbeing’ and ‘due diligence’.

The rules, published in the public domain on Friday, need parents and guardians of underage minors, defined as individuals below 18 years of age, to authenticate themselves as responsible for the underage users—using tokenized data or government identification through the Digilocker platform to do so.

Burden on companies

However, early reactions of policymakers have stated that the process prescribed by the rules could add significant compliance burden on companies—without explicitly suggesting so.

Supratim Chakraborty, partner at law firm Khaitan & Co, said that the current set of rules “only offer a basic framework for how the parental verification process may work.”

“Further rounds of consultations may lead to amendments—such as striking a balance for companies in terms of their responsibilities and liabilities to establish a verifiable relationship between a parent and a minor. That aside, the DPDP Act does not leave room for rules to define important words used in the Act in the context of children‘s personal data, such as ‘detrimental’ and ‘wellbeing’. This may be especially important when it comes to the usage of significant online platforms by individuals under the age of 18,” he added.

The privacy law verifiability of parentage can make matters further complicated. Kazim Rizvi, founding director at policy think-tank The Dialogue, said that there could be concerns around sharing too much sensitive data with private tech firms, and how that can impact privacy and safeguarding of information.

Less data sharing

A senior official directly associated with the rulemaking process concurred with Chakraborty and Rizvi’s assessment, adding, “A crucial part of the rulemaking process is to minimize data sharing wherever possible—this will be a key concern that will need to be addressed for the sake of both users and companies alike.”

Companies, on this note, are yet to voice their concerns around the draft rules. Emails sent to Meta and Google, seeking reactions to the law, did not immediately receive responses.

The two companies, which run Instagram and YouTube, respectively, will directly come under the ambit of the rules of DPDP Act, 2023.

A senior executive at one of the companies, requesting anonymity, said that prima facie, “making tech companies responsible to establish parental identity proof is unprecedented—if users of tech platforms do not themselves declare the information voluntarily.”

“Overall, there is a considerable amount of ambiguity that can still be addressed—but the current framework does succeed in establishing the direction that companies and individuals are to follow,” Chakraborty added.

Starting point

For the Centre, the rules represent a starting point to safeguard minors against threats on online platforms.

A senior industry official, with direct knowledge of the matter, told Mint on condition of anonymity, “There is an understanding within the IT ministry that creating a framework that is watertight, beneficial for all parties, and yet conducive enough could wildly vary for each stakeholder involved. The current draft’s proposal is to largely ensure that a basic framework is put in place—which current and future consultations and amendments can solve.”

The consultation process for the rules, which began on 3 January, will conclude on 18 February.