NITI Aayog, the premier think tank of the Indian government, has expressed reservations regarding certain provisions of the Digital Personal Data Protection Act (DPDPA).
NITI Aayog’s Concerns
One of the contentious issues raised by NITI Aayog pertains to the proposed amendment to Section 8(1)(j) of the Right to Information (RTI) Act. This amendment would limit the disclosure of personal information related to public officials, even when there is significant public interest involved. During inter-ministerial consultations, NITI Aayog urged the Ministry of Electronics and Information Technology (MeitY) to reconsider the bill in its existing form, cautioning that it could undermine the effectiveness of the RTI Act.
Opposition parties and civil society activists echoed these concerns, raising objections both during the consultation phase and later in parliamentary debates. Despite these critiques, MeitY chose not to revise the proposed amendment to the RTI Act. The government defended its position by emphasizing that the right to privacy is a fundamental right under the Indian Constitution, which should extend to government officials as well.
Key Features of the Digital Personal Data Protection Act (DPDPA)
Empowerment of Individuals: The DPDPA grants individuals the right to access, correct, and delete their personal data, enhancing their control over personal information.
Consent Requirement: The act stipulates that personal data can only be processed with explicit consent from individuals. Organizations must provide clear consent forms and secure consent before collecting data.
Data Localization: It mandates that certain sensitive personal data must be stored and processed within India, aiming to enhance data security and simplify enforcement of regulations.
Establishment of Data Protection Board: The DPDPA establishes the Data Protection Board of India (DPBI) to oversee compliance and address grievances. The Board is responsible for resolving disputes and imposing penalties for non-compliance.
Breach Notification: Organizations are required to notify both individuals and the Data Protection Board about data breaches that may compromise personal information, promoting transparency and timely action.
Penalties for Non-Compliance: The act imposes substantial fines for violations, encouraging adherence to data protection standards.
Challenges in Obtaining Parental Consent
Consent Requirement for Children’s Data: Section 9 mandates that data fiduciaries must obtain verifiable consent from parents or guardians before processing children’s data. It also prohibits harmful data practices and the targeting of minors.
Exemptions: Certain entities, such as healthcare and educational institutions, may be exempt from obtaining verifiable parental consent under specific conditions, allowing limited exemptions based on the purpose of data processing.
Implementation Challenges: Significant difficulties remain regarding age verification and defining harm to children. Issues arise when parents revoke consent or when children reach the age of consent, and practical challenges include storing biometric data and ensuring compatibility across devices.
Delay in Rule Implementation: The finalization of data protection rules has been delayed primarily due to unresolved issues related to verifiable parental consent. The DPDPA requires at least 25 provisions to become operational, adding to the complexity.
Proposed Solutions: Initial considerations included using the DigiLocker app for verification; however, privacy and scalability concerns led to its rejection. An electronic token system was also suggested but faced practical limitations. A recent industry meeting proposed a graded approach based on risk, referencing the UK’s Age Appropriate Design Code (AADC).
Strategies for Addressing Parental Consent
Self-Declaration by Parents: Companies can allow parents to declare their relationship with the child during account setup. However, this method relies on parental honesty and lacks a robust verification mechanism.
Two-Factor Authentication (2FA): Implementing 2FA for parental accounts enhances security. Parents can receive a verification code via SMS or email to confirm their consent, adding an extra layer of protection.
Biometric Verification: Utilizing biometric methods, such as fingerprint or facial recognition, for parental consent can provide secure and privacy-conscious verification, ensuring that only the authorized parent can grant consent.
Proxy Consent: Allowing parents to authorize a trusted third party, such as a school or pediatrician, to verify their relationship with the child could provide additional verification and simplify the consent process.