New data protection rules: Aadhaar-based system to verify children's age, parental consent for using online services
18 Dec 2023
As per reports in the Indian Express, two of the main proposals in the upcoming data protection rules are to introduce a two-stage notification system for tech companies to inform users about data breaches and to use an Aadhaar-based system to verify children's age for using online services and to gather their parents' consent.
The Digital Personal Data Protection Act was notified in August of last year, and the Union Ministry of Electronics and IT (MeitY) plans to operationalize it by initiating consultations on data protection regulations. It has planned a private meeting with industry representatives on December 19 to discuss the draft regulations, according to individuals in the know.
One of the proposals is a consent framework for confirming a child's age before allowing them to use an internet service. According to the Act, businesses must get "verifiable parental consent" before granting access to their platform to users who are less than 18 years old. This has been a major source of contention for the industry because the Act does not include recommendations for how platforms might implement age-gating.
It is learnt that the guidelines should provide two approaches: using the DigiLocker software, which is based on the Aadhaar data of the parents, or having the industry develop an electronic token system that can only be used with government approval.
The first will enable parents to upload their children's Aadhaar data to the DigiLocker platform, and platforms will be able to ping the app to confirm that the user is, in fact, a child.
Under the electronic token system, the industry will be able to create a consent manager that can receive a user's government ID, tokenize it into an encrypted format to safeguard its contents, and communicate only the user's name and age parameters to an online platform to confirm their age. It is learnt that such a system will only be permitted with Centre approval.
Healthcare and educational facilities are among the organisations that are exempt from the need to get verifiable parental consent and age-gating regulations. It is also acknowledged that certain organisations may have limited exemptions from the rules, based on the particular reason(s) for which they must process a child's data.
As part of a two-stage notification procedure, the regulations are anticipated to suggest that companies alert consumers about a data breach as soon as they learn about it. They will have to notify users in the first instance of the type and extent of the breach, among other things. In the second phase, they will have to provide users with any new information regarding the breach within 72 hours.
The Data Protection Act imposes a fine of up to Rs 250 crore for failing to implement sufficient security measures to avert a data breach.
The regulations' requirement that government agencies notify people anytime they use their personal information to provide welfare services, subsidies, or other comparable purposes is another important component.