Comments on DPDPA Rules-4: Verifiable Guardian Consent

Posted on January 7, 2025 by Vijayashankar Na

One of the most discussed provisions of the DPDPA Rules is the rule 10 and 11 related to the handling of personal data of a minor.

As per the Act, a data fiduciary intending to process the personal data of a minor or a person with a disability who has a lawful guardian needs to obtain the consent from the parent or guardian. Additionally the law requires that the processing shall not harm the child and there shall be no behavioural monitoring or targeted advertisements to the children.

The issues involved here are

  1. How do we know if a data principal is a minor or a disabled person?
  2. How do we know who is the guardian who is legally authorized to provide consent on behalf of the minor or the disabled person
  3. How do we know at what future date the consent given by the guardian as expired?
  4. How do we know if the parent/guardian is not having conflicts of guardianship?
  5. Does a “Verifiable” consent include verification of disability, verification of guardianship and verification of age

Under Rule 10 of the rules it is mandated that the Data Fiduciary shall observe “Due Diligence” and adopt “appropriate” technical and organizational measures to ensue

a) That the identity and age available with the data fiduciary is reliable

b) The claimed guardian is an “adult” himself

The words “Due Diligence” and “Appropriate” read with “Fiduciary” means that it is the responsibility of the data fiduciary to find such technology and procedure that satisfies compliance.

The compliance to this section requires that every data principal has to be verified that he is not a minor. If the person is a minor, the age should be collected and verified. Also the data fiduciary needs to collect the identity of the guardian and check if he is the authorized guardian.

There is at present no proper solution available to meet this requirement. There are some views that this section leads to denial of some internet services to persons with digitally illiterate parents. There is every possibilities that “Andolan Jeevies” will latch onto such comments and try to stall the implementation of the rules.

It is our view, if in an attempt to protect Children from the adverse impact of the Internet and the Social Media, some minors or disabled persons are unable to open Face Book accounts or Instagram accounts, it would be a blessing in disguise.

In the era of Artificial Intelligence, I donot see how the technology can accept defeat in not being able to protect the interest of the children. We had already discussed in an earlier article titled “Is there no solution for Age-gating?” some solutions in this direction.

Now we can look forward to a workable technical solution that is “DGPSI Compliant”.

As we are aware, Australia has been the first country to ban access to social media for children below the age of 16. The tech companies will face a penalty of Australian Dollars 49.5 million for violation. The Indian provision for “Parental Consent” is therefore not as stringent as the Australian provision. If the rule is challenged in a Court, it is necessary to defend the rule citing the Australian approach.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.