Is there no solution for Age-gating?

India provided legal recognition to electronic documents through the Information Technology Act 2000 (ITA 2000). ITA 2000 also introduced the Digital Signature and, later on, the Electronic Signature (e-Sign) as a means of authentication of an electronic document. The two together enabled “Electronic Offer and Acceptance to conclude an Electronic Contract valid in a Court of law”, subject to the exclusions in Section 1(4) of ITA 2000 and Schedule I of ITA 2000.

Now the DPDPA has been enacted and the “Issue of a Notice and obtaining Consent” in a legally valid form has become relevant. The “Consent” as per Section 6 of DPDPA 2023 is expected to be an agreement meant to be enforced in law by a Data Principal against a Data Fiduciary.

The need for a legally acceptable online Consent Contract poses the following legal challenges.

1. Consent needs to be authenticated by a Digital/Electronic Signature, and a mere Click-Wrap consent may be disputable.

2. If Consent is a Contract, its validity after the death of a data principal is disputed and hence the “Nomination” clause may be disputed.

3. If Consent is a Contract, the validity of consent provided by minors, or by mentally disabled persons for whom a Court has granted a legal guardian, may also be disputed. It is therefore necessary to establish that every consent was given by a person above 18 years of age and that every consent of a person less than 18 years of age (or a mentally disabled person) was given by his guardian.

We now need to find a solution to each of these problems while implementing DPDPA 2023 and formulating DPDPA Rules.

In this connection, I draw the attention of readers to two of my earlier writings on this topic indicating that I have been trying to find a solution to this issue for a long time and the thoughts expressed in the underlying articles need to be pursued by the Government.

1. What is an “Adult Pass”? – naavi.org (July 13, 2005)

2. “Personal Digital Age” needs to be given a legal recognition (February 20, 2023)

A few days back, press reports emerged about a discussion between MeitY and Facebook/Google representatives on the DPDPA Draft Rules, to the effect that the meeting concluded that no solution is acceptable to the industry in this regard and that they should be given the freedom to determine their own method to identify “Minors”. They have also asked for exemption from the regulation of “Behavioural Monitoring and Targeted advertising” of minors.

In summary, Facebook and Google have asked for complete exemption from any regulation of their activities concerning minors, and the Government seems to be yielding to this demand. Without the acceptance of the draft rules by Facebook and Google, they are unlikely to be adopted by the Government.

In this context I also draw the attention of the readers to the article in Mint published on 23rd November 2023 (Link here) which provides useful information on the use of Social Media by minors in India. According to this article, about 35% of users are minors and spend more than 3 hours per day. I leave it to the sociologists to quantify the adverse impact of this on the development of the minors, which the busy parents of the day are unable to control. The article also records that more than 73% of the parents do prefer to exercise control through parental consent but the services do not enable them. As a result, not only adult content but also unauthorized E Commerce purchases, possible drug purchases, possible crime information etc. are easily accessible to minors, causing a threat to society.

Regulating content to Minors is therefore a social responsibility of the Government and there is no need to tune the regulations to protect the commercial interests of Facebook or Google. It is even more surprising that these same organizations are in the forefront of litigating against the Government whenever they do not like the law. It would have been fair if the Government had kept them at a distance till the cases they have filed against the Union of India in respect of ITA 2000 rules are withdrawn, instead of seeking their consensus on the proposed DPDPA rules. The reason why a more robust PDPB 2018/PDPB 2019/DPB 2021 was replaced with the DPDPA 2023 was the objections of these organizations, and now they are not allowing the Government the freedom to make the regulations either.

Under these circumstances the giving up of the age-gating regulations is not a wise move and needs to be re-visited.

It is not correct to say that there is no solution or that any solution is not scalable etc. (Refer here). These are the same agencies who have filed objections to the ITA rules on identification of the “Originator of a WhatsApp Message” on unsustainable technical excuses. Their views are not final and the Government needs to honestly try alternatives even if they serve the purpose only partially.

Some of the solutions that can be tried are indicated below.

1. Use of “Age Certificates” to be issued by UIDAI to every Aadhaar holder which can be produced for every consent.

This will also serve the purpose of curtailing fake accounts in social media.

There will be the “Privacy Objections” but as long as release of identifiable data behind the Age Certificate is subject to valid legal process, there is no violation of Privacy principles.

This is the easiest and most effective method, and only India can do this, perhaps not the USA.

Aadhaar information of a minor is also associated with the name of the parent, which can be used for matching the name declared by the minor. There may be exceptions when a mother wants to provide consent instead of the father whose name is in the Aadhaar, but such exceptions can be handled through escalation of the requests.

It is for UIDAI to confirm whether they are unable to meet the scaling requirements and, if so, how they could use the services of subsidiary agencies to scale up.

“Age Pass” and “Guardian Pass” can be two ancillary services that can be issued by UIDAI and would be of great use to the community. As long as the link to identity is regulated by a proper legal process, this should be acceptable to Supreme Court also though an initial objection would definitely be filed by the “Andolan Jeevies”.

2. DPDPA has introduced the concept of “Consent Managers”. These consent managers can maintain a KYC of their customers and hence age-gating responsibility can be undertaken by them. There can be specialized Consent Managers to manage Minor’s consents who may be Authorized User Agencies of UIDAI.

3. Another method of partial satisfaction of confirming whether a consent giver is an adult or not is through the TRAI and the OTP system. Whenever an OTP is given through a number X, TRAI can ensure that the owner of the OTP authenticating SIM is an adult and his name is so and so… which can be matched with the name of the guardian stated by the minor.

4. The problem of legal guardians of mentally disabled persons is different. I am not aware if Aadhaar has a system of recording this information and if not, it needs to be introduced. Secondly the Courts have to develop a database of legal guardianship certificates issued by any Court across India and make it available to authorized agencies like UIDAI or an accredited Consent Manager of DPDPA.

5. MeitY can also check with RBI if Banks will be willing to issue an ID Card “I am Not a Minor” or “I am a minor till ….. and my guardian is …….”

I would also urge the Ministry of Consumer Affairs to incorporate some of these suggestions as a part of the regulation of E Commerce Transactions by minors. Regulating e-commerce transactions of minors can also be attempted with the cooperation of RBI by creating a “Minor Payment Card” associated with any Credit/Debit card which the Banks can issue after a KYC process.

I invite suggestions from others to improve the above thoughts.

If MeitY authorizes, Naavi would be working with some of the technology partners to develop a prototype for one or more of the above suggestions.

I reiterate that there is a solution for Age-gating and we only need to discover it with some effort. If MeitY can assure that they will stand by the principle, technology players can invest their time and effort to find a solution.

If, however, the “Minor Consent system” is ruled by Facebook and Google, then no Indian technology company may be interested in investing in such development. The ball is now in the court of MeitY to decide whether they want indigenous efforts to be invested in finding a solution to the Age-gating problem.

Naavi

Posted in Cyber Law | Leave a comment

Is CrowdStrike outage an AI Failure?

The failure of CrowdStrike security software causing global chaos will be analysed by experts in due course.

For the moment, it appears that there could be a failure in the Artificial Intelligence based automated response, which has generated a false alarm.

The problem appears to be related to an update issue. But it is probably a false report, or the fault was triggered by the updated version recognizing the update itself as a cyber threat.

This should be a wake-up call for all those who think AI makes things more reliable. It was amusing to know that many airports are shifting to manual mode to tide over the crisis.

Workaround

One of the suggested workarounds is:

  1. Boot Windows into Safe Mode or the Windows Recovery Environment.
  2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory.
  3. Locate the file matching C-00000291*.sys and delete it.
  4. Boot the host normally.
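
Steps 2 and 3 as a script, for a host already booted into Safe Mode with an elevated PowerShell prompt. This is an added example, not part of the original post and not CrowdStrike tooling; it records each matching file's size, timestamp and SHA-256 before deleting it and supports a dry run. The function name and the log path are assumptions; the directory and file pattern are the ones given in the steps above.

```powershell
# Added example (not CrowdStrike tooling). Run elevated, from Safe Mode.
function Remove-WorkaroundFile {                         # hypothetical name
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Directory and pattern are the ones given in steps 2 and 3.
        [string]$Directory = 'C:\Windows\System32\drivers\CrowdStrike',
        [string]$Pattern   = 'C-00000291*.sys',
        # Assumed log location; point it at a path that survives the reboot.
        [string]$LogPath   = 'C:\remediation-log.csv'
    )

    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
        Write-Warning "Directory not found: $Directory"
        return
    }

    # @() forces an array so .Count works for zero or one match.
    $found = @(Get-ChildItem -LiteralPath $Directory -Filter $Pattern -File -Force)
    if ($found.Count -eq 0) {
        Write-Warning "No file matching '$Pattern' in $Directory; nothing deleted."
        return
    }

    foreach ($file in $found) {
        # Capture identifying details first so the deletion can be audited.
        $record = [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            Path         = $file.FullName
            SizeBytes    = $file.Length
            LastWriteUtc = $file.LastWriteTimeUtc.ToString('o')
            Sha256       = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            DeletedUtc   = (Get-Date).ToUniversalTime().ToString('o')
        }
        # -WhatIf / -Confirm are honoured here; nothing is removed on a dry run.
        if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete file')) {
            Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
            $record | Export-Csv -LiteralPath $LogPath -Append -NoTypeInformation
            $record   # emit the record so the caller sees what was removed
        }
    }
}

# Dry run: lists the files that would be deleted without touching them.
Remove-WorkaroundFile -WhatIf
# Actual removal (step 3); afterwards boot the host normally (step 4):
# Remove-WorkaroundFile -Confirm:$false
```

The CSV gives responders a per-host record of what was removed and when, which helps when reviewing activity during the period the post warns about.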

Terrorists have been found to use a second bomb blast after some time in the same location to smoke out victims from the first blast and kill them with the second.

A similar risk could be there in this case. It is said that the workaround will disable some security features. Attackers may be planning to hit in this time window.

Organisations should be careful.

Naavi


MeitY seeks Endorsement of Big Tech for DPDPA Rules

It can only happen in India that Companies like Meta are in the forefront of challenging Government notifications such as the Intermediary Rules in Courts and they are the same entities who are also consulted for advice on how we frame rules.

In its continuing bid to placate the Big Tech before releasing the DPDPA draft Rules, MeitY held a discussion yesterday with select Big Tech Players like Meta to get their approval for the proposed DPDPA Rules.

The DPDPA rule that requires age verification and parental consent for those who are less than 18 years of age is a rule that hurts Facebook, and it is trying to ensure that the rules are not stringent.

Several newspapers have carried a report today based on the meeting which states that a discussion took place on the method of determining the “Minority” status of the users in this meeting.

One such report is from Indian Express here.

Despite the presence of all the Tech Experts, the meeting has concluded that it is not possible to implement any solutions even based on tokens issued by UIDAI. Hence it is decided that we should leave it to Meta and Google to determine their own methods to declare that a person is not a minor.

It is surprising to think that UIDAI cannot tokenize the existing data related to Aadhaar into “Persons of above 18 years of age” and “Persons Below the age of 18” as of date and add “Name of Parent in case of Persons below 18 years of age”.

This decision means that the Meta-Google type of companies will devise their own methods on how to determine whether a person is a minor, who is his parent and take consent as they deem fit. This will avoid the responsibility of the Government to suggest any solution and leave it to the Courts later to determine if the systems adopted by the industry are acceptable or not.

I hope that with this clearance from Meta and Google, the Government will at least now release the rules for public consultation and meet the 100 day commitment of Modi 3.0.

Naavi


Section 63 of Bharatiya Sakshya Adhiniyam: Perspective from Naavi

In the new Indian Evidence Act which became effective from 1st July 2024, the earlier Section 65B of the Indian Evidence Act has been modified as Section 63.

This being an important section in the Act, Naavi has tried to place his perspective through this detailed video.

Your comments are welcome.

Naavi


Calling attention of all CERT-In accredited auditors

There are a number of auditors who are registered with CERT-In for different kinds of audits.

With the notification of DPDPA 2023 expected during this year, there will be new business opportunities that will open up for Audits in the DPDPA segment of the market.

In order to enable the CERT-In auditors to explore the new opportunities that may be coming up, FDPPI is planning a one day training program at Bangalore on the “Emerging Opportunities for CERT-In Auditors in DPDPA”.

Looking forward to your interest for finalizing the dates and venue. The tentative date is in the first week of August.

Naavi


Let’s Help Ourselves by helping MeitY

The Data Protection Industry in India today is waiting for MeitY to start a discussion on the DPDPA Rules.

Currently there is one section of the market which is convinced that MeitY has shared its draft with a closed group of its trusted international Tech Companies like Meta, Microsoft and Google through their agents in Delhi and is waiting for their approval. Such approvals can only come from the USA, and hence delay is inevitable.

Earlier multiple versions like PDPB 2018, PDPB 2019 and DPA 2021 were rejected because there was no “Consensus” in the Big Tech and their agents in India.

Seeking consensus on DPDPA from this section of the industry is like seeking consensus from the Indian Opposition in the Parliament on any action of the Government. If we want progress, we have to have conviction, act in good faith and move on.

DPDPA is a law that affects organizations other than the Big Techies and hence there are many in the industry who are keen to know the mind of MeitY because the Rules can overnight impose “Potential Financial Risks” that have to be provided for in the books of account. Whether they comply or not, the CFOs will demand provision for potential losses and Insurance to cover the Risks.

Hence it is in the interest of the industry that the current state of uncertainty is cleared at the earliest and Rules are made for the benefit of the larger MSME section of the society rather than the handful of members of the BigTech Association.

For this purpose, the section of the industry that is today away from the policy making group in Delhi needs to be vocal and express its views strongly. An opportunity for such expression is being created by FDPPI through an Industry meet on July 27 at Bangalore, which should not be missed.

The current version that MeitY has circulated is not necessarily the ideal set of Rules. But we can take it as the best effort preparation and together help MeitY to improve upon it by participating in the July 27 event and forging a strong response.

This should help MeitY to reduce their dependence on the Big Tech and their agents who are bullies in their own right and want MeitY to be at their beck and call.

FDPPI is now giving a platform to this section of the industry to come together and rally behind FDPPI so that MeitY can be liberated from the shackles placed by the Big Tech.

Let us meet on July 27 at Bangalore to discuss the “DPDPA Rules” and help MeitY to move ahead. Check out www.fdppi.in and register for your participation. If the industry does not raise its voice, there will be no opportunity to change the course of the Rules later.

Let us not be like the Voters who fall for the “Guarantee Bait” and later complain about raising taxes.

Naavi
