In the DPDPA implementation, we have been discussing he requirement of determining the “Age” of a data principal to identify if he is a minor or not. Without identification of the age, the obligations of DPDPA towards a “Minor” cannot be fulfiled.
At the same time, there is a need to develop a mechanism by which one can identify the class of data principals to which Section 9 of DPDPA is applicable (Minors and Disabled Persons). In the case of a minor the consent has to be provided by the guardian who may be either a natural guardian or a legal guardian. In case of the disabled persons, it is the legal guardian who has to provide the consent.
The “Legal Guardian” is always a product of the decision of the Court and unless the Courts create a system of publishing a data base of “Legal Guardians” approved by different Courts, there is no way for a Data fiduciary to know if a person is disabled or not. A request for this has been sent by FDPPI to CJI and some time in future it may see the light of the day.
As regards the Natural Guardian, law has its own uncertainty since there may be many single parents and divorced parents where the natural guardian cannot be determined by just identifying the father or mother.
It is the duty of the Government and the Judiciary to find a proper mechanism to identify the age of a data principal if they are serious about protecting the privacy of a minor. At present Data Fiduciaries simply accept a “Self Declaration” from the data principal that he/she is not a minor and proceed to provide services meant for adults. This is not an effective system for protection of privacy of minors without a verification of the declaration. We therefore need a mechanism for such verification.
At DGPSI, we need to identify a suitable mechanism for organizations to identify the age of a data principal. We have in the past discussed this in these columns and recommended the use of Aaadhar as an instrument for not only creating a “Age Pass” but also to verify the “Guardian of a minor”. (Refer article titled “Is there no solution for Age Gating?)
In this context we need to discuss the recent Supreme Court judgement in the case Saroj & Ors vs IFFCO-TOKIO General Insurance Co & Ors
An article titled “Aadhaar Card Not Suitable as proof of date of Birth: Supreme Court” was published in Live Law yesterday explaining this judgement.
We however would like to point out that the article with the above headline may not reflect the issue in the right context of “Age-Gating” for Privacy regulation and need to be read in the given context.
The context in which the Supreme Court decided in this appeal was that the insurance company had sought a reduction of compensation based on the age of the deceased in the Aadhaar Card vs the Age of the deceased as per a school leaving certificate. There were two age documents available and there was a conflict. The choice of the reference document would have materially altered the compensation payable to a victim of an accident which had taken away the life of a bread winner in the family.
We trust that the decision of the Court has to be viewed in this context.
It is also true that as observed by the Court, the purpose of Aadhaar was to establish the identity of the individual and the noting of the Date of Birth is only incidental.
However it is to be noted that Aadhaar is still the best Government document that can establish the identity of a person. The Adhaar card issued to a minor also records the name of the guardian. Short of a Court order, this is therefore the best document of proof of the age of a minor and the name of the guardian.
The documents which are collected for Aadhaar enrolment are available here and indicate the documents which are used for age verification.
The enrolment documents include the Birth Certificate, Passport, Certificate issued by an Orphanage, School Leaving Certificate, Service Identity Card, Pensioner’s Card, Transgender certificate.
The Aadhaar document therefore is not an adhoc self declaration of date of birth and is based on documentation. The subject Supreme Court judgement was a case where there were conflicting dates in different authentic documents and the Court had to prioritize one over the other. In the context they chose to chose the school leaving certificate ahead of the Aadhar.
DGPSI which is defining the Jurisprudence related to the DPDPA therefore does not suggest dropping of the Aadhar based age determining process for determination of a minor for the purpose of obtaining the consent from the parent.
We remember that when Supreme Court in the Afzal Guru case had held that Section 65B certificate for digital evidence as “Not Mandatory”, Naavi had disagreed with the Court and held to his view that Section 65B Certificate for admissibility of digital evidence was mandatory. It took several more years and the Judgement of PV Anwar Vs P K Basheer to correct the decision. Even subsequently, when Shafi Mohammed judgement appeared to disagree with our view, we held onto the view until it was validated in the Arjun Pandit Rao case. Now IEA has been replaced with Bharatiya Nyaaya Samhita and the jurisprudence that “Section 63 Certificate is mandatory for admissibility of digital evidence” holds, though the form of Certification has changed a little.
Similarly we hold onto our view on Age Verification for DPDPA purpose that an Aadhaar based system is acceptable as a “Reasonable Measure” for the Data Fiduciary to verify the Age. In every case it is not feasible for a Data Fiduciary to be a Court and ask for multiple age proof document and verify the same. Probably a Consent Manager can do it and the case of a specialized consent manager for minors is made out.
At FDPPI, we can state that the data principal can provide any one of the following documents as age of proof namely
- Birth Certificate,
- Passport
- School Leaving Certificate,
- Service Identity Card,
- Pensioner’s Card
We would also like to add PAN Card and Driving License to the above list. Obviously a court order would also have to be accommodated in this accepted document list. However, these documents may not be as easily verifiable as the Aadhar data and hence Aadhaar remains the preferred reference tool.
As we have discussed earlier, the verification of age is not only a requirement for a person who has already declared himself as a minor so that we donot want anonymous malicious adults in minor community. For this purpose, we need to apply age verification to all data principals as a general rule of entry. Verification of who is the guardian is a more complicated exercise and at present Aadhar is the only document (other than a court order) that has this data. PAN card of a minor may also have this information but they may not be as many minor PAN cards as there are minor Aadhar cards.
To summarize, we may say that the Supreme Court judgement cited above is not a bar on use of Aadhar for the purpose of age verification in the DPDPA compliance and can be one of the several ways by which the data fiduciary may satisfy himself about the status of a data principal as a minor or not a minor.
Naavi
