The introduction and definition of a proposed ‘consent artefact’ in the Digital Personal Data Protection (DPDP) Act and the exemptions provided to certain intermediaries on the processing of children’s data have raised concerns among experts. Digital privacy and cybersecurity experts as well as lawyers ET spoke to also said that there needs to be additional deliberation on the finer workings of the consent artefact architecture, including how giving and revoking consent will work. “The tricky part is how consent provided under Section 7(a) of the Act will be later located to withdraw such consent, which was not originally recorded, or provided using a consent artefact,” a technology lawyer, who has seen a copy of the proposed rules and was present during the industry consultations on DPDP Rules , told ET.
Advt Section 7(a) of the proposed executive rules under the Act envisages transactional situations where neither the user’s consent has been documented nor a privacy notice has been exchanged with the said user. The DPDP Act defines companies processing personal data as data fiduciaries and the users whose data is processed as data principals. The proposed final draft of the executive rules under the Act, set to be released soon, has introduced the concept of a consent artefact, which could be any machine-readable electronic record such as an e-mail, a digital signature or an electronic document of any kind.
This electronic document, a kind of digital form, should be able to provide both data fiduciaries and data principals with the option to notify each other on various aspects such as granting, managing, reviewing or withdrawing consent for personal data processing. “The draft has proposed that the consent artefact must also contain information to correctly identify both the user and the company. The problem that could arise here is how does one verify whether such data, provided either by the user or the data fiduciary, is correct,” a senior executive at a social media intermediary told ET.
Another issue, experts said, could be with the IT ministry’s proposal to allow the use of a digital locker service but not mandating it. Advt “It is a recognition that the government’s DigiLocker is being used by only around 234 million users currently, which is a fraction of this country (population). The government has kept it technology agnostic.
It is not going into how reliable age and identity is established,” a senior public policy research executive, who has seen a copy of the draft rules, said. Though the government had indicated that there could be more reliance on a government-issued identity card-based or digital-locker-based verification of age of children, the stance now seems to have changed as civil societies raised concerns on the exclusionary impact of such lockers or ID cards, the executive said. “Now the government has left it to the intermediary to choose the technology that is convenient to them,” she said.
Though the US and countries in the EU and other parts of the world have come up with the concept of consent managers or other facial recognition technology to obtain verifiable parental consent, these methods have their limitations. “There is enough room for technology innovation. Every method has its limitations.
It cannot be uniform globally,” she said. Apart from these, the draft has also raised concerns about the exemptions from the restrictions on the processing of children’s data mandated under the Act provided to educational institutions, health establishments and certain government entities. The entities eligible for this exemption include government entities that perform functions related to the ‘interests of a child’, healthcare professionals, crèche or childcare institutions and government bodies that issue subsidies and licences.
For healthcare institutions, the exemption may be restricted to the provision of healthcare services to a child. Educational institutions will be allowed to undertake behavioural monitoring and tracking of educational activities. “This kind of classification is not very useful in giving exemptions.
For example, YouTube is considered a social media platform, but it is used for educational purposes. Kids from low-income backgrounds learn a lot from YouTube. So, the classification and exemptions should be risk-based,” the public policy executive said.
By Suraksha P & Aashish Aryan , ETtech Published On Jan 10, 2024 at 07:44 AM IST Telegram Facebook Copy Link Be the first one to comment. Comment Now COMMENTS Comment Now Read Comment (1) All Comments Post Post Find this Comment Offensive? Choose your reason below and click on the submit button. This will alert our moderators to take actions REASONS FOR REPORTING Foul Language Defamatory Inciting hatred against a certain community Out of Context / Spam Others Report Join the community of 2M+ industry professionals Subscribe to our newsletter to get latest insights & analysis.
Download ETTelecom App Get Realtime updates Save your favourite articles Scan to download App digital personal data protection DPDP Rules Social media digital privacy data fiduciaries DPDP Act DigiLocker reliance {“@context”:”http://schema. org”,”@type”:”BreadcrumbList”,”itemListElement”:[{“@type”:”ListItem”,”position”:1,”item”:{“@id”:”https://telecom. economictimes.
indiatimes. com”,”name”:”Home”}},{“@type”:”ListItem”,”position”:2,”item”:{“@id”:”https://telecom. economictimes.
indiatimes. com/news”,”name”:”News”}},{“@type”:”ListItem”,”position”:3,”item”:{“@id”:”https://telecom. economictimes.
indiatimes. com/news/policy”,”name”:”Policy”}},{“@type”:”ListItem”,”position”:4,”item”:{“@id”:”https://economictimes. indiatimes.
com/tech/technology/dpdp-rules-furore-over-leeway-to-some-companies-on-use-of-kids-data/articleshow/106673860. cms”,”name”:”DPDP Rules: Furore over leeway to some companies on use of kid’s data”}}]} {“@context”:”http://schema. org”,”@type”:”NewsArticle”,”mainEntityOfPage”:{“@type”:”WebPage”,”@id”:”https://telecom.
economictimes. indiatimes. com/news/policy/dpdp-rules-furore-over-leeway-to-some-companies-on-use-of-kids-data/106681218″},”headline”:”DPDP Rules: Furore over leeway to some companies on use of kid’s data”,”datePublished”:”2024-01-10T07:44:01+05:30″,”dateModified”:”2024-01-10T07:44:30+05:30″,”articleBody”:”The introduction and definition of a proposed ‘consent artefact’ in the Digital Personal Data Protection (DPDP) Act and the exemptions provided to certain intermediaries on the processing of children’s data have raised concerns among experts.
Digital privacy and cybersecurity experts as well as lawyers ET spoke to also said that there needs to be additional deliberation on the finer workings of the consent artefact architecture, including how giving and revoking consent will work. “The tricky part is how consent provided under Section 7(a) of the Act will be later located to withdraw such consent, which was not originally recorded, or provided using a consent artefact,” a technology lawyer, who has seen a copy of the proposed rules and was present during the industry consultations on DPDP Rules, told ET. Section 7(a) of the proposed executive rules under the Act envisages transactional situations where neither the user’s consent has been documented nor a privacy notice has been exchanged with the said user.
The DPDP Act defines companies processing personal data as data fiduciaries and the users whose data is processed as data principals. The proposed final draft of the executive rules under the Act, set to be released soon, has introduced the concept of a consent artefact, which could be any machine-readable electronic record such as an e-mail, a digital signature or an electronic document of any kind. This electronic document, a kind of digital form, should be able to provide both data fiduciaries and data principals with the option to notify each other on various aspects such as granting, managing, reviewing or withdrawing consent for personal data processing.
“The draft has proposed that the consent artefact must also contain information to correctly identify both the user and the company. The problem that could arise here is how does one verify whether such data, provided either by the user or the data fiduciary, is correct,” a senior executive at a social media intermediary told ET. Another issue, experts said, could be with the IT ministry’s proposal to allow the use of a digital locker service but not mandating it.
“It is a recognition that the government’s DigiLocker is being used by only around 234 million users currently, which is a fraction of this country (population). The government has kept it technology agnostic. It is not going into how reliable age and identity is established,” a senior public policy research executive, who has seen a copy of the draft rules, said.
Though the government had indicated that there could be more reliance on a government-issued identity card-based or digital-locker-based verification of age of children, the stance now seems to have changed as civil societies raised concerns on the exclusionary impact of such lockers or ID cards, the executive said. “Now the government has left it to the intermediary to choose the technology that is convenient to them,” she said. Though the US and countries in the EU and other parts of the world have come up with the concept of consent managers or other facial recognition technology to obtain verifiable parental consent, these methods have their limitations.
“There is enough room for technology innovation. Every method has its limitations. It cannot be uniform globally,” she said.
Apart from these, the draft has also raised concerns about the exemptions from the restrictions on the processing of children’s data mandated under the Act provided to educational institutions, health establishments and certain government entities. The entities eligible for this exemption include government entities that perform functions related to the ‘interests of a child’, healthcare professionals, crèche or childcare institutions and government bodies that issue subsidies and licences. For healthcare institutions, the exemption may be restricted to the provision of healthcare services to a child.
Educational institutions will be allowed to undertake behavioural monitoring and tracking of educational activities. “This kind of classification is not very useful in giving exemptions. For example, YouTube is considered a social media platform, but it is used for educational purposes.
Kids from low-income backgrounds learn a lot from YouTube. So, the classification and exemptions should be risk-based,” the public policy executive said. “,”keywords”:[“Policy”,”Digital Personal Data Protection”,”DPDP Rules”,”Social Media”,”Digital Privacy”,”Data Fiduciaries”,”DPDP Act”,”DigiLocker”,”Reliance”],”articleSection”:”Policy”,”url”:”https://telecom.
economictimes. indiatimes. com/news/policy/dpdp-rules-furore-over-leeway-to-some-companies-on-use-of-kids-data/106681218″,”description”:”Digital privacy and cybersecurity experts as well as lawyers ET spoke to also said that there needs to be additional deliberation on the finer workings of the consent artefact architecture, including how giving and revoking consent will work.
“,”author”:[{“@type”:”Person”,”name”:”Suraksha P”,”url”:”https://telecom. economictimes. indiatimes.
com/author/479244511/suraksha-p”},{“@type”:”Person”,”name”:”Aashish Aryan”,”url”:”https://telecom. economictimes. indiatimes.
com/author/479257742/aashish-aryan”},{“@type”:”Thing”,”name”:”ET Telecom”,”url”:”https://telecom. economictimes. indiatimes.
com”}],”publisher”:{“@type”:”NewsMediaOrganization”,”name”:”ETtech”,”logo”:{“@type”:”ImageObject”,”url”:”https://img. etb2bimg. com/files/cp/upload-1679566637-et-telecom-light-theme.
png”,”width”:600,”height”:60}},”image”:[{“@type”:”ImageObject”,”url”:”https://etimg. etb2bimg. com/thumb/msid-106681218,width-1200,height-900,resizemode-4/.
jpg”,”width”:1200,”height”:900}]} Home News Policy DPDP Rules: Furore over leeway to some companies on use of kid’s data.
From: telecom_economictimes
URL: https://telecom.economictimes.indiatimes.com/news/policy/dpdp-rules-furore-over-leeway-to-some-companies-on-use-of-kids-data/106681218
