The Ministry of Electronics and Information Technology (MeitY) released the draft rules today for the Digital Personal Data Protection (DPDP) Act, 2023, which was passed by Parliament last year. These draft rules, now open for public consultation until February 18, 2025, aim to provide a robust framework for data protection in India’s digital landscape.
How will DF verify that it has reliable identification and age details of P?
Case 1: C is a child, P is their parent, and DF is a data fiduciary. C’s personal data will be processed, and C’s user profile will be created on DF’s online platform. DF will ensure that it is possible for C’s parents to authenticate their identity through the website, app, or other means. P will authenticate their identity as a parent, and DF will verify that P is a registered user on the platform and has previously provided their identity and age details. Before processing C’s personal data to create a user profile, DF will check and confirm that it has the trustworthy identification and age details of P.
Case 2: C is a child, P is their parent, and DF is a data fiduciary. DF will enable C’s parents to authenticate their identity through the website, app, or other platforms. Before processing C’s personal data for creating a user profile, DF will ensure that the identification and age details of P are provided by a trustworthy authority, such as a legal or government body assigned to maintain such records, or mapped to a verified digital token. DF will confirm that P is an identifiable adult. P can voluntarily use digital locker services to provide these details.
Case 4: P identifies as the parent of C and informs DF that they are not a registered user on DF’s platform. Before processing the personal data for creating C’s user profile, DF will verify, based on identification and age details issued by an entity assigned by law or government for maintaining such details, or a virtual token mapped to them, that P is an identifiable adult. P may voluntarily provide such details using the services of a digital locker service provider.
(3) In this rule, the following meanings are implied:
- (a) “Adult” refers to a person who has completed the age of eighteen.
- (b) “Digital Locker Service Provider” refers to an intermediary, including any appropriate government agency or corporation, which may be notified by the central government as per the rules made under the Information Technology Act, 2000 (Act 21 of 2000).
- (c) “Designated Authority” refers to the authority under section 15 of the Rights of Persons with Disabilities Act, 2016 (Act 49 of 2016), which assists persons with disabilities in exercising their legal capacity.
- (d) “Applicable Law for Guardian” means:
- (i) In relation to a person with long-term physical, mental, intellectual, or sensory disabilities, which, along with barriers, limits their full and effective participation in society on equal terms with others…
