Confusion abounds among key stakeholders of India Inc in respect of consent management and allied concerns under India’s newly published Digital Persona Data Protection Act, 2023 (“DPDP Act”). This is especially true in the context of age verification requirements, along with the means of obtaining verifiable parental consent for children’s data. However, India’s digital public infrastructure could provide the right answers, eventually.
It is unwise to look at the DPDP Act in isolation, divorced from the preceding reality of India Stack and the Data Empowerment and Protection Architecture (“DEPA”) — the framework of which has sired the ‘Digital India’ program. India Stack comprises a set of open-source application programming interfaces (“APIs”) and digital public goods that aim to utilise the economic potential of identity, data and payments at population scale.
Acting as an intermediary layer that processes data transfers across systems, the definitions and protocols within an API enable different applications to ‘talk’ to each other. For example, every time we use a ride-hailing app from a smartphone, we use an API. Similarly, when an individual purchases a product on an e-commerce platform, they may be prompted to pay through a third-party system — whose function relies on APIs to make the necessary connection. Accordingly, the requests and responses with respect to data exchanges occur through an API even while remaining invisible on the user interface.
Other than their benefits and widespread use, APIs offer security layers between the requesting application and the infrastructure of the responding service, typically requiring authentication credentials. In terms of ensuring the privacy of personal users, when a website requests an individual’s location (provided through a location API), the user can decide whether to allow or deny that request.
In this context, DEPA is designed to empower individuals to share their data securely with third parties whereby they can provide consent through an innovative digital standard for every piece of their personal information via ‘consent managers’ (account aggregators with respect to financial data) — which, in turn, can provide an electronic dashboard to help individuals administer their consent artifact for real-time data processing. A consent ‘artifact’ is a machine-readable e-document that specifies the parameters of approved data sharing, where individual consents remain digitally signed.
Accordingly, other than DEPA, the layers of India Stack include Aadhaar-based e-KYC and e-Sign (for unique digital identification and digital contracts); Unified Payments Interface (“UPI”) (for mobile-based digital payments); and DigiLocker (providing access to a secure cloud-based platform for document storage, sharing and verification).
Europe, too, has struggled with monitoring age verification techniques. Its proposal for a European Digital Identity (“eID”) aims to enable minors prove their age (without disclosing other data) through the use of a personal digital identity wallet (e.g., on a mobile phone). The objective behind an interoperable digital identity wallet is for people to authenticate their identity, along with their key attributes (such as date of birth, medical history or bank balance). Already a leader of digital ID through Aadhaar, India could adopt a similar framework that enables individuals to choose and control which aspects of their identity and data they share with third parties.
This insight has been authored by Deborshi Barat (Counsel); he can be reached at email@example.com for any questions. A version of this insight was first published by The Hindu Businessline on October 22, 2023. This insight is intended only as a general discussion of issues and is not intended for any solicitation of work. It should not be regarded as legal advice and no legal or business decision should be based on its content.
© 2023 S&R Associates