IT minister Ashwini Vaishnaw said on Tuesday that the country has technological solutions to verify children’s age online, leveraging its digital infrastructure to implement the new draft data protection rules’ parental consent requirements even as he conceded that verifiable parental consent is a global problem.
The minister’s comments come against the backdrop of experts questioning how entities processing children’s data are supposed to obtain parental consent, especially without putting in a system mandating widespread age and identity verification of all users.
“What luckily we have in our country because of Digital India programme, Aadhaar and payment system is a lot of digitalisation. There is a very good digital architecture,” Vaishnaw said on Tuesday.
The minister outlined how virtual tokens, an industry-proposed solution that has worked “very well in the case of account aggregators and Aadhaar verification,” could verify identities. These tokens would be built by the industry and deleted after use, he contended. However, under the draft rules, consent records need to be maintained for seven years. It is not clear if that extends to these virtual tokens too.
“Let’s say you have a 16-digit Aadhaar number and you have a particular address in the school. Against this, a virtual token can be created,” he explained, adding that multiple systems including APAAR ID and state-level family IDs could be integrated.
Addressing privacy concerns, Vaishnaw dismissed suggestions that the system could enable surveillance. “We are not asking you to give your phone number which social media companies ask you to give. Through phone number, they already have all the information on you,” he said.
On data localisation, another contentious aspect, the minister emphasised that the provisions align with the parent act and would be implemented based on sectoral needs, and citizen and national interests. “It is not about creating a backdoor. The law already allowed for it [localisation]. All laws around the world have some form of this [restriction],” he said, citing examples including RBI’s payments data rules and China’s restrictions on EV manufacturers’ data exports.
The rules propose routing data localisation decisions through a committee of sector-specific experts. “Some sectors may not require restrictions at all, whereas some may require extreme restrictions, such as financial sectors,” Vaishnaw explained. The committee would include “the most qualified people,” including professors and domain experts (such as doctors and defence experts for health and defence sectors, respectivley) depending on the sector under consideration.
This, he said, has been done to prevent confusion and disruption in the industry caused by sectoral regulators notifying restriction on their own. The idea is to examine every sectoral restriction on data flows and discuss it with stakeholders before notification, he said.
Addressing other aspects of the rules, the minister said consent managers could follow NITI Aayog’s Data Empowerment and Protection Architecture framework and RBI’s account aggregator system. He clarified that consent managers would not be classified as data fiduciaries, though they must “act in a fiduciary capacity” with users according to the draft rules.
To be sure, RBI’s licensed account aggregators include entities such as PB Fintech (the parent entity of Policybazaar and Paisabazaar) and PhonePe. Under the draft rules, such entities cannot act as consent managers as the rules want CMs to “avoid” conflict of interest with data fiduciaries.
On funding the consent manager infrastructure, Vaishnaw pointed to India’s UPI payments system as a model, though he didn’t address how these entities would generate revenue given that UPI providers currently don’t earn from transactions.
On government access to data under Section 36, Vaishnaw said this provision allows law enforcement to obtain specific information, such as from WhatsApp or Twitter, but only for “very specific reasons” related to national security or sovereignty. “We don’t want the police to ask for information as a routine but only for very specific reasons,” he emphasised.
The minister also addressed concerns about online anonymity, questioning whether true anonymity exists on the internet. He said technological solutions exist to detect children online, but platforms have been unwilling to implement them. “Now we are telling in the law that they will have to do this [detect who is a child and who is an adult],” he said.
Regarding the draft rules’ reception, Vaishnaw claimed sentiment analysis showed 99% of responses were either positive or neutral. The negative responses, he said, primarily stemmed from misunderstandings about age verification implementation and concerns about increased compliance burden.