2023 年數位個人資料保護規則草案已通知，要求家長同意處理兒童數據

電子資訊部週五（1月3日）向社會公開徵求《2023年數位個人資料保護法》規則草案。

The Ministry of Electronics and Information Technology on Friday notified the draft rules under the Digital Personal Data Protection Act 2023 for public comments.

電子與資訊科技部週五通報了《2023年數位個人資料保護法》規則草案，徵求公眾意見。

The draft rules, among others, propose to mandate parental consent for data-fiduciaries to process the personal data of children. Data-fiduciaries include social media intermediaries, e-commerce companies, gaming platforms etc.

除此之外，該規則草案建議強制資料受託人徵得父母同意才能處理兒童的個人資料。資料受託人包括社群媒體中介機構、電子商務公司、遊戲平台等。

The rules state :

規則規定：

"A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child and shall observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable if required in connection with compliance with any law for the time being in force in India, by reference to—

「資料受託人應採取適當的技術和組織措施，確保在處理兒童的任何個人資料之前獲得父母的可驗證同意，並應進行盡職調查，以檢查自稱父母的個人是否為成年人如果需要遵守印度目前有效的任何法律，可以透過參考以下內容來識別誰：

(a) reliable details of identity and age available with the Data Fiduciary; or

(a) 資料受託人提供的可靠的身分和年齡詳細資料；或者

(b) voluntarily provided details of identity and age or a virtual token mapped to the same, which is issued by an entity entrusted by law or the Central Government or a State Government with the maintenance of such details or a person appointed or permitted by such entity for such issuance, and includes such details or token verified and made available by a Digital Locker service provider."

(b) 自願提供身分和年齡的詳細資訊或與其映射的虛擬代幣，該虛擬代幣由法律或中央政府或州政府委託維護此類詳細資訊的實體或由其指定或允許的人員發行此類發行的實體，並包括由數位儲物櫃服務提供者驗證和提供的此類詳細資訊或令牌。

The rules give out the following illustrations:

規則給了以下說明：

C is a child, P is her parent, and DF is a Data Fiduciary. A user account of C is sought to be created on the online platform of DF, by processing the personal data of C.

C 是孩子，P 是她的父母，DF 是資料受託人。透過處理 C 的個人數據，尋求在 DF 的線上平台上建立 C 的使用者帳戶。

Case 1: C informs DF that she is a child. DF shall enable C's parent to identify herself through its website, app or other appropriate means. P identifies herself as the parent and informs DF that she is a registered user on DF's platform and has previously made available her identity and age details to DF. Before processing C's personal data for the creation of her user account, DF shall check to confirm that it holds reliable identity and age details of P.

案例1：C告訴DF她是個孩子。 DF 應讓 C 的家長透過其網站、應用程式或其他適當方式識別自己的身分。 P 表明自己是家長，並告知 DF，她是 DF 平台上的註冊用戶，並且之前已向 DF 提供了她的身份和年齡詳細資訊。在處理 C 的個人資料以建立其使用者帳戶之前，DF 應檢查以確認其持有 P 的可靠身分和年齡詳細資料。

Case 2: C informs DF that she is a child. DF shall enable C's parent to identify herself through its website, app or other appropriate means. P identifies herself as the parent and informs DF that she herself is not a registered user on DF's platform. Before processing C's personal data for the creation of her user account, DF shall, by reference to identity and age details issued by an entity entrusted by law or the Government with maintenance of the said details or to a virtual token mapped to the same, check that P is an identifiable adult. P may voluntarily make such details available using the services of a Digital Locker service provider.

案例2：C告訴DF她是個孩子。 DF 應讓 C 的家長透過其網站、應用程式或其他適當方式識別自己的身分。 P 表示自己是家長，並告知 DF，她本身不是 DF 平台的註冊用戶。在處理 C 的個人資料以建立其使用者帳戶之前，DF 應參考法律或政府委託維護上述詳細資訊的實體發布的身份和年齡詳細資訊或映射到該詳細資訊的虛擬代幣，檢查P 是可識別的成年人。 P 可以使用數位儲物櫃服務提供者的服務自願提供此類詳細資訊。

Case 3: P identifies herself as C's parent and informs DF that she is a registered user on DF's platform and has previously made available her identity and age details to DF. Before processing C's personal data for the creation of her user account, DF shall check to confirm that it holds reliable identity and age details of P.

案例3：P自稱是C的家長，並告知DF，她是DF平台的註冊用戶，並且之前已向DF提供了她的身份和年齡詳細資料。在處理 C 的個人資料以建立其使用者帳戶之前，DF 應檢查以確認其持有 P 的可靠身分和年齡詳細資料。

Case 4: P identifies herself as C's parent and informs DF that she herself is not a registered user on DF's platform. Before processing C's personal data for the creation of her user account, DF shall, by reference to identity and age details issued by an entity entrusted by law or the Government with maintenance of the said details or to a virtual token mapped to the same, check that P is an identifiable adult. P may voluntarily make such details available using the services of a Digital Locker service provider.

案例4：P自稱是C的家長，並告知DF，她本身不是DF平台的註冊用戶。在處理 C 的個人資料以建立其使用者帳戶之前，DF 應參考法律或政府委託維護上述詳細資訊的實體發布的身份和年齡詳細資訊或映射到該詳細資訊的虛擬代幣，檢查P 是可識別的成年人。 P 可以使用數位儲物櫃服務提供者的服務自願提供此類詳細資訊。

A Data Fiduciary, while obtaining verifiable consent from an individual identifying herself as the lawful guardian of a person with disability, shall observe due diligence to verify that such guardian is appointed by a court of law, a designated authority or a local level committee, under the law applicable to guardianship.

資料受託人在獲得自稱為殘疾人合法監護人的個人的可驗證同意時，應進行盡職調查，以核實該監護人是由法院、指定機構或地方委員會根據以下規定指定的：適用於監護權的法律。

However, the mandate on parental consent are not applicable to data fiduciaries, who are health professionals, mental health professionals, or engaged by educational institutions.

然而，父母同意的強制規定不適用於資料受託人，他們是健康專業人員、心理健康專業人員或由教育機構聘用的。

The rules also specify the contents of the notice to be given by data fiduciaries to obtain the informed consent of users(data principals) to process their personal data.

該規則還規定了資料受託人為獲得使用者（資料主體）處理其個人資料的知情同意而發出的通知的內容。

The notice should give, in clear and plain language, a fair account of the details necessary to enable the Data Principal to give specific and informed consent for the processing of her personal data, which shall include, at the minimum,—

該通知應以清晰、通俗易懂的語言公平地說明必要的細節，使資料主體能夠就其個人資料的處理給予具體和知情的同意，其中至少應包括：

(i) an itemised description of such personal data; and

(i) 此類個人資料的詳細描述；和

(ii) the specified purpose of, and an itemised description of the goods or services to be provided or uses to be enabled by, such processing.

(ii) 此類處理的具體目的以及要提供的商品或服務或透過此類處理實現的用途的詳細描述。

A communication link to withdraw consent should also be given.

也應提供撤回同意的通信連結。

Every Data Fiduciary shall prominently publish on its website or app, and mention in every response to a communication for the exercise of the rights of a Data Principal under the Act, the business contact information of the Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary the questions of the Data Principal about the processing of

每位資料受託人應在其網站或應用程式的顯著位置發布資料保護官（如果適用）或個人的業務聯絡信息，並在對根據該法案行使資料委託人權利的通信的每次回復中提以及誰能夠代表資料受託人回答資料委託人有關處理資料的問題