On Friday, the government unveiled the eagerly anticipated draft of the Digital Personal Data Protection Rules, which mandates that social media and online platforms must secure verifiable consent from parents before allowing children to create accounts. The draft specifies that parents’ identity and age will also need to be validated through identity proof that is voluntarily provided and issued by an authorized entity.
The guidelines stipulate that entities can utilize and process personal data only after individuals have granted their consent to consent managers, the appointed bodies responsible for managing consent records.
When processing data related to children, digital platforms are required to conduct due diligence to ensure that the individual claiming to be the child’s parent is indeed an adult and can be identified if necessary for legal compliance.
According to the draft, “A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child.”
This classification of data fiduciaries will encompass e-commerce, social media, and gaming platforms.
The draft rules further state that data fiduciaries must retain the data only for the duration for which consent has been granted, with the obligation to delete it afterwards.
These draft regulations come 14 months after Parliament approved the Digital Data Protection Bill 2023.
The draft notification indicates that the rules are proposed by the central government under the powers conferred by specific sections of the Digital Personal Data Protection Act, 2023, and are published for the awareness of all stakeholders potentially affected.
Notably, the draft discusses the process for suspending or cancelling the registration of consent managers in instances of repeated violations. However, it omits any mention of penalties established under the DPDP Act, 2023, which allows for fines reaching up to Rs 250 crore for data fiduciaries.
Shreya Suri, a Partner at IndusLaw, noted the expectations for thresholds in data breach reporting, indicating that smaller breaches might incur fewer compliance obligations. Yet, the current draft applies uniform treatment for all breaches, requiring consistent levels of reporting and notification to both the Data Protection Board and affected individuals, without discretion for data fiduciaries. Additionally, while some considerations for reasonable security practices are referenced, the lack of detailed guidance may lead to varied interpretations.
The draft rules have been published for public consultation, and the government will consider the feedback for finalizing the rules after February 18. Interested parties can review the draft on the MyGov website and provide their comments.
Mayuran Palanisamy, a Partner at Deloitte India, commented on the draft’s extensive nature, stating that it offers much-needed clarity for businesses in India regarding compliance. This includes obligations for Significant Data Fiduciaries, the registration and responsibilities of Consent Managers, and details about the structure and function of the Data Protection Board, as well as protocols for data breach notifications.
He cautioned that managing consent, which is central to the regulations, may present complex challenges for businesses. Maintaining consent records and allowing withdrawal of consent for specific purposes might require significant adjustments in the design and architecture of applications and platforms. Organizations will need to enhance both technical infrastructure and operational processes to effectively fulfill these requirements, focusing on revising data collection methods, implementing consent management systems, and establishing clear data lifecycle protocols.
(This story has not been edited by NDTV staff and is auto-generated from a syndicated feed.)