Government Unveils Draft Rules for Digital Personal Data Protection; Parental Consent Required for Children's Data
Click to start listening
New Delhi, Jan 3 (NationPress): The Ministry of Electronics and Information Technology has published the proposed regulations for the Digital Personal Data Protection Act, mandating that a Data Fiduciary must obtain verifiable consent from a parent before handling any personal data of a child. The Act received parliamentary approval in August 2023, and the government is inviting public feedback on these draft regulations via the MyGov portal until February 18, 2025.
The proposed regulations state, “A Data Fiduciary is required to implement suitable technical and organizational measures to ensure that a parent’s verifiable consent is acquired prior to processing any personal data of a child and must exercise due diligence to verify that the individual claiming to be the parent is indeed an adult who can be identified.”
To establish identity, government-issued IDs or digital tokens associated with identity services such as Digital lockers must be utilized.
This initiative aims to protect the privacy of children across various social media platforms and websites.
Moreover, the draft regulations propose exemptions from specific provisions concerning the processing of children's data for educational institutions and child welfare organizations.
Additionally, the draft stipulates that consent managers must register with the Data Protection Board and maintain a minimum net worth of Rs 12 crore.
The regulations advocate for the creation of a Data Protection Board as a governing entity, which will function as a digital office, facilitating remote hearings. This board is expected to possess the authority to investigate violations and impose penalties.
The draft outlines that a Data Fiduciary must safeguard personal data in its possession or under its control, including any processing conducted by it or on its behalf by a Data Processor, by implementing reasonable security measures to avert personal data breaches. These measures should encompass securing personal data through encryption and controlling access to the computer resources utilized for the data.
Furthermore, the regulations mandate that a Data Fiduciary must promptly notify each affected Data Principal about any personal data breach “in a concise, clear, and straightforward manner and without delay.”
The draft also indicates that the processing of personal data outside India is subject to the stipulation that the Data Fiduciary must comply with requirements as specified by the Central government concerning the availability of such personal data to any foreign state or its entities.
These rules are anticipated to clarify various aspects of the law, including notifications by data fiduciaries to individuals, the processing of children's personal data, and the registration and obligations of consent managers.
Moreover, the provisions will clarify the establishment of the Data Protection Board, including the appointment and service conditions of its Chairperson and members.
The Ministry has assured that submissions made during the consultation process will remain confidential, with only a summary of the feedback being published post-finalization of the regulations.
Commenting on these regulations, Deloitte India partner Mayuran Palanisamy stated: “We anticipate that businesses will encounter intricate challenges in managing consent, which is central to the law. Maintaining consent artifacts and providing options for consent withdrawal for specific purposes may require alterations at the design and architecture stages of applications and platforms. Additionally, organizations will need to invest in both technical infrastructure and processes to comply with these requirements efficiently. This includes reevaluating data collection practices, implementing consent management systems, and establishing clear data lifecycle protocols.”
