The government has revealed the draft of the Digital Personal Data Protection Rules, which are essential for the effective enforcement of the Digital Personal Data Protection Act 2023. These draft regulations outline the procedure for obtaining explicit consent from individuals and stipulate the need for parental consent when handling children’s data.
Key Highlights of the Draft Rules
– Mandatory Parental Consent: Parents are required to provide verifiable consent for their children to access online or social media platforms.
– Identity Verification: The identity and age of parents must be verified using valid identification from an entity recognised by law or the government.
The draft rules state, “A Data Fiduciary must implement appropriate technical and organisational measures to ensure that the verifiable consent of the parent is secured prior to processing any personal data of a child. They must carry out due diligence to confirm that the individual claiming to be the parent is indeed an adult, who can be identified if necessary, in compliance with applicable laws in India.”
Entities are allowed to use and process personal data only when individuals provide consent to consent managers—specific entities designated to oversee consent records. Digital platforms that manage children’s data must implement robust checks to verify that the individual claiming to be the parent is indeed an adult. For creating accounts for children on online platforms, identity verification of the parent will be executed via services such as Digital Locker.
Data Fiduciary Responsibilities
Ecommerce, social media, and gaming platforms are categorized as data fiduciaries under these rules.
– Retention Duration: Data fiduciaries must retain personal data only for the duration agreed upon and delete it thereafter.
– Consent Manager Compliance: There are specific conditions for the suspension or cancellation of consent managers’ registration upon repeated violations.
Additionally, entities classified as Significant Data Fiduciaries, according to the DPDP Act, will face heightened responsibilities, such as conducting annual Data Protection Impact Assessments and audits. They must also ensure that their algorithms do not infringe on individual rights.
Data Localization and Cross-Border Data Sharing
An unexpected aspect of the draft rules pertains to data localization and the governance of cross-border data transfers. While the DPDP Act generally permits cross-border data flow, excluding blacklisted jurisdictions, the draft suggests possible constraints. It indicates that significant data fiduciaries should process certain personal data solely within India, based on the recommendations of a government-established committee.
Regarding the transfer of personal data outside India, the draft specifies, “Transfer to any country or territory outside India of personal data processed by a Data Fiduciary… is conditional upon adherence to requirements set forth by the Central Government through general or special orders regarding the accessibility of such personal data to any foreign State or to any person or entity that is under the control of or an agency of such State.”
Data Breach Notification Requirements
In the event of a data breach, entities are obligated to swiftly inform affected individuals, providing details about the breach’s nature, extent, timing, and location, as well as potential impacts and the steps being taken to address the situation.
The draft rules are presently open for public consultation on the MyGov website and will be finalised after February 18. Industry experts, including IndusLaw Partner Shreya Suri and Deloitte India Partner Mayuran Palanisamy, have shared their views on the proposed regulations. Suri noted the consistent treatment of data breaches while highlighting the absence of comprehensive guidelines on reasonable security measures. Palanisamy underlined the detailed directives for businesses, emphasising the difficulties in managing consent and the essential need for investment in technological infrastructure and processes.
The Digital Personal Data Protection Act 2023, which was approved 14 months ago, stipulates penalties of up to ₹250 crore for breaches of personal data, although these draft rules do not explicitly mention these penalties.






