
Draft Data Protection Rules define parental consent and cross-border data sharing norms


The government has released the draft of the Digital Personal Data Protection Rules, key to operationalising the Digital Personal Data Protection Act 2023. The draft rules specify mechanisms for obtaining explicit consent from individuals and mandate parental consent for the use of children's data in any form.

Parents’ verifiable consent and identification will be mandatory for creating a child’s user account on online or social media platforms. Parental identity and age will need to be validated and verified through voluntarily provided identity proof issued by an entity entrusted by law or the government.

“A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child and shall observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable if required in connection with compliance with any law for the time being in force in India,” the draft rules state.

Entities will only be able to use and process personal data if individuals have given their consent to consent managers—entities entrusted to manage records of consent. For children’s data processing, digital platforms must ensure due diligence to verify that the person identifying as the parent is an adult.

In case of a child’s account creation on an online platform, the platform will verify the parent’s identity using services like Digital Locker.

Ecommerce, social media, and gaming platforms will fall under the category of data fiduciaries. The draft specifies that data fiduciaries must keep personal data only for the duration consented to and delete it afterward. Additionally, it outlines the process of suspending or canceling registration of consent managers in case of repeated violations.

Significant Data Fiduciaries, as defined by the DPDP Act, will have additional obligations, including annual Data Protection Impact Assessments and audits. They must also ensure that algorithmic software deployed does not pose a risk to individual rights.

An unexpected provision in the draft rules is related to data localization and oversight on cross-border data sharing. While the DPDP Act largely permits cross-border data sharing except to blacklisted jurisdictions, the draft introduces potential restrictions. It proposes that significant data fiduciaries process specified personal data within India, as recommended by a committee constituted by the government.

On processing personal data outside India, the draft rules state, “Transfer to any country or territory outside India of personal data processed by a Data Fiduciary… is subject to the restriction that the Data Fiduciary shall meet such requirements as the Central Government may, by general or special order, specify in respect of making such personal data available to any foreign State, or to any person or entity under the control of or any agency of such a State.”

In the event of a data breach, entities will need to inform affected individuals immediately, providing details of the breach, including its nature, extent, timing, and location, as well as its potential consequences and the mitigation measures being implemented.

The draft rules, published for public consultation on the MyGov website, will be finalised after February 18. Industry experts, including IndusLaw Partner Shreya Suri and Deloitte India Partner Mayuran Palanisamy, have shared their perspectives on the rules.

Suri highlighted the uniform treatment of data breaches and the lack of detailed guidance on reasonable security practices. Palanisamy noted the draft’s detailed direction for businesses, emphasising challenges in managing consent and the need for investment in technical infrastructure and processes.

The Digital Personal Data Protection Act 2023, passed 14 months ago, provides for penalties of up to ₹250 crore for personal data breaches, although the draft rules do not mention these penalties explicitly.




