NEW DELHI, Jan 4: The Central Government has released the long-awaited draft of the Digital Personal Data Protection (DPDP) rules, introducing new provisions that mandate parental consent for children under 18 to create accounts on online or social media platforms. The rules also require parents to validate their identity and age, ensuring the consent is verifiable before any personal data of children is processed by online entities.
The draft rules are central to the implementation of the Data Protection Act, aiming to protect children’s personal data in the digital space. According to the draft, a “Data Fiduciary,” the entity processing personal data, must ensure that a parent has provided verifiable consent before it processes a child’s personal data. The rules also specify that parents’ identity and age must be validated through proof issued by an entity authorized by the law or government.
A notable addition to the draft rules, which has surprised industry experts, is the emphasis on data localization and more stringent oversight of cross-border data sharing. The rules state that a “Significant Data Fiduciary” must ensure that certain personal data and traffic data do not leave the country. These data fiduciaries are entities that manage large volumes of personal data or sensitive data, and their processing methods are subject to strict regulations to ensure the protection of individuals’ rights and India’s sovereignty.
The draft rules explain that if a child’s account is to be created on an online platform, the platform must reference verified identity and age details to confirm that the parent is an identifiable adult. The parent may use services like a Digital Locker provider to voluntarily make these details available. This process will ensure compliance with Indian laws and regulations.
Another key feature of the rules is the provision for “consent managers,” entities tasked with managing and recording users’ consent for the processing of personal data. These consent managers must confirm that individuals have granted permission for their data to be used.
Furthermore, the draft includes provisions that would require significant data fiduciaries to carry out a Data Protection Impact Assessment (DPIA) and an audit every year. This assessment ensures that the processing of personal data is in line with the Data Protection Act and the rules. These fiduciaries must also ensure that the algorithmic software they use for data processing does not compromise individuals’ rights.
In terms of cross-border data sharing, the draft rules propose that data fiduciaries must comply with specific requirements outlined by the Central Government if transferring personal data outside India. These transfers must be conducted under strict conditions, as the government may restrict data flows to certain countries or entities. This could signal additional oversight for cross-border data sharing, even for countries that are not on a “blacklist.”
Shreya Suri, a Partner at IndusLaw, highlighted the new obligations for significant data fiduciaries regarding cross-border data transfers. While the DPDP Act generally permits such transfers, the draft rules suggest that certain personal data may face additional restrictions based on a committee’s recommendations. This adds a new layer to the regulatory framework that stakeholders will need to carefully consider.
In the event of a data breach, the rules also stipulate that affected individuals must be promptly informed. Entities must provide a detailed description of the breach, including its nature, scope, timing, and potential consequences, along with the risk mitigation measures being implemented.