The Ministry of Electronics and Information Technology on Friday unveiled the draft rules for the Digital Personal Data Protection Act which require a Data Fiduciary to ensure that verifiable consent of a parent is obtained before processing any personal data of a child.
The Act was passed in Parliament in August 2023 and the government is now inviting feedback through the MyGov portal till February 18, 2025.
As per the draft rules, "A Data Fiduciary shall take appropriate technical and organisational measures to ensure that verifiable consent of the parent is received prior to processing any personal data of a child and shall exercise due diligence, for ascertaining that the individual identifying herself as the parent is an adult who is identifiable." Government-issued IDs or digital tokens must be tied to identity services such as Digital lockers to establish identity.
This is to ensure that a child's privacy is maintained on different social media sites and other websites. The government will also extend the exclusion from these particular provisions relating to processing children's data to educational institutions and child welfare organizations, the draft rules suggested. The draft rules also require that consent managers register with the Data Protection Board and have a minimum net worth of Rs 12 crore.
The rules propose the setting up of a Data Protection Board as a regulatory body that would function as an office with virtual hearings. It is supposed to have the capacity to investigate breach cases and mandate penalties.
According to the draft rules, a Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent a personal data breach. Such steps would include securing personal data through its encryption and appropriate measures to control access to the computer resources used for the data.
The rules also make it mandatory for the Data Fiduciary to immediately intimate any personal data breach "to each affected Data Principal, in a concise, clear and plain manner and without delay". The rules further provide that the processing of personal data outside India shall be subject to the restriction that the Data Fiduciary shall meet such requirements as the Central government may, by general or special order, specify in respect of making such personal data available to any foreign state, or to any person or entity under the control of or any agency of such a state.
The rules are expected to provide clarity on various provisions of the law such as the notice by data fiduciary to individuals, processing of personal data of children, and registration and obligations of consent manager.
The rules also provide clarity regarding the setting up of the Data Protection Board, appointment and service conditions of the Chairperson and other members of the board.
MeitY has said that the submissions made during the consultation will not be disclosed, and that only a summary of the feedback received will be published after the finalisation of the rules.
Commenting on the rules, Deloitte India partner Mayuran Palanisamy said: "We foresee that businesses will face some complex challenges in managing consent as it forms the heart of the law. Maintaining consent artefacts and offering the option to withdraw consent for specific purposes could necessitate changes at the design and architecture level of applications and platforms."
Besides, organizations will need to invest in both technical infrastructure and processes in order to meet these requirements effectively.
This involves revisiting data collection practices, implementing consent management systems and establishing clear data lifecycle protocols.