Govt Drafts Rules for Digital Data Protection: Focus on Child Privacy and Security

The Ministry of Electronics and Information Technology (MeitY) has published draft rules for the Digital Personal Data Protection Act (DPDP Act), emphasizing stringent guidelines to ensure the protection of children’s data.

A notable provision mandates that data fiduciaries must obtain verifiable parental consent before processing any child’s personal data.

The DPDP Act, passed by Parliament in August 2023, aims to bolster data privacy across digital platforms. Ministry of Electronics and Information Technology (MeitY) has invited public feedback on these draft rules via the MyGov portal until February 18, 2025.

Parental Consent for Child’s Data

As per the draft:

"A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child and shall observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable."

To establish identity, parents must provide government-issued IDs or use digital tokens linked to identity services, such as DigiLocker. These measures are aimed at protecting children’s privacy on social media platforms and websites.

Exemptions for Educational and Welfare Institutions

The draft rules propose exemptions for educational institutions and child welfare organizations, allowing them to process children’s data under specific conditions.

Obligations of Data Fiduciaries

Data fiduciaries are required to:

• Implement reasonable security safeguards like encryption and controlled access to prevent breaches.

• Notify affected individuals immediately in the event of a personal data breach. Notifications must be delivered in a “concise, clear, and plain manner.”

For data processing outside India, fiduciaries must adhere to requirements specified by the Central Government, ensuring no unauthorized sharing with foreign entities.

Consent Management and Regulatory Oversight

Consent managers must register with the Data Protection Board (DPB) and maintain a minimum net worth of ₹12 crore. The DPB will function as a digital regulatory body, conducting remote hearings and holding investigative and penalization powers.

The rules also clarify procedures for:

• Registration and obligations of consent managers.

• Establishment of the DPB, along with the Chairperson's and members’ service conditions.

Challenges and Industry Implications

According to Mayuran Palanisamy, Deloitte India partner:

“We foresee that businesses will face some complex challenges in managing consent as it forms the heart of the law. Maintaining consent artefacts and offering the option to withdraw consent for specific purposes could necessitate changes at the design and architecture level of applications and platforms. Further, organisations will need to invest in both technical infrastructure and processes to meet these requirements effectively. This includes relooking into data collection practices, implementing consent management systems and establishing clear data lifecycle protocols.”

These challenges may require companies to revamp application designs, adopt robust consent management systems, and revise their data collection practices.

Feedback and Next Steps

MeitY has clarified that feedback submissions will remain confidential, with only a summary being published post-finalization. The rules are expected to bring greater clarity to the processing of children’s data, data fiduciary obligations, and board operations.

Conclusion

The draft rules under the Digital Personal Data Protection Act mark a pivotal step in India’s journey toward robust digital privacy regulations. By mandating verifiable parental consent for children’s data, setting stringent guidelines for data fiduciaries, and establishing a Data Protection Board, the government aims to strike a balance between safeguarding individual privacy and fostering digital innovation.

However, the implementation of these rules presents significant challenges for businesses, requiring investments in infrastructure, consent management systems, and updated data practices. As the public feedback phase progresses, it will be crucial for all stakeholders—citizens, organizations, and policymakers—to collaborate in shaping a framework that ensures security and transparency in India’s growing digital landscape.

The finalized rules are poised to bring greater clarity and enforcement capabilities, paving the way for a more secure digital ecosystem. #DataProtection #DigitalPrivacy #ChildSafety #IndiaDigitalTransformation