On January 3, 2025, the Ministry of Electronics and Information Technology (MeitY) released draft rules under the Digital Personal Data Protection Act 2023 for public consultation. These proposed rules introduce significant provisions for the protection and processing of personal data, especially concerning children and individuals with disabilities.
The draft rules emphasize verifiable parental consent for children’s data processing and outline guidelines for data transfer, consent management, and grievance redressal mechanisms. Here are the key takeaways:
Parental Consent for Processing Children’s Data
The draft rules require data fiduciaries—such as social media platforms, e-commerce sites, and gaming platforms—to obtain verifiable consent from parents or lawful guardians before processing a child’s personal data.
Verification Process for Parental Consent:
- Case 1: If the child (C) informs the data fiduciary (DF) of being underage, DF must verify the parent’s (P) identity using details previously provided on their platform.
- Case 2: If the parent is not registered with DF, identity and age details must be verified using government-approved entities or virtual tokens, such as Digital Locker services.
- Cases 3 and 4: Similar diligence applies, with verification tailored to whether the parent is registered or not, ensuring compliance with legal norms.
Exceptions:
The parental consent mandate does not apply to:
- Health professionals
- Mental health professionals
- Educational institutions
Guardian Verification for Persons with Disabilities
The rules specify due diligence for verifying the identity of guardians for individuals with disabilities. Verification should confirm that the guardian is lawfully appointed by a court, designated authority, or local committee.
Informed Consent for Data Processing
Data fiduciaries are mandated to issue clear and plain-language notices detailing:
- The specific personal data being processed.
- The purpose and scope of the data processing.
- A link for withdrawing consent.
Additionally, data fiduciaries must publish the contact details of their Data Protection Officer (DPO) or a designated representative to address user grievances.
Grievance Redressal Systems
Every data fiduciary must:
- Specify the timeframes for grievance redressal on its website or app.
- Ensure that grievance mechanisms are accessible to data principals.
Data Transfers Outside India
The rules impose restrictions on cross-border data transfers:
- Personal data processed within India or related to Indian users may only be transferred if the Central Government permits it through a general or special order.
- Specific requirements may be imposed for sharing data with foreign states, entities, or their agencies.
Public Participation in Rule-Making
Objections and suggestions to these draft rules can be submitted on the MyGov website (https://mygov.in) until February 18, 2025. This consultation aims to incorporate public feedback before the rules are finalized.
Impact of the Draft Rules
These rules aim to enhance transparency, accountability, and data protection in the digital space. By introducing robust measures for parental consent, grievance redressal, and cross-border data processing, the framework aligns with global privacy standards while catering to India’s unique digital ecosystem.