In a landmark move aimed at safeguarding children’s digital privacy, the Indian government has introduced draft rules under the Digital Personal Data Protection Act 2023 (DPDP). These rules mandate verifiable parental consent for children under 18 to access social media platforms in the country. The Act, which was passed by Parliament in August 2023, reflects the growing global emphasis on protecting minors in the online world.

With public comments on the draft rules open until February 18, the guidelines aim to reshape the way personal data is handled by businesses and provide much-needed clarity to the industry.


Key Highlights of the Draft Rules

1. Verifiable Parental Consent for Minors

Under the draft rules, anyone below 18 years of age is classified as a child. Social media platforms and other data fiduciaries are required to ensure that children seeking access to their platforms have explicit parental consent.

This provision has been designed with a real-world, flexible approach, giving companies the freedom to determine how to obtain and verify such consent. This step aims to strike a balance between protecting children and ensuring smooth implementation for businesses.

2. Categorization of Data Fiduciaries

For the first time, the rules divide data fiduciaries into three broad categories:

  • E-commerce Companies
  • Gaming Intermediaries
  • Social Media Firms

Each category will have specific obligations to ensure compliance with the Act, fostering accountability and transparency in handling personal data.

3. Data Retention and Deletion

Inactive user data poses a significant risk in terms of privacy and security. The draft mandates that data fiduciaries must delete personal data of users who have been inactive on their platforms for more than three years. This move ensures that dormant accounts do not become a source of data exploitation.

4. Stringent Data Breach Reporting

In case of a data breach, companies must inform the newly established Data Protection Board within 72 hours. Additionally, users must be informed of the breach in a concise, clear, and plain manner without delay. This notification must include:

  • The nature and extent of the breach.
  • Timing and location of the incident.
  • The impact on the user.
  • Risk mitigation measures being taken.
  • Contact information of the responsible person for further queries.

5. Potential Return of Data Localisation

A notable inclusion in the draft is the provision for the reintroduction of data localisation requirements. The rules state that a committee may decide to enforce localisation for specific types of sensitive personal data in the future. This could have a significant impact on international companies operating in India, as data localisation requires storing certain data within the country.


Industry Reactions

Experts have expressed a mix of optimism and concern over the draft rules.

  • Aparajita Bharti, founding partner of The Quantum Hub Consulting, stated, “The DPDP Rules have been much awaited and give a broad direction to the industry to start thinking about implementation. However, the mention of potential data localisation requirements could be a concern for significant data fiduciaries.”
  • Neha Chaudhari, Partner at Ikigai Law, praised the flexibility of the parental consent provision, saying, “It’s good that it’s not overly prescriptive. Data fiduciaries can choose how to do it.”

While the rules provide clear guidelines on data handling, the possibility of mandatory data localisation has sparked debates about its impact on operational costs and global trade.


Implications for Businesses

  1. Increased Compliance Obligations: Social media companies, e-commerce platforms, and gaming firms will need to revise their operations to incorporate mechanisms for parental consent, data retention policies, and breach notifications.
  2. Data Privacy Focus: Businesses must adopt robust data privacy practices to protect user information and avoid penalties.
  3. Localisation Costs: If data localisation is enforced, companies may face increased infrastructure and operational costs to comply with the regulation.
  4. User Trust: Enhanced privacy measures and timely breach notifications are likely to foster trust among users, especially in the digitally savvy Indian market.

Conclusion

The draft rules under the Digital Personal Data Protection Act 2023 are a significant step forward in ensuring data privacy, particularly for minors. By mandating parental consent, streamlining data retention policies, and enforcing breach notifications, the rules aim to create a safer digital environment for Indian users.

As businesses prepare to comply with these regulations, it is crucial to strike a balance between user protection and operational efficiency. The ongoing feedback period until February 18 provides stakeholders an opportunity to share their concerns and suggestions, ensuring that the final implementation is both robust and practical.

For businesses and individuals alike, these rules are a reminder of the growing importance of data privacy in the digital age.
