
Draft rules for digital personal data protection released; focus on consent, no penalties mentioned

A provision in the draft emphasises that data fiduciaries must adopt technical and organisational measures to obtain verifiable parental consent before processing a child’s personal data

New Delhi: The Indian government has released the draft Digital Personal Data Protection Rules, specifying key obligations for platforms such as social media, e-commerce businesses, and gaming companies. The draft requires platforms to secure verifiable parental consent before children can create accounts, validated through identity proof issued by a government-authorised entity.

The rules require that personal data be processed only with individuals' consent, which must be recorded and managed through designated consent managers. These entities will maintain a registry of consents and ensure compliance. For platforms dealing with children's data, the draft proposes stringent verification measures to confirm the identity of parents as adults who are legally accountable.

A provision in the draft emphasises that data fiduciaries must adopt technical and organisational measures to obtain verifiable parental consent before processing a child’s personal data. Data fiduciaries, tasked with managing personal data, are also required to retain data only for the duration agreed upon in the consent and must delete it thereafter. Non-compliance by consent managers could lead to suspension or cancellation of their registration, though the draft omits any penal provisions.

Unlike the Digital Personal Data Protection Act of 2023, which includes penalties of up to ₹250 crore for violations, the current draft does not specify fines. The rules, published 14 months after the passage of the Digital Personal Data Protection Bill, 2023, are open for public consultation until 18 February and can be accessed on the MyGov platform.

Legal experts have noted both strengths and ambiguities in the draft. They observed that while the rules address breach reporting and reasonable security practices, the lack of detailed guidance could lead to varied interpretations. Concerns were also raised about uniform reporting requirements for breaches, regardless of their severity, potentially overburdening data fiduciaries.

Operational challenges for businesses were highlighted, particularly in managing consent mechanisms. Industry specialists indicated that companies may need to overhaul application designs, data collection methods, and operational protocols to meet the draft's requirements. Significant investments in technical infrastructure and process adjustments are likely to be needed to ensure compliance.

The draft rules also outline responsibilities for Significant Data Fiduciaries, such as compliance measures and establishing a Data Protection Board. This board will oversee grievances, data breaches, and the exercise of rights by data principals.

While the draft provides direction for aligning data management practices with regulatory expectations, the absence of detailed guidance in key areas and the lack of penal clauses suggest scope for further deliberation before the rules are finalised.

BI Bureau