Draft Digital Personal Data Protection Rules Mandate Parental Consent for Children's Data Processing

The government has unveiled the draft Digital Personal Data Protection Rules. These rules propose that parents must give verifiable consent and identification for creating a child's online account. The draft also suggests potential data localisation requirements for certain personal data. Parental approval is essential for processing children's personal data, with identity and age verification required through legal or government-issued proof.

Data Localisation and Cross-Border Oversight

A surprising element in the draft is the focus on data localisation and oversight on cross-border data sharing. While the DPDP Act generally allows cross-border data sharing, except with blacklisted regions, the draft hints at additional scrutiny. It states that significant data fiduciaries must ensure certain personal data isn't transferred outside India, based on government recommendations.

Entities can process personal data only if individuals consent through consent managers. These managers are tasked with maintaining consent records. The draft specifies that significant data fiduciaries must conduct a Data Protection Impact Assessment annually. They must also audit to ensure compliance with the Act's provisions.

Significant Data Fiduciaries' Responsibilities

Significant data fiduciaries are determined by the volume and sensitivity of processed data, risks to individuals' rights, and potential impacts on India's sovereignty and security. They must verify that their algorithmic software doesn't risk individual rights. Additionally, they must ensure personal data isn't transferred outside India without meeting government-specified requirements.

In case of a child's account creation, entities must verify parental identity using details from a legally entrusted entity. Parents can provide these details via a Digital Locker service provider. This ensures only identifiable adults can create accounts for children on online platforms.

Data Breach Protocols

If a data breach occurs, entities must immediately inform affected individuals. They should describe the breach's nature, extent, timing, location, potential consequences, and risk mitigation measures being implemented. This ensures transparency and accountability in handling personal data breaches.

Shreya Suri from IndusLaw highlighted the new obligations for significant data fiduciaries regarding cross-border data sharing. While the Act permits such transfers, the draft suggests more oversight. A committee might recommend restricting certain personal data from being transferred outside India, adding complexity to regulations.

The draft rules emphasise parental consent for children's data processing and introduce potential localisation requirements. Significant data fiduciaries have added responsibilities to ensure compliance and protect individual rights. These developments mark important considerations for stakeholders in India's digital landscape.