New Delhi, Jan 4: The Ministry of Electronics and Information Technology on Friday released the draft rules for the Digital Personal Data Protection Act which make it mandatory for a Data Fiduciary to ensure verifiable consent of a parent before processing any personal data of a child. The Act was passed in Parliament in August 2023 and the government is seeking feedback on the draft rules through the MyGov portal till February 18, 2025.

According to the draft rules, “A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child and shall observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable.”

The identity must be established through government-issued IDs or digital tokens linked to identity services like Digital lockers. This is aimed at ensuring the privacy of a child on various social media platforms and other websites. The draft rules also propose that the government extend exemptions from these specific provisions on the processing of children's data to educational institutions and child welfare organisations.

The draft rules also state that consent managers must register with the Data Protection Board and must have a minimum net worth of Rs 12 crore. The rules propose the establishment of a Data Protection Board as a regulatory body which will operate as a digital office, with remote hearings. It is envisaged to have powers to investigate breaches and enforce penalties.

According to the draft rules, a Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent a personal data breach. Such steps would include securing personal data through its encryption and appropriate measures to control access to the computer resources used for the data.

The rules also make it mandatory for the Data Fiduciary to immediately intimate any personal data breach "to each affected Data Principal, in a concise, clear and plain manner and without delay".

The rules further state that the processing of personal data outside India is subject to the restriction that the Data Fiduciary shall meet such requirements as the Central government may, by general or special order, specify in respect of making such personal data available to any foreign state, or to any person or entity under the control of or any agency of such a state.

The rules are expected to provide clarity on various provisions of the law such as the notice by data fiduciary to individuals, processing of personal data of children, and registration and obligations of consent manager. The rules also provide clarity regarding the setting up of the Data Protection Board, appointment and service conditions of the Chairperson and other members of the board.

MeitY has said that the submissions made during the consultation will not be disclosed, and that only a summary of the feedback received will be published after the finalisation of the rules.

Commenting on the rules, Deloitte India partner Mayuran Palanisamy said: "We foresee that businesses will face some complex challenges in managing consent as it forms the heart of the law. Maintaining consent artefacts and offering the option to withdraw consent for specific purposes could necessitate changes at the design and architecture level of applications and platforms. Further, organisations will need to invest in both technical infrastructure and processes to meet these requirements effectively. This includes relooking into data collection practices, implementing consent management systems and establishing clear data lifecycle protocols."