The Union government on Friday released the long-awaited draft of Digital Personal Data Protection rules, over a year after Parliament approved the Digital Data Protection Bill 2023. Notifying the draft rules, the Ministry of Electronics and Information Technology invited stakeholders to share feedback until February 18.


The draft rules lay down various precautionary measures, such as the need for parental consent for children under the age of 18 to create a social media account. The DPDP Act seeks to strengthen the legal framework for protecting digital personal data by providing necessary details and an actionable framework, a statement by the ministry said.


"Draft of rules proposed to be made by the central government in exercise of the powers conferred by sub-sections (1) and (2) of section 40 of the Digital Personal Data Protection Act, 2023 (22 of 2023), on or after the date of coming into force of the Act, are hereby published for the information of all persons likely to be affected thereby," the draft notification said.


"In line with the SARAL framework, certain principles like simple language, unnecessary cross referencing, contextual definition, and illustrations etc. have been used while drafting the rules," the ministry's statement read.


The draft rules include legal provisions such as ways to process children's data, the role of consent managers, and the formation of the Data Protection Board and its appointment details.


The draft rules set out the process for suspending or cancelling the registration of a consent manager in case of repeated violations. However, there is no mention of the penalties approved under the DPDP Act, 2023. The Act has a provision to impose a penalty of up to Rs 250 crore on data fiduciaries.


Data Fiduciaries


The Digital Personal Data Protection (DPDP) Act 2023 describes entities collecting and using personal data as "data fiduciaries". The draft defines the process for a notice given by a 'Data Fiduciary' (an organisation) to a 'Data Principal' (users) and the obligations of a 'Consent Manager'.


"A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach," read the draft rules.


In case of a data breach, the data fiduciary has to "intimate each affected data principal, in a concise, clear, and plain manner and without any delay, through her user account or any mode of communication registered by her."


The rules also define the process for the provision or issue of a benefit, service, subsidy, certificate, licence or permit by the State and its instrumentalities. However, the draft rules have not mentioned the penalties that were approved under the DPDP Act, 2023.


"The State and any of its instrumentalities may process the personal data of a Data Principal under clause (b) of section 7 of the Act to provide or to issue to her any subsidy, benefit, service, certificate, licence or permit that is provided or issued under law or policy or using public funds," the draft rules read.


Parent's Consent For Social Media


The draft rules specify that social media or online platforms will need a parent's "verifiable consent" before children can create an account. The identity of the parents and their age will have to be verified through voluntarily provided identity proof.


Only certain data fiduciaries including healthcare professionals and educational institutions will be permitted to process the personal data of children with some restrictions. 


"A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child," the draft rules say.


According to the draft, the data fiduciary will have to exercise due diligence to check that someone identifying themselves as the parent of a child is an adult and that they are identifiable if needed regarding compliance with any law in force in India.


Data fiduciaries will have to keep this information only for the period for which consent has been provided, and delete it thereafter. Those who fall under the category of data fiduciaries are e-commerce, social media, and gaming platforms.


Consent Managers


As per the rules, entities will be able to process personal data only if individuals give their consent to 'Consent Managers' – entities entrusted to manage records of consents of people.


As per the DPDP Act, a consent manager is a board-registered individual who acts as a point of contact "to enable a Data Principal to give, manage, review, and withdraw her consent through an accessible, transparent and interoperable platform".


"Consent Manager must be a company incorporated in India with sound financial and operational capacity, having a minimum net worth of two crore rupees, a reputation for fairness and integrity in its management, and a certified interoperable platform enabling Data Principals to manage their consent," an excerpt from the explanatory note shared by MeitY noted.


Formation Of Board


The draft also provides for the formation of the Data Protection Board by the central government to recommend candidates for the position of the board's chairman. "The committee will be led by the Cabinet Secretary, Secretary DLA, Secretary MeitY, and two other subject experts."


"A Search-cum-Selection Committee shall be formed by the Central Government to recommend candidates for the position of Chairperson of the Data Protection Board. The committee will be led by the Cabinet Secretary, Secretary MeitY, Secretary DLA and include two subject matter experts," MeitY stated in its explanatory note.


It will also recommend candidates for board members, while the Ministry of Electronics and Information Technology Secretary will oversee the process closely.