Safiya Malik

On January 3, 2025, the Ministry of Electronics and Information Technology published draft rules under the Digital Personal Data Protection Act, 2023, inviting public comments. These rules aim to implement a robust regulatory framework governing the collection, processing, and transfer of personal data, with specific provisions for children and individuals with disabilities.

The draft rules mandate that Data Fiduciaries—entities responsible for managing personal data, such as social media platforms, e-commerce companies, and gaming intermediaries—must secure verifiable parental consent before processing the personal data of children. The rules specify: “A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child and shall observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable if required in connection with compliance with any law for the time being in force in India, by reference to—

(a) reliable details of identity and age available with the Data Fiduciary; or

(b) voluntarily provided details of identity and age or a virtual token mapped to the same, which is issued by an entity entrusted by law or the Central Government or a State Government with the maintenance of such details or a person appointed or permitted by such entity for such issuance, and includes such details or token verified and made available by a Digital Locker service provider."

The draft rules provide detailed illustrations to clarify the process for obtaining verifiable parental consent in scenarios involving a child (C), their parent (P), and a Data Fiduciary (DF). These scenarios pertain to the creation of a user account for C on the online platform of DF by processing C's personal data.

Scenario 1: When C informs DF that she is a minor, DF must facilitate a process for P to establish her identity through its online platform or other suitable methods. If P is already a registered user on DF's platform and has previously submitted her identity and age information, DF must ensure these details are reliable before proceeding with the processing of C’s personal data to create her account.

Scenario 2: In cases where C notifies DF of her minor status, and P identifies herself as a parent but is not a registered user on DF's platform, DF is required to validate P’s identity and age. This can be done by referencing identity and age details issued by a government-authorized agency or through a virtual token linked to such details. P may voluntarily provide this information using a Digital Locker service or similar means.

Scenario 3: P confirms to DF that she is C’s parent and that she is already a registered user of the platform. P also declares that her identity and age details were submitted previously. In this situation, DF must verify the reliability of these existing details before initiating any processing of C’s personal data for the creation of her user account.

Scenario 4: P identifies herself as C’s parent but states that she is not a registered user on DF's platform. Here, DF must authenticate P’s identity and age by cross-referencing records maintained by government-authorized entities or by utilizing a virtual token mapped to such data. This information can also be provided by P through Digital Locker services voluntarily before DF processes C’s personal data.

In cases involving persons with disabilities, Data Fiduciaries must ensure that verifiable consent is obtained from guardians appointed under applicable laws, such as those designated by courts or local-level committees.

The mandate for parental consent does not apply to specific categories of fiduciaries, including health professionals, mental health professionals, and educational institutions.

The draft rules specify the requirement of obtaining informed consent from Data Principals (users) before processing their personal data. Data Fiduciaries are required to provide notices that are clear, specific, and detailed, enabling users to make informed decisions. These notices must include:

1. An itemized description of the personal data being processed.
2. The specific purpose for processing the data and the associated goods or services.
3. A communication link for withdrawing consent.

Further, fiduciaries are required to prominently display on their websites or applications the contact details of their Data Protection Officer (DPO) or another authorized individual responsible for addressing user queries about data processing. The draft rules also mandate the publication of grievance redressal timelines on fiduciaries’ digital platforms, ensuring accountability and user access to dispute resolution mechanisms.

The draft rules impose conditions on the transfer of personal data outside India. Any cross-border transfer is contingent upon meeting the requirements set by the Central Government, which may include restrictions concerning foreign states or entities. The rules ensure that such transfers align with national security, sovereignty, and public interest considerations.

Every Data Fiduciary must establish a transparent grievance redressal mechanism, providing users with clear timelines for resolving complaints. Consent Managers, entities tasked with managing users’ data-related permissions, must also publish grievance redressal details on their platforms to facilitate user engagement and compliance.

Ministry of Electronics and Information Technology  has invited objections and suggestions to the draft rules, which can be submitted via the MyGov portal (https://mygov.in)  until February 18, 2025.

[View/Download Gazette]