The parent may voluntarily make such details available using the services of a Digital Locker service provider: Draft Digital Personal Data Protection Rules
New Delhi, Jan 5: The government has released the long-awaited draft of Digital Personal Data Protection Rules which proposes to make parent’s verifiable consent and identification mandatory for creation of child’s user account on online or social media platforms, and also moots possible data localisation requirements for specified personal data.
Notably, the draft rules – which are key to operationalisation of the data protection Act – seek to make parental nod essential for processing of personal data of children. Further, parents’ identity and age will also have to be validated and verified through voluntarily provided identity proof “issued by an entity entrusted by law or the government”, say the draft rules.
A major – and a surprise – takeaway from the draft rules, according to industry experts, is the aspect of localisation and additional oversight on cross-border data sharing in specified cases.
On processing of personal data of child, the draft rules state: “A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child and shall observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable if required in connection with compliance with any law for the time being in force in India…”
This would have to be referenced to reliable details of identity and age available with the platform or entity itself, or through voluntarily provided details of identity and age or a virtual token mapped to the same, which is issued by an entity entrusted by law or the government.
Citing an example of how this would work, the rules said in case a child’s account is sought to be created on an online platform, the said entity will by referencing identity and age details (issued by an entity entrusted by law or the Government) check that the parent is indeed an identifiable adult.
“The parent may voluntarily make such details available using the services of a Digital Locker service provider,” it said.
As per the rules, entities will be able to use and process personal data only if individuals have given their consent to consent managers–which will be entities entrusted to manage records of consents of people.
Provision related to data localisation has also caught the industry’s attention. Industry watchers pointed out that while DPDP Act largely permits cross-border data sharing, except to blacklisted jurisdictions, the draft rules hint at the possibility of additional oversight.
On processing of personal data outside India, the rules propose that “transfer to any country or territory outside India of personal data processed by a Data Fiduciary… is subject to the restriction that the Data Fiduciary shall meet such requirements as the Central Government may, by general or special order, specify in respect of making such personal data available to any foreign State, or to any person or entity under the control of or any agency of such a State”.
Shreya Suri, Partner at IndusLaw noted that “an interesting development” is the introduction of potential obligations for significant data fiduciaries regarding cross-border data sharing.
In case of a data breach, entities will have to intimate affected individuals immediately giving a description of the breach, including its nature, extent and the timing and location of its occurrence; the consequences likely to arise from the breach; and risk mitigation measures being implemented. (PTI)
