In order to facilitate the implementation of India’s Digital Personal Data Protection Act (2023), the Centre released draft regulations on Friday night. The regulations said that youngsters would require permission from their parents or legal guardians in order to create social media accounts.
The Rules were released on August 11, 2023, a long time after the Act was ratified by the president.
Data fiduciaries, which include social media companies like Facebook, Instagram, and others that utilise and handle personal data, are required under the rules to get customers’ express consent before processing their personal data.
“A Data Fiduciary (DF) shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child and shall observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable,” it states, imposing strict guidelines on children’s access to social media accounts.
The Rules use the following example: “A child discloses her age to a data fiduciary (Facebook, Instagram, or X).” The DF will allow a parent of a child to identify herself via its app, website, or other suitable channels. The parent certifies that she is the legal guardian and tells DF that she has previously given the fiduciary access to her name and age information and is a registered user on its platform. The fiduciary must verify that the child’s personal information has accurate identification and age information of the parent before processing it to create her user account.
On the MyGov website, the government has asked for public comments on the Rules by February 18. According to the Rules, the DF’s notification to the Data Principal (consumers) must be unambiguous, stand-alone, and easy to comprehend.
In order to give the Data Principal a complete and clear description of the information required to give their informed permission for the processing of their personal data, it must use straightforward language. An itemised list of the personal data being gathered, a clear explanation of the processing’s goal, and a list of the products, services, or uses made possible by the processing should all be included in the notice. According to the Rules, the notice must include a communication link to the DF’s website or app and, if applicable, other ways for the Data Principal to exercise their rights, file complaints with the Data Protection Board as permitted by law, and withdraw consent as simply as possible.
According to the legislation, DF is any anyone who chooses the method and goal of processing personal data, either by themselves or in collaboration with others. According to the legislation, social media companies like Facebook, Instagram, WhatsApp, and X are considered DFs.
Data fiduciaries are also required by the Rules to designate a Consent Manager, who must be an Indian-incorporated business with a minimum net value of two crore rupees.
A search-cum-selection committee established by the Centre will choose the chairman of the Data Protection Board, which will receive applications to register the consent manager.
The Cabinet Secretary, the Secretary of the Ministry of Information Technology and Electronics, the Secretary of Legal Affairs, and two subject matter experts will serve as the committee’s leaders.
The Rules also outline the circumstances in which the verified consent requirement will not apply, such as when data is being utilised by childcare providers, educational institutions, and healthcare professionals.
According to the Rules, the State and its agencies may use people’s personal information to grant or provide subsidies, benefits, services, licenses, permits, or certifications as specified by law or policy, or to use public funds. The Rules further state that “processing in these cases must adhere to the specific standards which ensure lawful, transparent, and secure handling of personal data for such purposes.”