NEW DELHI, Jan 4: The recently released draft Digital Personal Data Protection (DPDP) rules, which require parents to provide verifiable consent for creating child user accounts on social media platforms and impose data localization mandates for certain types of personal data, could significantly impact large tech corporations. Experts indicate that businesses may encounter “complex challenges” in managing consent, which is central to data protection regulations.
Deloitte India emphasizes that maintaining consent records and allowing users to withdraw their consent for specific purposes will require fundamental design and architectural changes to applications and platforms.
This commentary follows the government’s release of the much-anticipated draft of the DPDP rules, which aim to mandate parental consent and identification for creating child user accounts on online or social media platforms, along with possible data localization requirements for specific personal information.
Industry observers note that provisions regarding data localization and increased oversight on cross-border data sharing may face pushback from the industry, particularly from major tech firms like Meta, Amazon, and Google.
Probir Roy Chowdhury, Partner at JSA, Advocates & Solicitors, expressed concerns about certain elements of the DPDP rules. “For instance, the rules allow the government to impose data localization requirements on significant data fiduciaries/controllers, which could be difficult to enforce,” Chowdhury stated, while also acknowledging that the draft regulations bring much-needed clarity on various compliance-related matters within the DPDP Act.
The draft rules stipulate: “A significant data fiduciary must take measures to ensure that personal data designated by the central government, based on a committee’s recommendations, is processed under the stipulation that personal data and associated traffic data are not transferred outside India’s borders.”
Notably, the draft rules seek to give effect to the Act by making verifiable parental consent a precondition for processing a child's personal data.
The parent's identity and age must be verified against identity proof that the parent voluntarily supplies and that has been issued by a government body or an authorized entity.
“We anticipate that companies will face considerable challenges in managing consent as it is fundamental to the law. Maintaining consent records and enabling withdrawal of consent for specific purposes might necessitate changes in the design and architecture of applications and platforms,” remarked Mayuran Palanisamy, Partner at Deloitte India.
Palanisamy added that businesses will need to invest in both technical infrastructure and procedural adjustments to effectively adhere to these requirements, which includes reassessing data collection practices, implementing consent management systems, establishing clear data lifecycle protocols, and ensuring these practices are integrated at the implementation level.
“The DPDP rules are comprehensive and provide much-needed guidance to businesses in India regarding their compliance obligations, such as the responsibilities of significant data fiduciaries, the registration and obligations of consent managers, and the establishment and operation of the Data Protection Board,” Deloitte India noted.
Shreya Suri, Partner at IndusLaw, observed that while the draft rules clarify some aspects of how notices should be framed and displayed under the Digital Personal Data Protection Act, they fall short of providing explicit guidance regarding the method of issuance or delivery, an area well defined within GDPR.
In the absence of clearer guidelines, much may be left to market practices and stakeholder discretion, Suri suggested.
Another expected feature was the introduction of thresholds for reporting data breaches. The current draft treats all breaches uniformly: every breach must be reported to the Data Protection Board and notified to the affected data principals, with no discretion left to data fiduciaries for minor incidents.
“Furthermore, although the rules specify certain reasonable security practices, the lack of detailed guidance leads to various interpretations. Stakeholders will likely adopt practices that align with the nature and volume of their data processing, but additional government guidance is essential to ensure consistency and compliance across the industry,” she added.
Suri also noted that the draft rules provide limited insight into how children will be identified for the purpose of obtaining verifiable parental consent from their guardians.
“It appears that the approach may depend on self-declarations by users, where they indicate whether they are minors or adults. This could open the door for broader processing of parental or guardian data, raising interesting considerations regarding the extent of such data collection,” she explained.
While the Act refers to the processing of personal data of persons with disabilities, the rules focus predominantly on children and their parents, leaving it unclear how a self-declaration approach would work for individuals who cannot independently disclose their status.
Moreover, the classification of data fiduciaries in the draft rules, which is used to set data retention periods, currently appears limited to three categories of fiduciaries, according to Suri. “However, concerns remain among various stakeholders about the necessity for additional use cases that have yet to be addressed, leaving several critical questions surrounding data retention practices for specific types of data fiduciaries unanswered,” she highlighted.
In essence, data fiduciaries are entities that decide what personal data to collect and how it will be processed. (PTI)