The government released the long-awaited draft digital personal data protection rules on Friday, which states that verifiable consent from parents must be obtained by social media or online platforms before children create any account. In addition, under the draft rules, it is necessary to verify and verify the identity and age of parents by voluntarily providing identity evidence “issued by law or government-mandated entities.”
Under the rules, the entity can use and process personal data only if the individual agrees to the administrator’s consent – this will be the entity that the administrator consents to record.
If child data processing is required, the digital platform will need to conduct due diligence to check whether an individual identifies himself as a child’s parent being an adult and can be identified in any case related to legal compliance.
The draft rules state: “The data trustees should take appropriate technical and organizational measures to ensure that verifiable consent from parents is obtained before processing any personal data of their children.”
E-commerce, social media and gaming platforms will fall under the data trust category.
Under the draft rules, the data trust must retain the data only for the time of providing consent and delete thereafter.
The draft rules have been released after parliament approved the Digital Data Protection Act of 2023.
“In terms of the exercise of the powers under Articles 40, (1) and (2) of the Digital Personal Data Protection Act, draft rules proposed by the Central Government, 2023 (2023). 22 volumes), after or after the bill is intended to issue the date of entry into force of the bill to obtain information about all those who may be affected.
The draft rules mentions the process of suspending or canceling the consent to manager registration, but does not mention a data trust with a fine of Rs 250 crore approved under the DPDP Act 2023.
Induslaw partner Shreya Suri said there are thresholds for expected data breach reporting, in which case there may be fewer compliance obligations for small violations.
“However, the current draft will uniformly violate all violations, requiring the same reporting and notification to the Data Protection Commission and the affected data supervisors without any discretion to the Data Trust. In addition, the rules outline reasonableness is outlined in the meantime. Some considerations in security practices, the lack of detailed guidance leaves room for various explanations,” Suri said.
A draft rules issued for public consultation will be finalized after February 18. The draft is available for public comment on the Mygov website.
Mayuran Palanisamy, partner at Deloitte India, said the draft rule is very detailed and urgently needed instructions for businesses to implement by clarifying compliance with regulations, such as obligation measures for important data trustees, obligation managers for registration and consent, establishment of data protection committees and The process of operating, including details of data breaches and board details to enable the principal to exercise his rights and schedules to respond to complaints.
“We foresee that businesses will face some complex challenges in managing consent as it forms the core of the law. Maintaining consent artifacts and providing the option to withdraw consent for a specific purpose requires at the design and architectural level of the application and platform Make changes,” Palanisamy said.
In addition, organizations will need to invest in their technology infrastructure and processes to effectively meet the requirements. This includes regaining data collection practices, implementing consent management systems, establishing clear data lifecycle protocols, and effectively removing those practices at the implementation level, Palanisamy added.
(This story has not been edited by Tech Word News’s staff and is automatically generated from the joint feed.)
