The Ministry of Electronics and Technology (MeitY) on Friday released draft rules of Data Digital Personal Data Protection Act (DPDPA) for public consultation. The policy think tanks and civil society members are raising concerns over multiple aspects of the draft rules. The government will seek feedback from stakeholders till February 18.
In an overview of the draft rules of DPDPA, personal data has been mandated to be localized in India, barring in cases and countries as exempted by the Centre. Further, the rules state that the parents and guardians will have to verify their identity before an individual under 18 years of age can sign up for online platform or on social media.
Experts suggest that the parental consent rules are likely to add a heavy compliance burden on all parties involved. E-commerce, social media and gaming platforms will all come under the category of data fiduciaries.
The DPDP Act was passed by Parliament on August 9, 2023 — about six years after the Supreme Court upheld privacy as a fundamental right. Despite being announced last year, the Act has not yet taken effect since its rules and regulations are still have not been released or finalised.
Dhruv Garg, Partner – Indian Governance & Policy Project said, “The public consultation on draft DPDP rules is likely to see expansive and critical discussion on multiple aspects. Provisions relating to data localisation for certain specified personal data when being processed by significant data fiduciary will definitely take centre stage. Additionally, restrictions and requirements imposed on sharing of personal data with foreign state and their agencies will see concerns from data fiduciaries operating across jurisdictions.”
The draft rules of DPDPA states that, “A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child and shall observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable if required in connection with compliance with any law for the time being in force in India.”
This is in reference to reliable details of identity and age available with the Data Fiduciary. It further refers to the details voluntarily being provided identity and age or a virtual token mapped which is issued by an entity entrusted by law or the Central Government or a State Government.
Garg said, “The language and intent of provisions in relation to verifiable parental consent and proof of adulthood of parents will need greater clarity in due course. Civil society may stress on the need to create balance between privacy and power of government to access data on ground of national security/state function.”
Multiple think tank policy consultants have raised concerns over the challenges posed by emerging technologies like Artificial Intelligence. Civil Society members have raised severe concerns over government’s intent to demand and collect data of Indian citizens citing national security concerns.
Aparajita Bharti, Founding Partner, The Quantum Hub Consulting said, “DPDP Rules have been much awaited and a draft gives broad direction to the industry to start preparing for compliance. However, from the rules it is still not clear what the implementation timelines are likely to be.”
Bharti further said, “On Children’s data, while the government has left room for innovation on age estimation, there are more specific obligations for verifying parents identity. This may lead to a high compliance burden on platforms. There are also some positives around allowing tracking of children’s data and behavioural monitoring for their safety and ensuring that they do not encounter inappropriate content. One key concern in the rules is potential room for bringing data localisation requirements for significant data fiduciaries as they mention that a committee may do so in the future. The draft rules also do not explicitly address exemptions, processing grounds, or other frameworks specifically tailored for AI model training purposes.”
Experts argue that the central government retains the authority to restrict the cross-border transfer of specific personal data by significant data fiduciaries while Rule 15 does not explain the exemptions under Section 17(2)(B) related to research, archiving, or statistical purposes, leaving ambiguity around whether AI models trained on personal data for research are covered by these exemptions.
Kazim Rizvi, Founding Director, The Dialogue – a thinktank – said, “The DPDP Rules provide essential guidance for implementing the legislation. However, advancing the framework requires multi-stakeholder discussions to offer deeper insights into its application, fostering innovation while safeguarding the rights of data principals. Key areas that demand further attention include verifiable consent mechanisms, cross-border data transfers, and breach notification processes.”
DPDP Act: MeitY releases draft data protection rules for public consultation
The DPDP Act has a provision to impose a penalty of up to ₹250 crore on data fiduciaries which are bodies responsible for determining the purpose and means of processing of personal data.
The DPDPA rules, which have been delayed for several months, will reinforce the existing data privacy law, while amendment to the IT rules will address crucial issues like artificial intelligence-driven misinformation and deepfakes until a comprehensive Digital India Act is formulated.