NEW DELHI: The Centre on Friday night issued draft rules to enable the implementation of India’s Digital Personal Data Protection Act (2023) and said children would need parental or legal guardians’ consent to open social media accounts.
The Rules come long after the Act received presidential assent on August 11, 2023.
The Rules make it the responsibility of data fiduciaries (social media firms such as Facebook, Instagram, etc, that use and process personal data) to seek explicit consent of consumers to process their personal information.
It makes stringent rules for children to open social media accounts saying, “A Data Fiduciary (DF) shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child and shall observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable.”
As an illustration, the Rules cite a scenario, “A child informs a data fiduciary (FB or Instagram or X) that she is a child. The DF shall enable a child’s parent to identify herself through its website, app or other appropriate means. The parent identifies herself as the legal guardian and informs DF that she is a registered user on its platform and has previously made available her identity and age details to the fiduciary. Before processing a child’s personal data for the creation of her user account, the fiduciary shall check to confirm that it holds reliable identity and age details of the parent.”
The government has sought public feedback on the Rules by February 18 on MyGov website. The Rules add that the notice provided by the DF to the Data Principal (consumers) must be clear, standalone and understandable.
“It must use simple language to provide the Data Principal with a full and transparent account of the information necessary for giving informed consent for the processing of their personal data. Specifically, the notice should include, itemised list of the personal data being collected and a clear description of the purpose for processing, along with an itemised explanation of the goods, services, or uses enabled by such processing. The notice must provide a communication link of the DF’s website or app, and describe other methods,if applicable, for the Data Principal to withdraw consent easily as comparable to the process of giving consent, exercise their rights and make complaints with the Data Protection Board which the law provides for,” the Rules read.
The law defines DF as any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data. Social media firms such as Facebook, WhatsApp, X, Instagram qualify as DFs under the law.
The Rules also mandate data fiduciaries to appoint a Consent Manager which should be a company incorporated in India with a minimum net worth of two crore rupees.
Application to register the consent manager will have to be made to the Data Protection Board whose chief will be selected by a Search-cum-Selection Committee formed by the Centre.
The committee will be led by Cabinet Secretary, Secretary Ministry of IT and Electronics and Legal Affairs Secretary and two subject experts.
The Rules also specify conditions under which there will be an exemption from the verifiable consent rule, as in the case of data being used by healthcare professionals, educational institutions and childcare providers.
The State and its instrumentalities, the Rules say, may process the personal data of people to provide or issue subsidies, benefits, services, certificates, licences or permits, as defined under law or policy or using public funds. “Processing in these cases must adhere to the specific standards which ensures lawful, transparent and secure handling of personal data for such purposes,” the Rules add.