One step closer to privacy: A dive into the Draft DPDP Rules - Part II

On January 3, 2025, the Ministry of Electronics and Information Technology (“MeitY”) released the much-anticipated Draft Digital Personal Data Protection Rules 2025 (“the Draft Rules”) for public consultation, resuscitating the Digital Personal Data Protection Act 2023 (“the Act”).

This article takes a close look at the introduction of stringent parental consent measures for minors introduced by the Draft Rules and how it brings about both benefits and concerns.

The Draft Rules provide for further clarifications regarding the Data Protection Board, the new adjudicating authority established under the Act to govern all matters pertaining to its operations. On top of its primary responsibility of receiving and deciding upon complaints related to data privacy, it is also entrusted with the task of registering and regulating Consent Managers, overseeing data breaches by Data Fiduciaries, and monitoring DPIAs and audits of Significant Data Fiduciaries.

The Draft Rules offer additional insight into the Board’s operation as a digital office with the authority to summon and enforce attendance remotely. This furthers the “digital by design” nature of the Act and positively promotes ease of access for Data Principals and business convenience for Data Fiduciaries. Any entity aggrieved by a decision of the Board can appeal against such order or direction to the Telecom Disputes Settlement and Appellate Tribunal. The Draft Rules also give the Board discretionary powers to demand any disclosure it deems necessary from Consent Managers in the interest of transparency.

One of the most significant introductions brought about by the Draft Rules is the expansion of the concept of Verifiable Parental Consent. While the Act had previously made mention of verifiable consent and prescribed for stringent treatment of personal data related to minors, the Draft Rules now takes it further in solidifying this by requiring digitally verifiable consent of a parent or a guardian where Data Fiduciaries collects data from minors and persons with disabilities. If implemented, this directly impacts the ability of minors to sign up with social media intermediaries such as Instagram or Snapchat through self-declarations. Such policy, though new to India, has already been introduced in other countries, although with limited success.

Most recently, on November 27, 2024, the Parliament of Australia had passed the Online Safety Amendment (Social Media Minimum Age) Bill setting minimum age of access to social media services at 16 and prohibiting access entirely for everyone below this threshold. The law requires intermediaries to implement some form of age assurance mechanism during registration to all social media services excluding messaging and online gaming services. The bill also excludes services run with the primary objective of fostering health and education and all services that do not require users to create an account such as YouTube. This move was met with polarized responses from stakeholders. While many viewed it to have positive implications on the mental development and social lives of children, much of the criticism comes from the perceived lack of effectiveness of such a measure without creating new privacy concerns.

While the Australian model is yet to be tested in practice and is more drastic than India’s proposed rule, Germany’s policy permits minors aged between 13 and 16 to use social media with parental consent. However, the lack of a verification measure has made the control highly ineffective, despite the country already having implemented such measures for preventing children from accessing age-sensitive media. Similar policies were also introduced in France and Norway. However, both countries have faced significant difficulties in enforcing it.

With the introduction of verifiable parental consent, the Draft Rules mandate Data Fiduciaries to individually confirm parental identity and age through the submission of identification documents or through a government-controlled digital locker and ensuring that an age-gating system is employed wherever personal data of children is collected. While this goes a long way in ensuring authenticity of the consent, it poses some concern on how such collection and processing shall be regulated. Furthermore, although the Data Fiduciary is required to obtain verifiable consent from a guardian, no specific measures or guidelines are provided to determine whether the person to whom the personal data pertains is a child or person with disability.

If measures are uniformly enforced to determine whether someone is above or below the age of 18, adults would also be forced to submit sensitive personal data to the Data Fiduciary which results in excessive data collection. If a less strict approach is adopted and adults are not required to produce such verification data, then the system could be undermined by underage users who can self-declare themselves as an adult. Therefore, the Draft Rules could certainly be a step forward in creating a safer digital environment for minors, although not without raising a few alarms.

The Draft Rules strengthens the privacy protection measures laid down by the Act for Data Principals, offering better control over the manner in which their personal data is processed and protected. It clarifies rights, tangible redressal mechanisms and timelines. However, it also brings along a few challenges for both Data Principals and Data Fiduciaries. While the concept of verifiable parental consent, introduced in the context of protecting children from the perils of the internet against their personal data, it also causes concerns and confusions regarding its implementation. Similarly, the cross-border transfer restrictions placed on Significant Data Fiduciaries promotes national security and privacy, it could become a double-edged sword especially in the age of artificial intelligence, the assistance of which is utilized by industries at large and might not be situated inside India or even clearly attributable. While the Draft Rules can certainly benefit from further clarifications and safeguards prior to its final notification, it nevertheless moves India’s first data privacy regime one step closer to existence.

About the authors: Antra Ahuja is a Principal Associate, Ayush Maheshwari is a Senior Associate and Sidharth S Kumar is an intern at Saga Legal.

You can submit your feedback on the Draft Rules through the MyGov portal until February 18, 2025.

If you would like your Deals, Columns, Press Releases to be published on Bar & Bench, please fill in the form available here.