New Data Protection Rules: Focus on Children’s Privacy and Cross-Border Data Transfers

The Ministry of Electronics and Information Technology (MeitY) released the Draft Digital Personal Data Protection Rules, 2023, on January 3, 2025, for public consultation. These rules, issued under the Digital Personal Data Protection Act, 2023, propose significant measures to safeguard the personal data of children. Among other provisions, the rules mandate parental consent for data fiduciaries processing children’s personal data. The draft is open for objections and suggestions until February 18, 2025, on the MyGov website.

Key Provisions in the Draft Rules

Parental Consent for Children’s Data

• Data fiduciaries, including social media platforms, gaming sites, and e-commerce companies, must secure verifiable parental consent before processing a child’s data.
• Data fiduciaries are required to adopt technical and organizational measures to verify the identity and age of parents or guardians.

Illustrations Provided in the Rules

The draft rules offer practical scenarios to explain how data fiduciaries should ensure compliance:

1. Scenario 1:
   • The child informs the platform of their status as a minor.
   • The parent identifies themselves as a registered user of the platform.
   • The platform must verify the parent’s identity and age before creating the child’s account.
2. Scenario 2:
   • The parent is not a registered user.
   • The platform must verify the parent’s identity through Digital Locker services or details issued by an authorized entity.
3. Scenario 3:
   • The parent is a registered user and has already provided age and identity details.
   • The platform confirms these details before processing the child’s data.
4. Scenario 4:
   • The parent is not registered.
   • The platform uses authorized identity verification mechanisms to confirm the parent’s status.

Special Considerations for Guardians of Disabled Individuals

• Guardians must provide proof of legal appointment by a court, designated authority, or local-level committee to process the data of disabled individuals.

Exemptions

• Parental consent mandates do not apply to data fiduciaries who are:
  • Health professionals
  • Mental health professionals
  • Engaged by educational institutions.

Notice and Consent Requirements

Informed Consent

• Data fiduciaries must provide a clear and detailed notice to users, including:
  • An itemized description of the personal data being processed.
  • The purpose of processing.
  • A communication link to withdraw consent.

Transparency Obligations

• Data fiduciaries must prominently display contact details of their Data Protection Officer or other designated representatives for grievance redressal.
• Platforms must publish timelines for addressing user grievances on their website or app.

Cross-Border Data Transfer

Regulations on Processing Personal Data Outside India

• The transfer of personal data outside India is subject to restrictions imposed by the Central Government.
• Data fiduciaries must comply with additional requirements for providing personal data to any foreign state or agency.

Submission of Feedback

Public objections and suggestions to the draft rules can be submitted until February 18, 2025, on the MyGov website.