DPDP draft rules raise concerns on parental consent, national security checks

The rules have also proposed to give the Centre exceptional powers to seek personal data—or withhold it—of and from a citizen, citing national security.

Published3 Jan 2025, 10:02 PM IST

The rules mandated localization of all personal data within India apart from exceptional circumstances. **(HT_PRINT)**

New Delhi: A draft of rules for India’s data protection law has proposed that parents mandatorily identify themselves before their children can join certain online platforms. The draft also proposes giving exceptional powers to the Centre on matters said to be of national security.

These are part of the first draft of the rules that will enforce the Digital Personal Data Protection (DPDP) Act, 2023. The draft rules were published on the website of the ministry of electronics and information technology (Meity) on Friday for public consultation.

Among key points, personal data has been mandated to be localized in India, barring in cases and countries as exempted by the Centre. Then, parents and guardians will have to verify their identity before an individual under 18 years of age can sign up for a ‘significant’ online platform.

Companies operating online platforms will have to ensure that verifiable parental consent is obtained” before an individual below 18 years of age signs up for a platform. The draft rules also state that companies must observe “due diligence for checking that the individual identifying herself as the parent is an adult who is identifiable, if required”.

Also read | Meta works to comply with India’s data protection Act

Such a verifiable identity can be established through a “verified token”, or through DigiLocker—the Centre’s Aadhaar-linked digital identity storage and authentication platform—the rules state.

Security concerns

National security is another area of focus in the draft rules. For instance, it is proposed to give the Centre exceptional powers to seek personal data of—or withhold them from—a citizen, citing national security.

The Centre has retained powers to seek personal data without any specified checks in concerns involving national security. Such instances will require a company to divulge personal information of an individual without disclosing it to the individual himself, also citing national security and integrity.

“Further clarity will certainly be sought in the public consultation process that follows, including clarity on what happens to all the minors and their data that are already in public domain,” a senior consultant to the Centre said, requesting anonymity.

Also read | Mint Explainer: Concerns around Digital Personal Data Protection law

The rules, to be sure, are not immediately notified, but will now go through a consultation process, following which they would be notified with a time period afforded to companies to comply with them.

Industry views

Industry consultants raised several concerns over the draft rules, especially that the parental consent rules are likely to add a heavy compliance burden on all parties involved.

“The public consultation is expected to spark significant discussions on various aspects of the rules,” said Dhruv Garg, partner at think-tank Indian Governance and Policy Project, adding that a critical area of focus will be the potential for data localization, where specific categories of personal data may be required to remain within India.

“Equally important is the need for robust mechanisms to ensure verifiable parental consent, particularly requiring identification of parents and their adulthood before processing children’s personal data. Provisions allowing government access to personal data for national security reasons will likely draw close scrutiny, addressing questions about transparency and oversight,” Garg said.

Kazim Rizvi, founding director of think-tank The Dialogue, added that the parental consent mechanism is unclear about methods that would be used such as phone calls, video conferencing, signed forms, financial information, or other personal identification documents like a driver’s licence.

“Another potential issue could be that this rule presumes that the parent in question is digitally literate, at least to effectively navigate and assist in this process,” Rizvi said. “A more challenging aspect of the rules is the mandatory requirement for parental supervision for the majority processing of children’s data, defined as individuals below the age of 18 years.”

According to Rizvi, this provision could lead to substantial consent fatigue for parents or guardians, given the frequency with which children interact with digital platforms.

“The lack of a graded or nuanced approach to evaluating the capacity of minors to provide informed consent independently may render this requirement overly rigid and controversial, particularly for older adolescents who may possess the maturity to make decisions about their data,” Rizvi added.

And read | The new data protection bill: Five takeaways

For companies, too, Rizvi added that the rule, in its current form, “introduces risks of inconsistent implementation, especially in cases involving guardians”.

Catch all the Technology News and Updates on Live Mint. Download The Mint News App to get Daily Market Updates & Live Business News.

Business News TechnologyDPDP draft rules raise concerns on parental consent, national security checks

MoreLess

First Published:3 Jan 2025, 10:02 PM IST

Get Instant Loan up to ₹10 Lakh!

Most Active Stocks

Market Snapshot

Top Gainers
Top Losers
52 Week High

Trending In Market

Recommended For You

More Recommendations

Gold Prices

Fuel Price

Petrol
Diesel

Popular in Technology