Comments on DPDPA Rules-4: Verifiable Guardian Consent

Among the most discussed provisions of the DPDPA Rules are Rules 10 and 11, which relate to the handling of the personal data of a minor.

As per the Act, a data fiduciary intending to process the personal data of a minor, or of a person with a disability who has a lawful guardian, needs to obtain consent from the parent or guardian. Additionally, the law requires that the processing shall not harm the child and that there shall be no behavioural monitoring of, or targeted advertising to, children.

The issues involved here are:

  1. How do we know whether a data principal is a minor or a disabled person?
  2. How do we know who is the guardian legally authorized to provide consent on behalf of the minor or the disabled person?
  3. How do we know at what future date the consent given by the guardian has expired?
  4. How do we know whether there are conflicts of guardianship involving the parent/guardian?
  5. Does a “Verifiable” consent include verification of disability, verification of guardianship and verification of age?

Under Rule 10 of the Rules, it is mandated that the Data Fiduciary shall observe “Due Diligence” and adopt “appropriate” technical and organizational measures to ensure

a) that the identity and age information available with the data fiduciary is reliable;

b) that the claimed guardian is an “adult” himself.

The words “Due Diligence” and “Appropriate”, read with “Fiduciary”, mean that it is the responsibility of the data fiduciary to find such technology and procedures as satisfy compliance.

Compliance with this section requires that every data principal be verified as not being a minor. If the person is a minor, the age should be collected and verified. The data fiduciary also needs to collect the identity of the guardian and check whether he is the authorized guardian.

There is at present no proper solution available to meet this requirement. There are some views that this section leads to denial of some internet services to persons with digitally illiterate parents. There is every possibility that “Andolan Jeevies” will latch onto such comments and try to stall the implementation of the rules.

It is our view that if, in an attempt to protect children from the adverse impact of the Internet and social media, some minors or disabled persons are unable to open Facebook or Instagram accounts, it would be a blessing in disguise.

In the era of Artificial Intelligence, I do not see how technology can accept defeat in not being able to protect the interests of children. We have already discussed some solutions in this direction in an earlier article titled “Is there no solution for Age-gating?”.

Now we can look forward to a workable technical solution that is “DGPSI Compliant”.

As we are aware, Australia has been the first country to ban access to social media for children below the age of 16. Tech companies will face a penalty of 49.5 million Australian dollars for violation. The Indian provision for “Parental Consent” is therefore not as stringent as the Australian provision. If the rule is challenged in a Court, it will be necessary to defend the rule citing the Australian approach.

Naavi


Comments on DPDPA Rules-3: The rules on Consent Manager are disappointing.

The DPDPA Rules on the Consent Manager (Rule 4 with Schedule 1) are disappointing, since they indicate that the ministry is stuck with its concept of the account aggregator and has failed to go beyond the myopic view that the consent manager should be an intermediary without any visibility of the data submitted by the data principal to the data fiduciary.

It is strange that the Consent Manager is expected to be a platform to “Provide”, “Manage”, “Review” and “Withdraw” consent, retain the consent information for 7 years and provide access to the consent, all without having any visibility of the data exchanged.

The Consent Manager is envisaged as a glorified log manager, and the only personal data maintained is about the log account of the data principal. The log itself will have the information on the notice issued, but not what the data principal has furnished.

For example, if the notice says “please give your name, address and e-mail”, the data principal may give some name, some address and some e-mail, and the consent manager will not know what information was given. He just keeps the log record that a notice was received and was responded to.

If the Consent Manager account is kept in the name of Vijayashankar Nagaraja Rao and I submit “Vijay” as a response to the notice, the consent manager has no way of knowing. If all the information to be submitted in response to a notice is to be validated by the consent manager, then he needs visibility of the data. If not, he cannot have any control.

Further, the consent manager may have only a few fields of data with him which can be automatically uploaded as a response to the notice; additional information may be provided either directly by the data principal on the data fiduciary’s website or through another data fiduciary (as indicated in the illustration). This means that the consent manager has to aggregate the data elements available with him and the data elements collected from the second data fiduciary, and populate the notice response, in a “Data Blind Environment”.

“Consent” in the DPDPA environment is not a consent given by a data principal X to a data fiduciary B. It is a consent for a specified purpose of processing by B. It is possible that today I give consent to B for Process 1 and next week I give consent for Process 2. Each notice is therefore distinct, and the consent manager will not have with him the information for all the purposes for which I may wish to provide consent at different points of time.

Hence his services are only useful for sharing information that he himself has, or that he can fetch, at the instance of the data principal, from another data fiduciary such as DigiLocker or another bank.

Hence the replication of the Account Aggregator model in this “Consent Manager” was a mistake.

Having prescribed that the consent manager shall not have any visibility of the data exchanged between the data principal and the data fiduciary, or between one data fiduciary and another at the instance of the data principal, there is no need for stringent credentials for the consent manager, the capital criteria, etc.

The rule as proposed has killed the potential of the Consent Manager, who could have been used to assist in overcoming the language barrier and the tendency of data fiduciaries to ask for and obtain permissions which are not required.

Instead, the system envisaged duplicates the flow of data in a loop (data principal to data fiduciary, to consent manager, to data principal, back to consent manager, to data fiduciary), whereas presently the data principal, while on the data fiduciary’s website, provides all the information himself.

Maybe a “Form completion assistant” with a cookie could be a better option for the data principal, to reduce his consent fatigue and fill up the forms faster than he does now, without reading and evaluating the permissions.

There is an urgent need to change the rule regarding the consent manager. …..

Naavi


Comments on DPDPA Rules-2: Do we require a notification for Section 44?

The DPDPA Rules contain two sets of rules: one set applicable immediately on publication, and another set for which separate dates will be notified.

The rules that will become immediately applicable, namely Rules 1, 2 and 16 to 20, relate to:

  1. Short title and commencement, and Definitions
  2. Establishment and functioning of the Data Protection Board

The other rules relate to the obligations.

There is, however, a lack of clarity on when Section 44 of DPDPA 2023 will be considered effective.

Section 44 is the section which addresses the amendments to ITA 2000 and the RTI Act. This determines when the obligations under Section 43A of ITA 2000 will be extinguished and the penalties under Section 33 of DPDPA 2023 will kick in.

Since there is no rule associated with either Section 33 or Section 44 of DPDPA 2023 in the present set of rules, we need to await the next notification for this purpose, probably within the 2 year limit which the Minister has indicated in his interview.

FDPPI had presented a set of comments on 5th August 2024, based on the first draft of the rules then available, in which we had made the comment that this should be made effective after one year.

It is considered necessary that a separate rule or a notification should specify when Section 44 of DPDPA 2023 becomes effective, and that it be synchronized with the notification of Section 33 of DPDPA 2023 on penalties.

For this purpose, either a separate Rule 23 could be added to the rules, or one more sub-clause could be added in Rule 1 stating:

4. The sections 33 and 44 of DPDPA 2023 shall come into force with effect from ………………..

If a separate Rule 23 is added, it can also define the current and future role of the Adjudicator of ITA 2000, including a mention that the Adjudicator of ITA 2000 shall continue to be the authority to which a data principal affected by a personal data breach can apply for compensation under Section 43 of ITA 2000.

Naavi


Data Localization is still under Consideration

The Honourable Minister of IT, Sri Ashwini Vaishnaw, has indicated that the Government may create a central body which works with other ministries and sectoral regulators to effectively implement local storage of data without causing any disruption to the industry. The committee will collate requests from other ministries and sectoral regulators and come up with its recommendations.

The committee is expected to indicate data export restrictions relating to sensitive data and/or to significant data fiduciaries, based on an assessment of the impact on the sovereignty and integrity of India, electoral democracy, security, and public order.

A report in the Indian Express suggests that the Government is looking at a two-year timeline for full implementation. This, however, may be restricted to some specific provisions of the Act, and many of the provisions may be implemented earlier.

Naavi


The DPDPA Draft Rules for Public Comments-1

The much-awaited draft rules on DPDPA for public comments were finally published on January 3, 2025 in the form of a Gazette Notification.

The set of rules follows the pattern that was discussed earlier at FDPPI as Version-1, with some important modifications such as the dropping of the model consent form and the dropping of the definitions.

The awareness level of DPDPA and the rules is so high at present in professional circles that a lot of discussion has already started on the rules in the discussion groups. Naavi.org will continue to provide its comments as we go along.

One of the noticeable rules is Rule 22, accompanied by Schedule 7.

This rule invokes the power under Section 36 of DPDPA 2023 and states:

22. Calling for information from Data Fiduciary or intermediary.—

(1) The Central Government may, for such purposes of the Act as are specified in Seventh Schedule, acting through the corresponding authorised person specified in the said Schedule, require any Data Fiduciary or intermediary to furnish such information as may be called for, specify the time period within which the same shall be furnished and, where disclosure in this regard is likely to prejudicially affect the sovereignty and integrity of India or security of the State, require the Data Fiduciary or intermediary to not disclose the same except with the previous permission in writing of the authorised person.

(2) Provision of information called for under this rule shall be by way of fulfilment of obligation under section 36 of the Act.

Under this rule, different officials are proposed to be designated to guide the industry in respect of “Exemptions” and the applicability of the Act.

Accordingly, an official will be notified to authorize the use of personal data by the State or any of its instrumentalities in the interest of the sovereignty and integrity of India or the security of the State.

Additionally, if any official has been authorized under any other applicable law (e.g. CERT-In) for the purpose of performance of any function under law or for disclosure of information, such official will also be the authorized person under this Act.

Another interesting observation is that the Government proposes to designate an officer from MeitY as the person to carry out the assessment for notifying any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary.

This will be a very important role, as it defines the applicability of the Act to a large section of the industry. It is possible that a notification may follow on any “Class” of data fiduciaries that may automatically be considered Significant Data Fiduciaries.

DGPSI has covered this requirement by requiring that a data fiduciary develop a self-status-determination document which will be assessed by the auditor. This requires the data classification to include a “Sensitivity Score” on which the auditor may provide his view.

While we may wait for further notifications from this officer, organizations need to make their own assessments of the sensitivity of the data processed by them and self-determine their status as a Significant Data Fiduciary, as proposed by the DGPSI framework.

Naavi

Comments to continue…


Draft Rules for DPDPA Released

The Government has released the draft DPDPA Rules for public consultation. The public can submit their feedback on the mygov.in website till 18th February 2025.

The notification is available at https://naavi.org/uploads_wp/2025/dpdpa_draft_rules_english_.pdf

Naavi
