Consent Management, Localisation, Parental Nod for Kids on Social Media in Focus: Experts on DPDP

Experts on DPDP: The draft DPDP rules which moot parents' verifiable consent to create a child's user account on social media platforms, and adds localisation requirement for certain types of personal data has significant ramifications for big tech firms, experts say noting that businesses may also face "complex challenges" in managing consent which is core to data protection norms.

According to Deloitte India, maintaining consent artefacts and offering the option to withdraw consent for specific purposes would necessitate changes at design and architecture level of applications and platforms.

The comment comes against the backdrop of government releasing the long-awaited draft of Digital Personal Data Protection Rules which proposes to make parent's verifiable consent and identification mandatory for creation of child's user account on online or social media platforms, and also moots possible data localisation requirements for specified personal data.

The provision related to localisation and additional oversight on cross-border data sharing in specified cases may see pushback from the industry, particularly big tech companies such as Meta, Amazon and Google, say industry watchers.

According to Probir Roy Chowdhury, Partner, JSA, Advocates & Solicitors, certain aspects of DPDP rules are concerning.

"For example, they enable the government to impose data localisation obligations on significant data fiduciaries/controllers - which may be challenging to implement," Chowdhury said adding that overall draft rules provide much needed clarity on a number of practical aspects relating to compliance with the DPDP Act.

Draft rules say: "A significant data fiduciary shall undertake measures to ensure that personal data specified by the central government on the basis of recommendations of a committee constituted by it is processed subject to the restriction that the personal data and the traffic data pertaining to its flow is not transferred outside the territory of India,"

Notably, the draft rules - which are key to enforcing and operationalising data protection Act - seek to make parental nod essential for processing of personal data of children.

Further, parents' identity and age will also have to be validated and verified through voluntarily-provided identity proof issued by an entity entrusted by law or the government.

"We foresee that businesses will face some complex challenges in managing consent as it forms the heart of the law. Maintaining consent artefacts and offering the option to withdraw consent for specific purposes could necessitate changes at the design and architecture level of applications and platforms," Mayuran Palanisamy, Partner, Deloitte India said.

Companies will need to invest in both technical infrastructure and processes to meet these requirements effectively, Palanisamy said adding this includes relooking into data collection practices, implementing consent management systems, establishing clear data lifecycle protocols and actually percolating down these practices at an implementation level.

"The DPDP rules are quite detailed and give much needed direction to the businesses in India by expounding upon compliance to be carried out by them, such as obligations measures for significant data fiduciaries, registration and obligations of consent managers, the establishment and functioning of the Data Protection Board," Deloitte India said.

Shreya Suri, Partner at IndusLaw said although draft rules provide some clarity on framing and displaying notices under the Digital Personal Data Protection Act, they fall short in offering guidance on the mode of delivery or issuance, something well-defined under GDPR.

In the absence of further clarity, much of this is likely to be left to market practice and stakeholder discretion, according to Suri.

Another anticipated aspect was the introduction of thresholds for data breach reporting, where minor breaches could have had fewer compliance obligations. The current draft treats all breaches uniformly, requiring the same level of reporting and notification to the Data Protection Board and affected data principals, without granting any discretion whatsoever to data fiduciaries.

"Additionally, while the rules outline certain considerations for reasonable security practices, the lack of detailed guidance leaves room for varied interpretations. It is likely that stakeholders will adopt practices aligned with the nature and scale of their data processing, but further guidance from the government would be crucial to ensure consistency and compliance across the industry, she said.

She said the draft rules offer limited guidance on how children will be identified for the purpose of seeking verifiable parental consent from their parents/ guardians.

"It seems the approach might rely on self-declaration by users, allowing them to indicate whether they are minors or adults. This could potentially lead to broader processing of parental or guardian data, which raises interesting considerations regarding the scale and scope of such data collection," she said.

While the Act references the processing of personal data for persons with disabilities, the rules primarily address children and their parents. There remains some ambiguity around how self-declaration would apply in cases where individuals may not be able to disclose their status independently, she added.

Additionally, the classification of data fiduciaries in the draft rules, which focuses on defining retention periods for data, seems to currently apply only to three categories of fiduciaries, Suri said.

"However, there are concerns among various stakeholders regarding the need for additional use cases, which have yet to be addressed. This leaves some important questions about data retention practices for certain types of data fiduciaries still unanswered," she said.

Put simply, data fiduciaries are entities that determine which personal data is to be collected and purposes for it to be processed.