According to the draft laws, corporations must obtain government authorisation before transferring personal data outside of India, and youngsters under the age of 18 must obtain parental consent before opening social media accounts.
Children under the age of 18 will now require parental authorisation to register social media accounts, according to the draft guidelines of the Digital Personal Data Protection Act, 2023, released by the Centre on Friday.
The Ministry of Electronics and Information Technology (MeitY) declared in a notification that the public is encouraged to submit complaints and comments to the draft guidelines via MyGov.in, the governmentโs citizen engagement website. Feedback will be accepted after February 18, 2025.
The new guidelines stress greater safeguards for the personal data of children and people with disabilities under authorised care. Data fiduciaries, or companies tasked with managing personal data, must get the approval of a parent or guardian before processing any personal data belonging to children.
To validate permission, fiduciaries must employ government-issued IDs or digital identity tokens, such as those associated with Digital Lockers. However, educational institutions and child welfare groups may be excused from certain of the regulations.
In addition to focussing on childrenโs data, the proposed guidelines suggest increased consumer rights, enabling users to request that their data be deleted and corporations provide clarity about why their data is acquired.
A penalty of up to Rs 250 crore has been recommended for breaches, creating more accountability for data fiduciaries. Consumers will also be able to question data gathering methods and request transparent explanations for data usage.
The regulations specify essential digital intermediaries, such as โe-commerce entitiesโ, โonline gaming intermediariesโ, and โsocial media intermediariesโ, and provide particular requirements for each.
The proposal defines social media platforms as intermediaries that primarily facilitate online interaction between users, such as information exchange, distribution, and modification.
To ensure compliance with these requirements, the government intends to establish a Data Protection Board, which will serve as a completely digital regulatory agency.
The Board will hold remote hearings, investigate violations, impose penalties, and register consent managers, which are responsible for monitoring data permissions. Consent managers would be needed to register with the Board and have a net worth of at least Rs 12 crore.
These extensive procedures are intended to guarantee that data fiduciaries implement strong technological and organisational protections, particularly for vulnerable populations like as minors.
The draft guidelines also include provisions for exclusions in particular instances, such as educational usage, to prevent unnecessary obligations on organisations that serve minors.
