The Union Ministry of Electronics and Information Technology (MeitY) unveiled the draft Digital Personal Data Protection Rules, 2025, on Friday. These proposed regulations aim to bolster the protection of children’s personal data and enhance data security practices across the board. The draft rules build on the Digital Personal Data Protection Act, 2023, passed by Parliament in August 2023.
Stakeholders are invited to submit objections and suggestions regarding the draft rules by February 18, 2025.
Child Protection Measures
The draft rules introduce stringent measures to safeguard children’s personal data:
Parental Consent Requirement: Social media platforms and online services must obtain verifiable parental consent before processing children’s personal data. Parents must explicitly agree to their child’s data being collected and processed.
Guardian Verification: Data fiduciaries (entities collecting and storing personal data) are required to verify the identity of individuals claiming to be a child’s guardian. Verification methods may include checking government-issued IDs or using digital tokens linked to identity services.
For example, if a child wants to create an online account, the data fiduciary must obtain proof of the parent’s identity through secure means before processing the child’s data.
Processing of Personal Data by the State
The draft rules permit State entities to process personal data for providing subsidies, benefits, or services. This is intended to ensure alignment with established safeguards, promoting accountability in public sector data handling.
Data fiduciaries must implement robust security measures to protect personal data from breaches, including:
Encryption: Securing personal data through encryption.
Access Control: Restricting access to computer resources used for data processing.
Monitoring and Logging: Maintaining logs and monitoring access to detect unauthorized use.
Breach Notification Requirements
In the event of a data breach, fiduciaries are obligated to notify affected individuals promptly, including details about the breach’s nature, extent, and potential consequences.
They should also report the breach to the regulatory board within a specified timeframe.
These measures aim to ensure transparency and accountability in data breach management.
Data Retention Policies
The draft rules mandate that personal data should be erased within a defined timeframe if it is no longer required for its intended purpose. This encourages regular reviews of data retention practices and prevents unnecessary data storage.