The draft Digital Personal Data Protection Rules, 2025, announced by the Indian government, aim to safeguard personal data, especially for children, by requiring parental consent for data collection and secure identity verification. The rules also mandate strict data security measures, timely breach notifications, and proper data retention and deletion policies. Additionally, government entities can process personal data to provide benefits or services, subject to safeguards that ensure accountability. Feedback from stakeholders is open until February 18, 2025, to finalize these measures under the broader framework of the Digital Personal Data Protection Act, 2023.
NEW DELHI: The Indian government released the draft Digital Personal Data Protection Rules, 2025, which were announced on January 3 by the Ministry of Electronics and Information Technology (MeitY).
These rules are designed to strengthen the protection of children’s personal data online. They are part of a larger framework established by the Digital Personal Data Protection Act, 2023, which was approved by Parliament in August 2023.
The government is inviting feedback, objections, and suggestions from the public and other stakeholders regarding these rules. The deadline to submit these is February 18, 2025.
The rules propose the following:
Parental Consent for Children’s Data
Social media platforms and online services will be required to obtain explicit consent from parents before collecting or using children’s personal data. This ensures that parents are aware and approve of how their child’s data is handled.
Organizations managing personal data, called data fiduciaries, must verify the identity of the individual claiming to be a parent or guardian. This verification could be done by checking government-issued identification documents or using digital identity systems.
For example, if a child wishes to create an account on a platform, the rules require the parent or guardian to verify their identity securely. The draft includes an example scenario for better understanding:
C is a child, P is her parent, and DF is a Data Fiduciary. A user account of C is sought to be created on the online platform of DF, by processing the personal data of C.
Case 1: C informs DF that she is a child. DF shall enable C’s parent to identify herself through its website, app or other appropriate means. P identifies herself as the parent and informs DF that she is a registered user on DF’s platform and has previously made available her identity and age details to DF. Before processing C’s personal data for the creation of her user account, DF shall check to confirm that it holds reliable identity and age details of P.
Case 2: If C notifies DF that she is a child, DF must provide an option for C’s parent (P) to verify their identity through the platform’s website, app, or other suitable means. If P confirms that they are C’s parent but are not registered on DF’s platform, DF must validate P’s identity and age through official identity and age details issued by a government-authorized entity or a virtual token linked to such information. P can also choose to share these details using a Digital Locker service.
Case 3: If P declares themselves as C’s parent and confirms that they are already a registered user on DF’s platform, DF must ensure that it has reliable identity and age details of P before processing C’s personal data to create C’s user account.
Case 4: If P identifies as C’s parent but states they are not registered on DF’s platform, DF must verify P’s identity and age through official records maintained by a government-authorized entity or using a virtual token linked to such information. P may optionally share these details via a Digital Locker service to facilitate the verification process.
The requirement for parental consent does not apply to data fiduciaries who are healthcare professionals, mental health practitioners, or those working on behalf of educational institutions.
Data Usage by the Government
The rules allow government bodies to use personal data when offering subsidies, benefits, or services.
However, they must comply with safeguards and standards to ensure accountability in how data is handled in the public sector.
Data Security Measures
To prevent personal data breaches, data fiduciaries must implement strict security measures such as:
- Encrypting and protecting personal data.
- Limiting access to resources used for data processing.
- Maintaining logs and monitoring systems to identify unauthorized access.
Notifications for Data Breaches
If a data breach occurs, the affected individuals must be informed promptly.
The notification should include:
- A detailed description of what happened.
- Possible risks for individuals affected.
- Actions taken to minimize any harm.
Data fiduciaries are also required to report breaches to the regulatory board within a specific timeframe, ensuring transparency and accountability.
Data Retention and Deletion Policies
The draft rules emphasize that personal data should not be stored indefinitely. Organizations must delete data when it is no longer needed for its original purpose.
This encourages regular reviews of data retention policies to prevent unnecessary storage.
By introducing these measures, the draft rules aim to establish robust protections for individuals’ personal data while ensuring transparency and accountability in how data is managed, especially for children.
Feedback from the public and stakeholders will shape the final version of these rules.