A closed-door consultation with industry stakeholders on proposed rules on the new Digital Personal Data Protection Act, 2023 (the “DPDP Act”)

Posted On - 30 December, 2023 • By - King Stubb & Kasiva

The Ministry of Electronics and IT (“MeitY”) had a closed-door consultation on December 19, 2023 with all the stakeholders of the industry for framing the rules for the new DPDP Act which was notified on August 11, 2023.

The DPDP rules will be tabled in parliament in the winter session of 2023 and will be implemented in a phased-wise manner. The aim is to formulate 25 (twenty-five) rules with the aim of operationalising the new DPDP Act. The key rules that were discussed are as follows:

  1. ‘Age verification’ of children through ‘verifiable parental consent’: The rules may recommend two methods for obtaining parental consent, for providing digital services by companies to children under the age of 18 (eighteen) years, (a) Use of parents DigiLocker app where kids Aadhar details are uploaded on their parents DigiLocker platform. Aadhar authentication will be done using the Aadhar database. No Aadhaar data will be disclosed to the companies, and (b) Use of ‘electronic token system’ approved by the government authorities, will be handled by the consent managers of the company who will be encrypting the government ID collected for verification. However, some entities like healthcare and educational institutions will be exempted from a few norms of age-gating system.
  • Notification of Data Breaches: The rules proposed a two-step notification process for data breaches as soon as the companies have knowledge of the breach. Initially, the companies may be required to alert the user about the nature and quantum of the breach and in the second stage they have to notify within 72 (seventy two) hours with regards to any additional details related to the breach.
  • Notice of the government institutions: The rules may propose that government institutions issue a notice to citizens that contains the details with respect to usage of personal data for offering welfare services and subsidies, or other similar activities.