Monday, 06 January 2025

Draft DPDP rules moot parental consent for processing children's data

Parents' identity and age will also have to be validated and verified through voluntarily provided identity proof "issued by an entity entrusted by law or the government", say the draft rules

PTI Published 04.01.25, 04:32 AM

The government has released the long-awaited draft of the Digital Personal Data Protection Rules, which proposes to make a parent's verifiable consent and identification mandatory for the creation of a child's user account on online or social media platforms, and also moots possible data localisation requirements for specified personal data.

Notably, the draft rules - which are key to operationalisation of the data protection Act - seek to make parental nod essential for processing of personal data of children. Further, parents' identity and age will also have to be validated and verified through voluntarily provided identity proof "issued by an entity entrusted by law or the government", say the draft rules.

A major - and a surprise - takeaway from the draft rules, according to industry experts, is the aspect of localisation and additional oversight on cross-border data sharing in specified cases.

On processing of personal data of a child, the draft rules state: "A Data Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child and shall observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable if required in connection with compliance with any law for the time being in force in India..." This would have to be referenced to reliable details of identity and age available with the platform or entity itself, or through voluntarily provided details of identity and age or a virtual token mapped to the same, which is issued by an entity entrusted by law or the government.

Citing an example of how this would work, the rules said in case a child's account is sought to be created on an online platform, the said entity will by referencing identity and age details (issued by an entity entrusted by law or the Government) check that the parent is indeed an identifiable adult.

"The parent may voluntarily make such details available using the services of a Digital Locker service provider," it said.

As per the rules, entities will be able to use and process personal data only if individuals have given their consent to consent managers, which will be entities entrusted to manage records of consents of people.

Provision related to data localisation has also caught the industry's attention. Industry watchers pointed out that while DPDP Act largely permits cross-border data sharing, except to blacklisted jurisdictions, the draft rules hint at the possibility of additional oversight.

This is because the draft rules state: "A Significant Data Fiduciary shall undertake measures to ensure that personal data specified by the Central Government on the basis of the recommendations of a committee constituted by it is processed subject to the restriction that the personal data and the traffic data pertaining to its flow is not transferred outside the territory of India." Put simply, 'data fiduciaries' are entities that determine which personal data is to be collected and the purposes for which it is to be processed. Significant data fiduciaries, as per the DPDP Act, are to be determined on the basis of the volume and sensitivity of personal data processed, risks to the rights of individuals (data principals), and potential impact on sovereignty and integrity of India, security of the state and public order.

"A Significant Data Fiduciary shall, once in every period of twelve months from the date on which it is notified as such or is included in the class of Data Fiduciaries notified as such, undertake a Data Protection Impact Assessment and an audit to ensure effective observance of the provisions of this Act and the rules made thereunder," the draft rules have said.

A Significant Data Fiduciary would also have to observe due diligence to verify that algorithmic software deployed by it for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data processed by it is not likely to pose a risk to the rights of an individual.

On processing of personal data outside India, the rules propose that "transfer to any country or territory outside India of personal data processed by a Data Fiduciary... is subject to the restriction that the Data Fiduciary shall meet such requirements as the Central Government may, by general or special order, specify in respect of making such personal data available to any foreign State, or to any person or entity under the control of or any agency of such a State".

Shreya Suri, Partner at IndusLaw noted that "an interesting development" is the introduction of potential obligations for significant data fiduciaries regarding cross-border data sharing.

"While the Act largely permits such transfers, apart from blacklisted jurisdictions, the draft rules hint at the possibility of additional oversight. A proposed committee may recommend that certain personal data be restricted from being transferred outside India, which adds a new dimension to the regulatory landscape that will be important for stakeholders to consider," she said.

In case of a data breach, entities will have to intimate affected individuals immediately giving a description of the breach, including its nature, extent and the timing and location of its occurrence; the consequences likely to arise from the breach; and risk mitigation measures being implemented.

Except for the headline, this story has not been edited by The Telegraph Online staff and has been published from a syndicated feed.
