The Digital Personal Data Protection Act, 2023 (“DPDPA”) prescribes a comprehensive framework for the protection of the data of children and for the disabled, rightly so since they are in vulnerable position with regard to ‘consent’.The Draft Digital Personal Data Protection Rules, 2025 (“Draft Rules”) provide further clarity on the same under Rule 10 and Schedule IV, an analysis of which is provided as below:
Who Qualifies As A Child As Per The Act?
The DPDPA prescribes a child to be an individual who has not completed the age of 18 (eighteen) years. The same can be drawn to the Indian Contract Act, 1872 which provides for the same age for a person to be capable to contract. It is considered that a child is incapable of forming a rational judgment thus requiring their parent/ guardian to protect their interests.
Who Is A ‘Person With Disability’?
The DPDPA provides for the Data Principal for a person with disability (“PwD”) to be the lawful guardian of such person. However, a qualified definition has not been provided. The Draft Rules refer to the Rights of Persons with Disabilities Act, 2016, the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999, and state that the “law applicable to guardianship” applies to individuals, despite having adequate and appropriate support are unable to make “legally binding decisions” due to long term intellectual or sensory, or physical or mental impairments which hinders or barriers their “full and effective participation in society” equally. Thus, such guardians protect the interests of PwD.
Verifiable Consent
DPDPA, under Section 9, provides for ‘verifiable consent’ to be procured from a parent/guardian to process the personal data of children or PwDs. The Central Government exercising its powers under Section 40(i) has prescribed the procedure for obtaining such verifiable consent, under Rule 10 of the Draft Rules.
Child Oriented Rules
Rule 10(1) of the Draft Rules states that a Data Fiduciary shall assume organizational and technical measures to ensure that a parent’s verifiable consent is obtained prior to the processing of the personal data of a child. They are to additionally undertake, if required in compliance with any law, due diligence activities to ensure that the claimant matches the identity of the parent who is an adult of such child by referencing:
1. reliable details of the identity and age available with the Data Fiduciary. The term ‘reliable’ is vague but may be assumed to be the official documents issued by the government (“Mode A”); or
2. verified details of identity and age or a virtual token mapped to the same voluntarily provided and made available by a digital locker service provider, issued by an entity or person appointed by such entity, trusted by the Central Government, State Government, or law (“Mode B”).
The Draft Rules, via illustrations provide 4 (four) scenarios of implementation of the above:
1. Where the Data Fiduciary enables a parent registered on their platform to identify themselves. In such instance, Mode A is adopted.
2. Where the Data Fiduciary enables a parent not registered on their platform to identify themselves. In such instance, Mode B is adopted.
3. Where the parent registered on the platform of the Data Fiduciary identifies themselves. Mode A is adopted in this instance.
4. Where the parent not registered on the platform of the Data Fiduciary identifies themselves. Mode B is adopted in this instance.
However, it is unclear as to how the Data Fiduciary may enable, or the parent independently identify themselves.
However, implementation of the abovementioned points could potential violation of privacy, contrary to the intent, as the rubrics and access mechanisms are unclear. It is further noted that there is no provision for a guardian provided under the Draft Rules, in case the child does not have a parent of the age of majority, or no parent, thus leaving a gray area therein. These unaddressed issues create gaps in these rules, creating potential exclusions from obtaining the benefit of protection.
PwD Oriented Rules
Rule 10(2) of the Draft Rules states that a Data Fiduciary shall undertake due diligence while obtaining verifiable consent from the lawful guardian of a PwD, verifying under the law applicable to guardianship, that the person is thereby appointed by a local level committee constituted under the National Trust for the Welfare of Persons with Autism, Cerebral Palsy, Mental Retardation and Multiple Disabilities Act, 1999, a designated authority under the Rights of Persons with Disabilities Act, 2016, or a court of law. The same shall ensure empowerment of the PwD by ensuring that their welfare.
Exemptions
Rule 11 of the Draft Rules read with Section 9(4) of DPDPA, scribe exceptions of obligations for the processing of the personal data of a child for certain classes of Data Fiduciaries. Such Data Fiduciaries under Schedule IV shall not be subject the sub-sections 1 to 3 of Section 9 of the DPDPA which carve out the need for verifiable consent for children and PwD, the prohibition on the processing of such data which is ‘likely to cause’ detrimental effect of the well-being of the minor, and the bar on targeted advertising, tracking/behavioural monitoring of children. While the Rules specifically mention the exemptions are for a child, Section 9(1) particularly mentions the PwD, thus causing confusion to the scope of application.
Schedule IV of the Draft Rules prescribe the instances when the abovementioned exceptions are provided to certain Data Fiduciaries:
1. Clinical establishments, healthcare professionals, and mental health establishments. The processing is limited to the provision of such “health services” necessitated extent for the protection of the child’s health.
2. Allied healthcare professionals. The processing is limited to the supporting implementation of the referral plan and treatment necessitated extent for the protection of the child’s health.
3. Educational institutions. The processing is limited to tracking/behavioural monitoring for the safety of the child enrolled in, and the education activities of the said institution.
4. Individuals in a child day care centre or creche who are entrusted with the care of infants. The processing is limited to tracking/behavioural monitoring for the safety of the child in the care of such centre, institution or creche.
5. Person engaged for transportation of a child by a creche, educational institution or child care centre. The processing is limited to tracking location the child whilst travelling to or from such creche, educational institution or child care centre for the safety of the child.
A parallel can be drawn to the processing of personal data of Data Principals for ‘legitimate uses’ Sections 7(f), 7(g) and 7(h) the DPDPA.
In addition to the exemptions for Schedule IV Entities, the Draft Rules outline specific purpose-based exemptions for processing children’s personal data, as detailed below:
1. In the exercise of any power, performance, any function or fulfilment any duty for the interest of a child under the applicable law, the processing is restricted insofar as is necessary for the power, performance or discharge in question.
2. In the exercise of Section 7(b) of the DPDPA the processing is restricted insofar as is necessary for such acts.
3. Creation of, for communicating via email, a user account, the processing is restricted insofar as is necessary for such creation for the purpose provided.
4. To restrict access of the information that is likely to cause “detrimental effect” on the well-bring of such child, the processing is restricted to prohibit such access.
5. For the purpose of verifiable consent as provider above for a child under Rule 10, the processing is restricted to such verification.
On one hand, the Draft Rules depict how parents and/or guardians play a pivotal role in the protection of children and/or PwDs and their data, as the incapacitated can provide personal information to any person on the internet. However, post-implementation of the finalized rules, they may not do so without ensuring adequate protection of their interests. On the other hand, the Rules do have glaring exceptions and loopholes which may act against the very intent of the Rules in the first place, as an array of loopholes may allow misuse of the personal data of the incapacitated.
Authors: Malaika Karia & Dev Agarwal