The Indian government’s emphasis on a consent-based framework is evident, with “consent” being one of the most frequently mentioned terms in the draft rules. While this marks a significant step in protecting user data, industry stakeholders are navigating the nuances of compliance and implementation.
Aparajita Bharti, Founding Partner of The Quantum Hub Consulting, highlighted that the DPDP Act’s foundation rests firmly on consent. She noted that this framework requires all data fiduciaries—ranging from MSMEs to large corporations—to establish systems ensuring user consent for personal data processing.
“The implementation timeline of two years is crucial as this shift demands significant operational adjustments. The feedback window until February 18 allows stakeholders to provide input on challenges, costs, and compliance mechanisms,” Bharti stated.
One of the draft rules’ most significant provisions is the introduction of parental consent for minors. Mayuran Palanisamy, Partner at Deloitte India, underscored its importance, especially given the increasing digital footprint of children. However, he acknowledged the complexity of implementation stating, “Verifiable parental consent is critical for ensuring children’s safety online. Leveraging existing digital infrastructure could streamline this process, but organisations must develop practical mechanisms like tokenisation to make this work effectively.”
The industry’s challenge lies in creating systems that verify a child’s age and secure parental authorisation without overburdening users or compromising innovation.
Minister of Electronics and IT Ashwini Vaishnaw has expressed his intent to avoid overly complex regulations akin to Europe’s General Data Protection Regulation (GDPR). Instead, India seeks a simpler framework that encourages innovation while upholding user privacy.
Below are the excerpts of the discussion.
Q: The word that the government is clearly stressing is that we have a consent-based framework. There’s no denying that a consent-based mechanism has been introduced. What will it look like in the weeks and months to come? Are we expecting a number of notifications that will give me an ‘accept versus decline’ option on granting consent for personal use? How does this look in reality?
Bharti: Good start to the New Year for everyone who has been waiting for the DPDP rules for one and a half years. Our framework in the DPDP Act is a consent-based mechanism that is the only basis on which data can be processed for data principles.
However, the minister has also said there will be an implementation timeline of two years because this is a significant shift for the industry. Every MSME, big company, and company of every size now is a data fiduciary, and they need to have systems in place to implement these rules once they are notified. These rules are also under discussion, so we still have some time till we start seeing the effects of this in our daily lives as users.
But the industry has already started preparing for some simple things, like consent notices. However, how they will exactly do will be based on the rules that are finally notified, which are still under discussion, and we have time till 18th February to give feedback to the government.
Speaking of rules, I think it’s important that the industry gets an indication of how the government is thinking about implementing them. I think it’s a two-way process because some of the things that the government has proposed now will be discussed by product teams internally on how the data flows will be, what will be the cost of compliance, and where it will likely cause operational issues. On that basis, the government will receive feedback.
The government has been very open to listening to and engaging with the industry to understand operational challenges. In all the meetings, it has been very clear that innovation is paramount, and it has to be balanced with privacy concerns. And in that sense, we have a much more balanced approach.
Q: Parental consent is already an issue, and the industry is beginning to voice some concerns. Some obvious loopholes have been pointed out. For instance, there is no rule when it’s been codified, and the age that is being determined and given by a child will be verified. There is no mechanism for that. As far as these rules are concerned. Then, of course, is the bigger challenge of implementing this parental consent mechanism. What are the kind of conversations within the public policy rooms of companies as they look at parental consent and implementing that over the next two years.
Palanisamy: Parental consent is in a fairly early stage. This was a little bit of a surprise because we all knew that the government would propose some solution around it, but verifiable parental consent came as something reasonably new.
But this is a very, very critical one considering the safety of Children. We all know that children can access and share a fair amount of data online. So, we must have a mechanism put in place for that.
Coming to the side of the organisations, yes, we’ll have to think about how we make it practical. So, this is where the verifiable tokenisation, etc, all become critical. I believe that whatever the existing digital infrastructure the government has established, we would be leveraging on that largely, or the organisation may be leveraging on that to implement this.
Watch the accompanying video for the entire discussion.
