Data Protection Bill allows for consent architecture to evolve: MoS IT Rajeev Chandrasekhar

The framework for the Digital Data Protection Bill gives the government flexibility to add elements and tweak the consent architecture based on the requirement, minister of state for information technology and electronics, Rajeev Chandrasekhar said on Friday.

The comments from the minister assume significance given the industry, especially the big tech companies expressing concerns over the definition of child under the draft bill and urging the government to reduce it to 13 years from 18 years at present.

According to the provisions of the bill, the companies will have to take verifiable parental consent before processing the data of children below 18 years of age.

Also Read: Digital Data Protection Bill 2022 and challenges of app-based Digital Lending in India

Further, these companies are barred from tracking or monitoring behaviours of children or targeting advertising at them.

“There is a lot of effort and time that has gone into the section on children. But the government is open to discuss, if you (industry) think you have a better way of formulating (this)to protect children’s data from being misused,” Chandrashekhar said at the stakeholders’ meeting on the Draft Data Protection Bill.

“We are all operating on certain assumptions and some of these assumptions will be proved wrong, six months down the road, one year down the road. There is no playbook today that anybody has anywhere in the world, that says, this is the Personal Data Protection Bill that will work perfectly,” he added.

In its submission on the Draft Data Protection Bill, Asia Internet Coalition, that represents big tech companies like Google, Meta, Apple, said that not only should the age cap be reduced but the government should also allow tracking and monitoring in the interest of children.

Also Read: Govt extends deadline for comments on data protection bill to January 2

“For children younger than this age group (13 years), the government could look at prescribing verifiable parental consent. This will allow the children in the age group of 13-17 years with sufficient autonomy as they look to define and shape their digital experiences,” Asia Internet Coalition said.

During the stakeholders’ meeting, the participants also sought clarity on the cross border data flows, framework for consent managers, data protection board, and penalty regime for data fiduciaries.

On cross border data flows, Chandrasekhar said the additional geographies will be defined based on a reciprocal data sharing agreement with them, and free flow trust. The list of countries will be notified by the ministry of home affairs, he said, adding that there will be enough transition time that will be given to companies to comply with the new legislation.

Besides, the government will also come up with a separate framework for consent managers that will be an intermediary between a data fiduciary and data participant. According to the bill, the data principal may give, manage, review or withdraw her consent to the data fiduciary through a consent manager.

On penalties, the minister said that the data protection board will decide the penalty amount based on the extent of breach. Currently, the government has prescribed a maximum penalty of `500 crore on data fiduciaries for data breaches under the bill.

“Post the bill, the intermediaries will have to go for deep behavioural changes — it will no longer be business as usual for them,” Chandrasekhar said.

The government aims to table the bill in the Budget session.