Headlines
NCPCR Asks Social Media Platforms to Explore Ways to Protect Children's Data
The National Commission for Protection of Child Rights (NCPCR) met with major social media platforms to discuss child safety online. Key issues discussed included mechanisms for age verification, tools for identifying and blocking Child Sexual Abuse Material (CSAM), support for law enforcement agencies, and parameters for reporting cases to the National Center for Missing and Exploited Children (NCMEC). The Commission called for mandatory Know Your Customer (KYC) procedures to verify user identity on platforms and mandatory reporting of CSAM under the Protection of Children from Sexual Offences (POCSO) Act, 2012. The Commission also stressed the importance of parental consent for minors entering contracts on social media platforms and the need for clear disclaimers warning parents about adult content.
Source: Economic Times
DPDP to Offer Consent Framework instead of Rules
Rules under the Digital Personal Data Protection (DPDP) Act may prescribe an umbrella framework for companies on consent management instead of issuing exact rules. The rules are also likely to prescribe government-issued identity card-based verification for age and consent management for now, while leaving scope for companies to develop their own in-house age-verification systems, they said. The provisions of the DPDP Act, 2023 state that all users below the age of 18 will be considered children. Such users must obtain verifiable parental consent for using social media and a host of other services provided by internet intermediaries, as per the provisions. The rules may provide certain exemptions to schools, colleges and universities on processing and obtaining parental consent for children’s data; they are unlikely to extend the benefits of the provision to ed-tech companies.
Source: Economic Times
ITIC Urges Indian Government to Balance Privacy & AI Innovation
Global tech body Information Technology Industry Council (ITIC) has urged the Indian government to strike a balance between individual privacy and innovation in the country's yet-to-be-notified rules under the Digital Personal Data Protection (DPDP) Act. ITIC, which represents 80 technology firms including giants like Apple, Amazon, Google, Dell, and Microsoft, also recommends the use of aggregated sensitive personal data to foster artificial intelligence (AI) driven innovation in India. Members of the ITIC are also concerned about the timelines that would be prescribed for compliance with the Act once the rules are out. The tech body has asked the Ministry of Electronics and IT for an 18-24 month-long time period for complying with the legislation, citing global practices.
Source: Business Standard
Analysis
Study Reveals Over 60% India Follow Problematic Data Practices
In a recent survey conducted jointly by CII and Protiviti, 61 per cent of the respondents felt that companies in India were taking part in activities such as excessive data collection and secondary processing without consent, which are not in line with the DPDP Act. According to the report, around 82 per cent of the mid, senior, and entry-level employees who participated also said that they perceived companies in India to be less transparent or not transparent at all about the use, processing, and sharing of personal data. On data breaches, the study found that more than half of the organizations (52 per cent) were victims of a data breach in the last five years. Among key concerns, consent and data principal access request management, visibility of personal data, data retention and disposal, breach response, and cross-border transfer of data were some of the main issues that participants identified. The report also highlighted that large organisations (above Rs 1,000 crore in revenues) were investing more in privacy setups than smaller ones with below Rs 1,000 crore revenues. Indian businesses should invest in solutions like Leegality Consent Manager to effectively address DPDP compliance.
Source: Business Standard
Firms Across Sectors Seeking Legal Guidance Regarding Their Use of Generative AI
Firms across sectors including IT, banking, and cloud storage are seeking legal guidance due to concerns that their use of generative artificial intelligence (GenAI) may not comply with data protection laws. Many companies are building proprietary GenAI models without enough transparency about the use of personal data being processed for training purposes. This goes against the principles of lawful consent, fairness and transparency as prescribed in the Digital Personal Data Protection (DPDP) Act. Companies are consulting with lawyers on issues such as how to define the scope of their privacy policies to seek appropriate user consent, the kind of contractual obligations needed for data processors while offering AI-as-a-service and the global laws and regulations that apply to multinational data exchange. Experts believe that doors must not be shut on large language models (LLMs) for fear of future legal setbacks.
Source: Economic Times
Insight
Far and Wide: The Applicability of DPDP Act
Read our blog about the applicability of the DPDP Act. The DPDP Act applies to digital personal data, defining 'Data Principals' and 'Data Fiduciaries' with specific rights and obligations. It covers data processed within India and, in some cases, outside. Certain scenarios, such as employment processes and state functions, are exempt. Full enforcement awaits the release of DPDP Rules and the establishment of the Data Protection Board.
How will the DPDP Act Impact the Indian BFSI Sector?
Read our blog to understand the compliance obligations under the DPDP Act for the Indian BFSI Sector. India's new data protection law mandates explicit consent for personal data use. BFSIs must prepare to balance the obligations of multiple regulators, including RBI, SEBI, and IRDAI, alongside the new data protection requirements. Failure to comply can bring heavy fines of up to 250 Crore Rupees. Integrating Consent Managers, overhauling data practices, and staying agile in the face of evolving data governance laws are now critical moves for every BFSI player.
Compliance Tip
Define Data Collection and Retention Policies
Indian businesses are advised to craft policies that go beyond compliance. These policies should enhance data governance, fostering trust and transparency. They should clearly lay down the details on data collection, PI retention and data modification requests.
Provide for End-User Rights
Indian businesses should put in place robust mechanisms to honor user rights requests effortlessly. They should provide users the option to edit, modify and delete their personal data post retention periods.
Explore Leegality Consent Manager
Discover how our Leegality Consent Manager can streamline your data protection processes and ensure compliance with the DPDP Act. Our Consent Manager offers:
- Compliant consent notices across all customer touchpoints
- Storage of verifiable and auditable records of each consent
- Dashboard for customers to change consent preferences and exercise data rights
- Oversight over the data practices of your third parties