According to Rajeev Chandrasekhar, former State Minister, Ministry of Electronics and Information Technology (MeitY), there is no need to have a separate penalty regime for consent managers for violations under the Digital Personal Data Protection (DPDP) rules.
The Centre has released a draft DPDP framework, which suggests suspending consent managers’ registration in cases of repeated violations, but does not propose penalties under the DPDP Act, 2023. The former minister clarified that if a consent manager manages a consent with a data fiduciary platform, and breaches personal data, they will face the same penalties under the DPDP Act.
It advocates setting up of a robust Data Protection Board of India (DPBI) which may act as a cornerstone for the effective implementation of the new framework. The rules advocate graded financial penalties based on the severity of violations. Organisations may voluntarily submit undertakings to DPBI to avoid penalties during proceedings that could ensure fair enforcement under the law.
The draft personal data protection norms aim to establish a secure and accountable digital ecosystem in India. Final rules will be made after February 18, 2025, providing compliance direction to businesses and establishing healthy practices in handling personal data in a rapidly growing digital landscape.
The draft rules in India require “verifiable parental consent” for children under 18 years to access social media platforms, based on the basic personal data safety principle. The new regime also prohibits platforms from tracking or monitoring children’s behaviour. Platforms can face a fine of up to Rs 2 billion if they fail to obtain such consent, carry out targeted advertising or behavioural monitoring, or process data that negatively impacts a child’s well-being.
