DataProtection – NHRC Flags Gaps in Child Data Safety Compliance
The National Human Rights Commission (NHRC) has raised concerns over possible shortcomings in the enforcement of the Digital Personal Data Protection (DPDP) Act, especially in relation to protecting children’s data on digital platforms.

NHRC Takes Action on Report-Based Complaint
Acting on a complaint supported by findings from policy research group ASIA, the Commission has initiated proceedings to examine whether key provisions of the DPDP Act are being properly implemented. A bench headed by NHRC member Priyank Kanoongo reviewed the matter and subsequently issued notices to several central government departments. These include the Ministry of Electronics and Information Technology, the Ministry of Education, and the Ministry of Communications. The Ministry of Home Affairs has also been informed of the developments.
Concerns Over Missing Data Tracking and Redress Systems
At the core of the issue is the reported absence of robust systems to monitor how children’s personal data is handled and transferred across digital platforms. Additionally, the Commission noted the lack of accessible grievance redressal mechanisms, which are crucial for addressing complaints related to data misuse. These gaps, according to the NHRC, could expose minors to significant online risks.
Questions Raised on SIM Card Access for Minors
The Commission has also sought detailed clarification from the Ministry of Communications regarding how SIM cards are issued to minors. Presently, there appears to be limited clarity or publicly available information about the procedures for registering SIM connections in the names of children. This lack of transparency has raised further concerns about unregulated digital access among younger users.
DPDP Act Framework and Implementation Timeline
The Digital Personal Data Protection Act, passed in 2023 and brought into force through rules notified in late 2025, is considered a comprehensive legal framework designed to strengthen data security in India. It places particular emphasis on safeguarding vulnerable groups such as children, women, and senior citizens from digital threats.
While some provisions, including the requirement for verifiable parental consent, have been given an 18-month transition period for compliance, other critical measures were expected to be implemented immediately. These include ensuring secure data storage, tracking data transfers, and establishing effective grievance handling systems.
Major Digital Platforms Under Scrutiny
The report referenced in the complaint indicates that several widely used platforms have yet to fully meet these mandatory requirements. Among those mentioned are Meta Platforms, Khan Academy, WhatsApp, Grok, Gemini, Perplexity AI, and Microsoft Math Solver. The Commission has expressed concern that non-compliance by such prominent services could have widespread implications for user safety, particularly for children.
Deadline Issued for Compliance Reports
In response to these findings, the NHRC has directed all concerned entities to submit detailed reports outlining their compliance status within 15 days. The Commission emphasized that failure to address these issues promptly could undermine the objectives of the DPDP Act and weaken protections for vulnerable users.
NHRC Signals Broader Oversight Ahead
The NHRC, an independent statutory body with powers similar to those of a civil court, plays a key role in upholding human rights standards in India. Its members hold authority equivalent to that of Supreme Court judges. In its latest observations, the Commission indicated that it may extend similar scrutiny to issues affecting other vulnerable populations, including senior citizens, in the near future.
The development highlights growing regulatory attention on digital platforms and their responsibility to ensure user safety in an increasingly connected environment.