Most assumed this meant managers who would map the consent provided by a data principal (the individual to whom the personal data relates) with the ways in which that data could be used.
With onerous laws like Europe’s General Data Protection Regulation in force, entities around the world have sprung up to help data fiduciaries (entities that determine the purpose and means of personal data processing) manage the consent they need to operate. Most international websites rely on these entities to not only record your agreement with the terms of their privacy policy, but also provide dashboards for you to manage cookies and enable notifications.
This January, India’s draft DPDP Rules were released for public consultation, finally clarifying what the government had in mind. It is now clear that consent managers under the DPDP Act have much more to do than just map consent to the ways in which personal data can be used.
They will also have to set up a digital architecture to facilitate data transfers between data fiduciaries, while ensuring that the privacy of the underlying information is preserved in a manner consistent with the design of India’s digital public infrastructure.
Under Rule 4 of the DPDP Rules, a consent manager must set up an interoperable platform on which data principals can give, manage, review and withdraw consent in a manner consistent with the data protection standards prescribed.
This platform will have to facilitate data portability, either directly from the data principal (you, the user) to the requesting entity, or from a data fiduciary that holds your personal data to that entity. To better explain how all this will work, the Rules provide a couple of illustrations.
The first refers to a situation where a given data fiduciary wants access to personal data that the data principal has stored in a digital locker system (such as, say, India’s DigiLocker wallet). In this case, the role of the consent manager would be to forward the data-access request to you, and, with your consent, enable the data fiduciary’s access to the personal data in your digital locker.
The second illustration refers to personal data that is currently under the control of one data fiduciary (a bank) that another data fiduciary (a new lender) wants to use. In this instance, the lender sends a request for that data to the consent manager, who then forwards it to you, the data principal. If the data principal agrees to let the new lender have access to her personal data, the consent manager conveys this consent to the data-holding bank, instructing it to give the new lender access to the personal data.
From these illustrations (and Rule 4), it is clear that consent managers must put in place digital data portability infrastructure that will unlock the sharing of personal data from one digital store to another, so that it can be used for a wide range of use cases. Described this way, consent managers under the DPDP Act are expected to perform data portability services no different from those offered by account aggregators in the financial sector.
To underscore this point, the Rules stipulate that all data sharing facilitated by a consent manager must take place in such a way that the contents of the data package being transferred are not visible to the manager.
This data-blind approach to data transfers is one of the primary features of the account aggregator system and has been introduced in direct reference to that architecture. All of which seems to suggest that the government will only allow entities like account aggregators to register as consent managers under the new privacy law being implemented.
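The two illustrations above describe a routing protocol with one hard property: the consent manager forwards the request, records the principal's decision and relays the package, but never sees the contents. The Python model below is an added example, not part of the column or of the DEPA or DigiLocker specifications. It assumes the bank and the lender share a session key agreed outside the consent manager, uses an HMAC-based keystream plus encrypt-then-MAC as a stand-in for a real AEAD cipher, and uses an HMAC in place of a real digital signature on the consent artefact; the account data is a constructed sample.

```python
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (assumption: stand-in for AES-GCM)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Only the data holder and the requester hold `key`."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Reject any package whose tag does not verify, then decrypt."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("package tampered with in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class ConsentManager:
    """Models the Rule 4 intermediary: routes the request to the principal, turns the
    principal's decision into a signed consent artefact, and relays the sealed package
    while logging metadata only."""

    def __init__(self) -> None:
        self._signing_key = secrets.token_bytes(32)  # assumption: HMAC instead of a signature
        self.pending: dict = {}
        self.audit: list = []  # request id, size and digest; never contents

    def forward_request(self, requester: str, holder: str, purpose: str, principal: str) -> str:
        request_id = secrets.token_hex(8)
        self.pending[request_id] = {"requester": requester, "holder": holder,
                                    "purpose": purpose, "principal": principal}
        return request_id  # the principal is notified out of band with this id

    def record_decision(self, request_id: str, approved: bool):
        """Returns a signed artefact on approval, None on refusal (nothing is released)."""
        req = self.pending.pop(request_id)
        if not approved:
            return None
        body = json.dumps(dict(req, request_id=request_id, status="approved"), sort_keys=True).encode()
        return body + b"." + hmac.new(self._signing_key, body, hashlib.sha256).hexdigest().encode()

    def verify_artefact(self, signed: bytes) -> dict:
        """The data holder checks the artefact before releasing anything."""
        body, _, sig = signed.rpartition(b".")
        expected = hmac.new(self._signing_key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(sig, expected):
            raise ValueError("invalid consent artefact")
        return json.loads(body)

    def relay(self, signed_artefact: bytes, blob: bytes) -> bytes:
        art = self.verify_artefact(signed_artefact)
        self.audit.append({"request_id": art["request_id"], "bytes": len(blob),
                           "digest": hashlib.sha256(blob).hexdigest()})
        return blob  # passed through untouched; the manager holds no key for it


def run_flow() -> dict:
    """Bank-to-lender illustration: lender asks, principal approves, bank releases."""
    statement = b'{"account":"XXXX1234","avg_balance":"52000"}'  # constructed sample
    session_key = secrets.token_bytes(32)  # assumption: agreed between bank and lender
    cm = ConsentManager()
    rid = cm.forward_request("new-lender", "bank", "loan underwriting", "data-principal")
    artefact = cm.record_decision(rid, approved=True)
    assert cm.verify_artefact(artefact)["holder"] == "bank"  # bank-side check
    blob = cm.relay(artefact, seal(session_key, statement))
    return {"delivered": unseal(session_key, blob),
            "manager_blind": statement not in blob,
            "audit": cm.audit}


def refusal_releases_nothing() -> bool:
    cm = ConsentManager()
    rid = cm.forward_request("new-lender", "bank", "loan underwriting", "data-principal")
    return cm.record_decision(rid, approved=False) is None


def tamper_is_detected() -> bool:
    key = secrets.token_bytes(32)
    blob = bytearray(seal(key, b"sample record"))
    blob[NONCE_LEN] ^= 0x01  # flip one ciphertext bit in transit
    try:
        unseal(key, bytes(blob))
    except ValueError:
        return True
    return False
```

The point the Rules make is visible in `relay`: the manager can verify consent and keep an audit trail of what moved, but its audit entry holds only a size and a digest, because the package is sealed under a key it was never given.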
India’s Data Empowerment and Protection Architecture (DEPA), on which the account aggregator system is based, has often been referred to as a digital consent management framework. I have long opposed this characterization on the grounds that DEPA does much more than manage consent. Even if it uses a digital consent artefact to obtain consent for data transfers, DEPA enables data portability. Calling it just a digital consent management framework minimizes all that it stands for.
It is this colloquial reference to DEPA that has somehow found its way into the DPDP Act.
In an effort to provide statutory legitimacy to the DEPA framework, the government inserted a reference to consent managers into the Act, not realizing that, in the world of data protection, this term has a very different connotation.
When data businesses saw the term in the DPDP Act, many of them came up with entirely new business offerings to qualify for registration under the Act. That confusion has now been laid to rest by the Rules that clarify what the term ‘consent manager’ refers to and how the government intends to regulate these managers.
I am glad that the DPDP Act legitimizes the techno-legal solutions that have been made possible by India’s digital public infrastructure. With the new law serving as the regulatory framework for our digital data portability architecture, data sharing can take place not just within the economy’s financial sector, but across all sectors that have implemented DEPA.
The author is a partner at Trilegal and the author of ‘The Third Way: India’s Revolutionary Approach to Data Governance’. His X handle is @matthan.