When the rules under DPDPA are released, apart from the definition of Significant Data Fiduciary, industry will be looking keenly at the rules relating to the “Consent Manager”.
This is one area where Naavi may have views divergent from one section of professionals who think that the current Account Aggregator (AA) scheme under DEPA, as used by RBI, is good enough to be adopted under the DPDPA. Obviously the 14 licensed Account Aggregators would be happy to be presented with an additional opportunity to expand their current business.
The system of AAs is currently built as an “Intermediary” under ITA 2000, subject to the provisions of Section 79 of ITA 2000. These AAs hold the consent of individuals to “Fetch and Share” their personal information from a set of approved “Data Providing Agencies” or “Financial Information Providers (FIP)” to a set of “Data Requesting Agencies” or “Financial Information Users (FIU)” through a technical exchange process that can be triggered by the requester. The system operates through an AA platform. The platform is a data routing platform and must not give the AA any access to the data itself. Data should flow directly from the FIP to the FIU, and the role of the AA is only to open the gate when a request is made, after ensuring that it holds the permission of the individual who has subscribed to its service.
Under DPDPA, the Consent Manager is a Data Fiduciary licensed by DPDPA. Hence current AAs who want to act as Consent Managers need to obtain an additional license under DPDPA. The procedure for AA licensing … There are many agencies trying to assist organizations through this process of registration.
If any of the licensed AAs needs to register itself as a “Consent Manager - Data Fiduciary”, it would amount to a diversification of its current business and may therefore, in principle, violate the terms of its license. Whether this is permitted under the RBI’s current AA registration is not clear.
Since AAs will now also come under the DPDPA, unless they declare and obtain a “Conformity Assessment Certificate” that they have no access to identifiable personal information, they will be subject to all compliance requirements of a Significant Data Fiduciary.
They will therefore be subject to “Continuing Consent” for existing data principals as per DPDPA unless they are exempted.
If, however, the AAs have established their systems as envisaged under the AA scheme without any deviation, they may claim to be exempt from DPDPA provisions since they do not process identifiable personal data.
This could, however, become a point of contention at some point in the future if a data breach exposes the stream of data flowing through the system to a hacker attack. If the FIP and FIU use their own encrypted channel, as they are supposed to, using an approved digital signature system, then the responsibilities of the AA remain those of an intermediary and do not extend to those of a data fiduciary.
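The gate-keeping role described above (the AA holds the consent artefact and opens the gate, while the data passes from FIP to FIU in a form the AA cannot read) and the caveat about an encrypted, signed FIP-FIU channel, as an added toy model in Python. This is an illustration written for this page, not the actual AA/ReBIT specification or any AA's own code. It assumes the FIP and FIU hold a pairwise key established out of band, and uses HMAC-SHA256 both as the integrity tag standing in for the "approved digital signature system" and as a keystream generator standing in for real encryption. Names such as `bank-fip`, `lender-fiu`, `principal-1` and `c-001` are constructed sample data.

```python
"""Toy model of a consent-gated AA exchange.

Added illustration, not the real ReBIT/Sahamati AA specification. Assumptions:
FIP and FIU share a pairwise key out of band; HMAC-SHA256 stands in for the
approved digital signature; an HMAC counter-mode keystream stands in for real
encryption. The AA holds consent artefacts only and never holds these keys.
"""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Deterministic keystream from (key, nonce); toy stand-in for AES-GCM/ECIES.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(enc_key: bytes, sig_key: bytes, plaintext: bytes) -> dict:
    # Encrypt-then-MAC: the AA can forward this envelope but cannot read or alter it.
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(sig_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ct.hex(), "tag": tag.hex()}


def unseal(enc_key: bytes, sig_key: bytes, env: dict) -> bytes:
    nonce, ct, tag = (bytes.fromhex(env[k]) for k in ("nonce", "ciphertext", "tag"))
    expected = hmac.new(sig_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("envelope failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FIP:
    """Financial Information Provider: holds records and one key pair per FIU."""
    def __init__(self, records: dict, fiu_keys: dict):
        self.records, self.fiu_keys = records, fiu_keys

    def fetch(self, principal: str, fiu: str) -> dict:
        enc_key, sig_key = self.fiu_keys[fiu]
        return seal(enc_key, sig_key, json.dumps(self.records[principal]).encode())


class FIU:
    """Financial Information User: the only party able to open the envelope."""
    def __init__(self, name: str, fip_keys: dict):
        self.name, self.fip_keys = name, fip_keys

    def receive(self, fip: str, env: dict) -> dict:
        enc_key, sig_key = self.fip_keys[fip]
        return json.loads(unseal(enc_key, sig_key, env))


class AccountAggregator:
    """Routing platform: checks consent, opens the gate, forwards opaque envelopes."""
    def __init__(self):
        self.consents = {}
        self.forwarded = []  # everything the AA ever sees of the data stream

    def register_consent(self, consent_id, principal, fip, fiu, expires_at):
        self.consents[consent_id] = dict(principal=principal, fip=fip, fiu=fiu, expires_at=expires_at)

    def route(self, request: dict, fips: dict, now: int) -> dict:
        c = self.consents.get(request["consent_id"])
        if c is None or c["fiu"] != request["fiu"]:
            return {"status": "rejected", "reason": "no matching consent"}
        if now > c["expires_at"]:
            return {"status": "rejected", "reason": "consent expired"}
        env = fips[c["fip"]].fetch(c["principal"], c["fiu"])  # FIP -> FIU, via the gate
        self.forwarded.append(env)
        return {"status": "ok", "fip": c["fip"], "envelope": env}


def run_demo():
    # Constructed sample data; keys are pairwise FIP<->FIU and never given to the AA.
    enc_key, sig_key = os.urandom(32), os.urandom(32)
    fip = FIP({"principal-1": {"account": "XXXX1234", "balance": 52000}},
              {"lender-fiu": (enc_key, sig_key)})
    fiu = FIU("lender-fiu", {"bank-fip": (enc_key, sig_key)})
    aa = AccountAggregator()
    aa.register_consent("c-001", "principal-1", "bank-fip", "lender-fiu", expires_at=100)
    fips = {"bank-fip": fip}
    ok = aa.route({"consent_id": "c-001", "fiu": "lender-fiu"}, fips, now=50)
    data = fiu.receive(ok["fip"], ok["envelope"])
    expired = aa.route({"consent_id": "c-001", "fiu": "lender-fiu"}, fips, now=150)
    wrong_fiu = aa.route({"consent_id": "c-001", "fiu": "other-fiu"}, fips, now=50)
    # The AA's own log holds only ciphertext: the balance never appears in it.
    aa_saw_plaintext = any(b"52000" in bytes.fromhex(e["ciphertext"]) for e in aa.forwarded)
    # An envelope altered in transit (first byte flipped) fails the FIU's integrity check.
    bad = dict(ok["envelope"])
    bad["ciphertext"] = f"{int(bad['ciphertext'][:2], 16) ^ 1:02x}" + bad["ciphertext"][2:]
    try:
        fiu.receive("bank-fip", bad)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return data, expired["reason"], wrong_fiu["reason"], aa_saw_plaintext, tamper_rejected


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows the FIU recovering the record, an expired consent and a request from a non-matching FIU being refused before the FIP is contacted at all, the AA's forwarded log containing no plaintext, and an envelope altered in transit being rejected by the FIU. Whether a real AA's claim not to process identifiable personal data holds depends on exactly this property of the FIP-FIU channel, which is the point the question below asks about.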
I am not fully aware of how the different AAs have structured their IT architecture, and hence I request those of you having the information to share the data security features of the AA system. In particular, could any of you confirm whether there is a digital-signature-based data encryption system between FIP and FIU.
I look forward to clarification from any of you who are aware.
Naavi