A day after the Presidential assent to DPDPB 2023, Sansad Dhvani, an organization created by Mr Tejasvi Surya, the MP from South Bangalore organized a public awareness program on DPDPA.
It was great to see the MoS of IT, Sri Rajeev Chandrashekar and Sri Tejasvi Surya explain the salient features of the new law. Mr Sharat Sharma of ispirit was also present and explained certain technical aspects. The event was held in the auditorium of BMS Engineering College, Bengaluru.
After the initial presentations, the trio answered the questions of the audience and there was a healthy participation from the audience which consisted of many Privacy professionals as well as students.
During the discussions Mr Rajeev Chandrashekar also indicated that the work on Digital India Act is also progressing and a draft for public discussion should be available in the next two weeks.
One of the topics which came under repeated discussion during the talk was the role of “Consent Manager”. One could observe that there is still a confusion on the role of a “Consent Manager” under DPDPA 2023 vs “Consent Manager” in the NDHM and in the Account Aggregator project of RBI.
Under Section 2(g) of DPDPA, “Consent Manager” means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform;
Under Section 6(9), “Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed.”
We can therefore observe that the “Consent Manager” under DPDPA is a “Data Fiduciary” and not completely a “Technology Platform”. The Consent Manager under DPDPA can use a technology platform but is an entity with a visibility on the personal data where as Consent Manager in the Account Aggregator framework (AAF) is a pure technology platform like an ISP.
Legally the Consent Manager under Account aggregator account is an Intermediary under ITA 2000 where as the Consent Manager under DPDPA is a Data Fiduciary with obligations as set out in the DPDPA.
Considering that the Consent Manager platform under AAF can be technically configured in such a manner that the identity of the individuals is not accessible to any human being, it opens up the debate that there may be no apparent “Disclosure” from the data principal to the Consent Manager and hence the liabilities associated with DPDPA for a data fiduciary may not attach to the Consent manager platform. In a way it can be configured as an “Anonymised Transmission of identifiable data”.
Whether all Consent Managers under AAF have configured the system in this manner or not is a matter of audit. If they have not done so, they will also be Data Fiduciaries under DPDPA.
It is expected that when the requirements for accreditation of Consent Managers is released, there could be a criteria of minimum capital and net worth so that it may become a business of the large companies. It would however be necessary to have another layer of Consent Manager Registration Agencies who work as agents of Consent Managers. This could be similar to the Certifying Authority-Registration Authority set up in the ITA 2000 rules where the RA was not mentioned in the Act but brought in through practice.
The rules for Consent Managers need to be therefore drafted with the provision of individuals or entities who can be agents of Consent Managers who will be the real interface between the Data Principal and the Consent system.
Another area where there appeared to be some grey spots is about the “Data Minimization” .
The DPDPA does not specifically mention the Data Minimization though we expect this principles to appear in the subsequent notification of rules [under Section 8(4)]. Presently these have to be interpreted in the “Purpose Limitation” .
Probably we need to wait for the notifications to come up for further discussion on these subjects.
Naavi