DPDPA Rule on “Consent Manager” needs a re-look

One of the key provisions of DPDPA is the introduction of the concept of a “Consent Manager” who could represent the data principal for a better protection of his privacy.

According to Section 6 of DPDPA 2023,

The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager, shall be accountable to the Data Principal and shall act on her behalf in such manner and subject to such obligations as may be prescribed and every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed.

Accordingly, the DPDPA Rules address how a Consent Manager may be registered under DPDPA 2023 and what his functional requirements are. Since there is already a term “Consent Manager” under the DEPA architecture proposed by MeitY in another context and used in the Account Aggregator scheme of RBI, we need to distinguish that Consent Manager as “CM-DEPA” and refer to the Consent Manager under DPDPA 2023 as “CM-DPDPA” or simply the “CM”.

Naavi.org has, since the days when PDPB 2019 introduced the term “Consent Manager”, consistently projected it as a very innovative thought. The introduction of a specialist as a Consent Manager, who could act as an expert to decipher the request for permissions and assist the data principal, was a master stroke which could enable overcoming of multiple issues such as “Consent Fatigue”, “Lack of Privacy Appreciation in the society” and “Language barriers”, as well as the difficulty in deciphering the permissions to overcome dark patterns or misleading notices.

We do not know if this was just a follow up of the DEPA Framework or a deliberately introduced feature that could make the Indian law stand out in the world as an innovative legislation. It could have been an accident, but a beneficial accident, that the concept was introduced in Section 21 of PDPB 2019 stating

“The data principal, for exercising any right under this Chapter, except the right under section 20,(ed: Right to be forgotten) shall make a request in writing to the data fiduciary either directly or through a consent manager with the necessary information as regard to his identity, and the data fiduciary shall acknowledge the receipt of such request within such period as may be specified by regulations”.

“The data principal may give or withdraw his consent to the data fiduciary through a consent manager”, and a “consent manager” is a data fiduciary which enables a data principal to gain, withdraw, review and manage his consent through an accessible, transparent and interoperable platform (Section 23 of PDPB 2019).

The same provisions prevailed in the Data Protection Bill 2021 and are now reflected in DPDPA 2023.

The interpretation provided by Naavi.org that CM-DPDPA is different from CM-DEPA and has better utility than merely being a software platform was therefore a tribute to the innovative thought of somebody in MeitY who drafted the PDPB 2019, whether they had similar intentions or otherwise.

The Rules now under discussion seem, however, to have ignored the potential of the “Consent Manager” as a special kind of data fiduciary who could act as a “Power of Attorney Holder” of a Data Principal or a Trustee of his/her personal data. The rules have relegated the CM to the role of a “Software Platform”. This is a classic case of a diamond in the hand being thrown away as just another piece of black charcoal.

Rule 5 of the draft rules that we now have for discussion, which indicates the present thinking of MeitY (check https://www.dpdpa.in/dpdpa_rules/), suggests inter alia the following provisions, which we feel require a re-look:

1. Not specifying that the definition of a foreign company should go beyond mere “Constitution outside India”

2. Stating that every consent manager shall establish …a platform that enables a data principal to give, manage, review and withdraw her consent to herself obtain her personal data from a data fiduciary or to ensure that such personal details shared with another data fiduciary of her choice, without the consent manager being in a position to access that personal data

3. Specifying that the Consent Manager shall not sub-contract or assign the performance of any of its obligations as a consent manager

4. Specifying that the Board may suspend or cancel the registration without specifying how the interests of the data principals are protected.

5. Not specifying prohibition of data transfer outside India.

    For the reasons specified below we request the MeitY to reconsider these provisions.

    Consent Manager under DPDPA and DEPA

    It is recommended that the definition of Consent Manager under DPDPA 2023 should be distinguished from the definition of Consent Manager under the Account Aggregator scheme.

    At present MeitY seems to be constrained by its own DEPA architecture where Consent Manager (CM-DEPA) was a technology platform and meant for the limited purpose of data users like portfolio managers etc requesting for consent for financial management purpose and such requests were forwarded to data givers like Banks who could provide the information. This served the purpose of relieving the service user from filling up long forms including assets and liabilities, KYC information etc besides demographic information. RBI applied this system in the account aggregator scheme. These use cases are a single purpose usage and not meant for repeated use.

    The Consents under DPDPA 2023 are for multiple purposes, required repeatedly for different sets of data elements by different types of data fiduciaries. It includes the financial service providers such as account aggregators as well as Amazon or Zomato type of data fiduciaries who may require one set of data for clearance of payments and another limited set for logistics management etc.

    The CM-DEPA system envisages that every consent request sent by a data fiduciary to the data principal during the subscription of a service is referred to the consent manager, who again refers it to the data principal, receives the consent and then communicates the information to the data fiduciary. What data has to be shared remains the decision of the data principal and he is required to look through the permission request, understand the permission requirement and then approve. For every purchase from Amazon and for every order of food from Zomato, separate notice and consent is required and this process of referring to the CM-DEPA needs to be followed.

    In the ordinary course, a data principal goes to a data fiduciary service site and receives the notice which he may click for acceptance. The data goes directly from the data principal to data fiduciary as part of the order.

    In the CM-DEPA scheme, there is also a necessity for the CM-DEPA to check the identity of the Data Principal whose request is coming from a third party.

    In this process the CM-DEPA does not have any visibility of the data and as long as the platform is suitably configured, data flows in and out like an ISP. It is therefore an “Intermediary” under ITA 2000.

    The CM-DPDPA was not conceived to be the replica of this CM-DEPA since it was necessary to address problems such as the Consent Fatigue, the Language barrier and technology understanding barrier in providing consent.

    The CM-DPDPA was therefore considered as a person who can represent the data principal with the data fiduciary for not only providing the consent on demand but also for withdrawal of consent or raising any grievance. Hence CM-DPDPA was conceived as a “Trustee of the Data Principal” and not as a simple ISP type intermediary.

    CM-DPDPA could therefore have visibility to personal data; he could filter the data for delivery to a particular purpose and challenge the permissions with his superior technical and language capability to avoid dark patterns or misleading permission requests. He could use anonymization and pseudonymisation if required and deliver only such data as is required for a purpose.

    For example, the Amazon order placement team would get the financial information which is normally shared with the payment gateway but may not obtain the demographic or locational data (unless they justify the requirement for appropriate reasons). The Amazon or Zomato delivery team would only get the information about the delivery address and not the other details, and this they can share with any logistics company. This serves the purpose-wise data minimization requirement.

    In such a system, the data principal is relieved of the need to check the permissions and understand and be satisfied that a particular data element requested is reasonably required for the purpose or not.

    If the concept of CM-DPDPA is merged with CM-DEPA, this  advantage would be given up.

    The Consent Manager provision in DPDPA 2023 was innovative and like the “Copyright Society” in Copyright law could be considered as an instrument through which Privacy Culture can be built up in the Country and data principals could be helped in protecting their privacy against business which is driven by their profit motive.

    We feel that this great opportunity should not be missed. Hence a review of Section 5 as suggested.  

    Even this system requires the “Fit and Proper Criteria” and hence many of the current provisions are relevant.

    However Rule 3(a) needs to be modified to remove the words “Without the consent manager being in a position to access the personal data”

    Inasmuch as every “Significant Data Fiduciary” is allowed to sub-contract their work with responsibility, the need to prevent the “Consent Manager” from sub-contracting can be reviewed.

    On the other hand, it may be specified that every  Data Processor of a Consent Manager would be deemed to be a Significant Data Fiduciary himself.

    It shall be made mandatory that when a Consent Manager needs to exit or is suspended or its services are cancelled, the service shall be ported to another licensed Consent Manager so that the data principal is not inconvenienced. Alternatively, a time of up to 1 year should be provided for the data principals to switch over to another consent manager of their choice.

    The rules prescribe that CM-DPDPA shall be a company but not a “Foreign Company”.

    P.S: As per Companies Act

    (42) “foreign company” means any company or body corporate incorporated outside India which— (a) has a place of business in India whether by itself or through an agent, physically or through electronic mode; and (b) conducts any business activity in India in any other manner.

    This definition is restricted to “Incorporation outside India” and is not sufficient to prevent data laundering. “Data” is a sovereign asset and it has to be protected from being stolen or surreptitiously laundered. Hence the definition of “Foreign Company” should be expanded to include any foreign or non-resident shareholding that exceeds 10% or controlling interest that exceeds 33% of the members of the Board.

    If the Consent Manager is only a platform and every consent has to be approved by the Data Principal, the very purpose of the consent manager to relieve the consent fatigue and difficulty in understanding the permission requirements is defeated. The CM should therefore be more like a “Power of attorney holder” who can take some decisions on his own without disturbing the data principal.

    It is also suggested that the rules should prescribe that the Consent Manager shall not store personal data abroad.

    We request the MeitY to consider this suggestion before they release the final version of the draft.

    We also request professionals to comment on the above.

    Naavi

    Posted in Cyber Law | Leave a comment

    Who owns Meta Data?

    DPDPA 2023 has introduced a concept of “Nomination” of personal data. The Act defines “Nomination” as a right of a data principal and relates it to the “Personal Data”.

    Section 14 of the Act states:

     Right to nominate.

    (1) A Data Principal shall have the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of this Act and the rules made thereunder.

    (2) For the purposes of this section, the expression “incapacity” means inability to exercise the rights of the Data Principal under the provisions of this Act or the rules made thereunder due to unsoundness of mind or infirmity of body

    Though “Nomination” as a word has not been defined in the Act or in the draft rules published so far, it is clear that the section 14 of the Act considers “Nomination” as a right that transfers the control on other rights such as “Right to Access”, “Right to Correction and erasure”, and “Right to Grievance Redressal” to the nominee. Perhaps we should consider that the “Right to nomination” also gets transferred to the nominee.

    In this context we can debate what is the “Right to Nominate”, “How it can be executed in respect of personal data” and “What processes are to be introduced by the Data Fiduciary for registration of nomination and settlement of claim”. We have discussed some aspects of this earlier and now we shall discuss one offshoot of Nomination namely the property rights on Meta Data.

    It is interesting at this stage to recognize the difference between a “Nominee” and a “Power of Attorney Holder” or a “Personal Consent Manager”.

    Granting a power of attorney or appointing a consent manager is an act of “Contract” and operates during the lifetime of an individual. However, this should be considered as automatically revoked on the death of a person. On the other hand, the rights of a Nominee actually take birth on the death of the data principal.

    The introduction of the “Nomination” aspect in the Data Protection law has now introduced two specific Jurisprudential issues.

    Firstly if there are some rights that survive the death of a person on some aspect, then that aspect takes the nature of a “Property” on which the data principal had rights prior to his death.

    Thus, if DPDPA 2023 grants the four rights to a living individual about “Personal Data” meaning “Data about the individual who is identifiable by or in relation to such data”, all these rights are meant to be nominated to another individual in the contingent event of the death or incapacitation of the data principal. In other words the “Nominee” inherits all the four rights including the right to nominate the inherited personal data.

    This has unintentionally also provided a status of a “Property” for personal data. If “Personal Data” is a property for “Nomination”, it should be so for any other purpose such as “Sale” or “Transfer”.

    However, “Nomination” in tangible property scenario is normally considered as not a “Right” but an “Obligation” assigned to a person to receive the property on death and ensure its distribution to the legal heirs. The “Executor” of a “Will” is one such person nominated in the Will by the deceased person.

    The need for “Nomination” is brought in to make it convenient for the asset holder to get rid of the responsibility of the asset which he is holding during the lifetime of an individual to the nominee. We therefore consider that the “Asset holder” is discharged from his liabilities by transferring the property to the nominee.

    In the case of a physical property, the property transferred to the nominee ceases to be in the hands of the transferor. But the nature of data is such that even after transferring the property to the nominee, a copy will remain with the transferor. Hence “Transfer of Data to the Nominee” also involves “Deletion of Data by the Transferor”. In the DPDPA scenario, the rules should define whether the data transferred to the nominee should be immediately deleted by the data fiduciary or archived for a reasonable period.

    There is a second jurisprudential challenge on the nomination which is related to the “Instrument of Nomination”. ITA 2000 does not recognize an electronic document that acts like a Will, transferring the rights of a property on the death of a person. Hence the most natural way of executing the nomination which is adding it as a part of the “Consent” in electronic form appears to be not feasible.

    This means that we have to re-define the meaning of “Nomination” as restricted to “Transfer of the custody of the personal data from the Data Fiduciary who is permitted to make commercial use of the data to another Data Fiduciary who is permitted to use it only for distribution to the legal heirs and not for exploitation himself”.

    If, therefore, the First Data Fiduciary offers to the nominee that the benefits of the data principal (say an account) will be transferred to him if he allows the continued use of the personal data, it may not be legally proper for him to accept it and continue to be the manager of the personal data of the deceased. (This situation may arise if the personal data has value even after the death of a person.)

    If Personal Data can be considered as an “Asset” whether it is intangible or only a licensable right, that can be “nominated” on death through an instrument, then the question of “who can nominate” the property also has to be settled.

    If personal data is a property of the data principal, then obviously he is the person who has to nominate.

    However, there is one type of data that arises in the context of processing of personal data which relates to “Data about Data”, e.g. transaction data in an E-Commerce transaction or header information in a messaging service like WhatsApp or Gmail, which is generated by the Data Fiduciary.

    This meta data may also be identifiable with the individual but whether the ownership is to be assigned to the person or to the data fiduciary is a legal issue which needs to be settled.

    This meta data is a combination of two parts, namely information generated by the data fiduciary and information contributed by the data principal. Hence it cannot be treated entirely as the property of the data principal, eligible for nomination and absolute transfer of property. The part contributed by the data fiduciary is his property, and the mix with identifiable personal data of the individual should be considered as “Jointly owned”.

    The consequences of identifying “Meta Data” as joint property have other deeper implications of law that will be explored in future. For the time being let us leave it as a Privacy Jurisprudential thought.

    One such consequence arises when a disclosure of Meta Data is required: can the data fiduciary, who is also an “Intermediary” under ITA 2000, disclose without specific consent the whole of the Meta Data or only the part of the Meta Data that is created by him? Should the “Consent artifact” include a statement that the right on Meta Data is considered as jointly owned or singularly owned by the data fiduciary?

    All these issues need to be discussed and clarified in the rules to DPDPA 2023. But the draft of the rules so far made available does not have this explanation. Hope it would be added in the next version.

    Comments and Debate are welcome.

    Naavi


    DPDP Rules: The event and day after

    FDPPI and Naavi thank all the physical and virtual participants of the event held yesterday at Bangalore. Special thanks to the panellists for sharing their valuable views. It was a hybrid event with the physical event happening at Suchitra Auditorium, Bengaluru.

    Chief Additional Metropolitan Magistrate Sri C.K. Veeresh Kumar inaugurated the event and shared important suggestions for the effective functioning of the Dispute Resolution Mechanism under DPDPA/ITA 2000. Professor N K Goyal and Mr Rakesh Maheshwari (former Senior Director of MeitY) participated in the inaugural session (virtually).

    Sri Rakesh Maheshwari gave a brief overview of the DPDPA and the proposed rules.

    Naavi anchored the five panel discussions, posing nearly 100 different questions to highlight the concerns related to the implementation of the proposed rules, and the industry experts, a few of whom participated virtually, shared their views. In the process important insights have been gathered and are being collated.

    All the participants have also been requested to present their views on the presently available rules and the suggestions will be collated and submitted to the MeitY.

    Naavi


    Let Us Discuss DPDPA Rules on July 27th

    DPDPA will change the course of every company in India. The Rules are here for public debate. Use this opportunity to share your views. We would all be helping MeitY with our suggestions.

    Register today at : www.fdppi.in

    Naavi


    Telecommunications Act… Notification being rolled out

    The Telecommunications Act 2023 was passed by the Parliament in December 2023 and received presidential assent on December 24, 2023. Some sections of the Act were notified for effect on 26th June 2024 and more on July 5th 2024.

    One immediate observation is that instead of designating the TDSAT as the immediate appellate authority after Adjudication, there is another appeal committee in between. Both ITA 2000 and DPDPA 2023 make TDSAT the first appellate authority after adjudication or DPB inquiry. This has some merit, so that matters of a technical nature can be handled by the appeal committee and TDSAT will be left to deal only with the advanced legal matters.

    Another matter that has been discussed in the past and may surface again is whether the messaging services could come under the Telecommunications Act because the definition of “Telecommunication” is provided as

    “Telecommunication” means transmission, emission or reception of any messages, by wire, radio, optical or other electro-magnetic systems, whether or not such messages have been subjected to rearrangement, computation or other processes by any means in the course of their transmission, emission or reception.

    Chapter IX of this Act covers offences and could interfere with ITA 2000 offences. Appropriate explanations in the rules may help in resolving the differences between the two Acts.

    Naavi


    Editors Guild of India Representation on DPDPA

    Following are the objections raised by the Editors Guild of India on DPDPA which require some comments.

    Objections have also been raised on ITA 2000 as follows.

    Earlier on February 18, 2024 EGI had sent a more detailed note to MeitY a copy of which is available here

    The objections raised were to “Need for Prior Consent”, “Purpose declaration”, “Withdrawal of Consent” and “power to call for information”. To this, RTI, Surveillance and lack of exemption have been added in the recent representation sent to the leader of opposition.

    This could therefore be a point of debate during the Parliamentary session starting from tomorrow and even lead to disruption of this session and walk out by the opposition.

    Let us see whether these 7 demands of EGI are justified. Views may differ and EGI has every right to interpret the Act and the proposed rules in a manner that suits their narrative. Our discussion can be more neutral.

    Lack of Exemption:

    There are hundreds of professions and industries and granting exemption to one industry or class will certainly raise a claim of discrimination. Hence Exemptions have to be handled with circumspection.

    It should be noted that Journalists can work for an organization as employees or independently. If they work for another agency, the liability will be on the media. If they work independently they will be data fiduciaries by themselves. They will also be handling information which is sensitive to national security, electoral democracy etc. Hence they would be “Significant Data Fiduciaries”.

    There are similar issues with Medical Practitioners who work independently or as employees of a hospital, Lawyers who work for a firm or independently, and Chartered Accountants and Business Analysts who work for themselves or for other organizations. All these “Professionals” belong to a common category.

    As far as these professionals act for a “Business Purpose” they will not have exemptions.

    Currently exemptions are provided under Section 17(2) as follows

    (a) by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and

    (b) necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed.

    Apart from this, the Government may notify certain classes of data fiduciaries to exempt them from “Prior Notice”, “Right to Access”, “Significant Data Fiduciary requirements” and “Erasure of personal data on withdrawal of consent or expiry of purpose”. However, where the processing of data is likely to result in a decision that affects the Data Principal or is disclosed publicly, the Government may not like to provide the exemption.

    Investigative Journalism and Media Trials are always disputed and carry the risk of counter attack in the form of “Defamation”. In such cases, it is the responsibility of the Courts to come to the assistance of any unfair targeting of journalists and Indian Courts are more than obliging in this respect.

    If an exemption is provided, the definition of a “Journalist” comes into question, and whether every YouTuber or Blogger should be treated as a Journalist needs to be resolved. The exemption is likely to be misused by that class of Journalists who are today commercial scribes and not part of the respected “Fourth Pillar of Democracy”. The leading fake news creators in India are funded from abroad and all of them are even registered as Journalists.

    Hence providing “Exemption” does not seem to be a good idea. Government may still do it since it may not want to displease the Journalist community. This can be done easily through the rules where exemptions for “Research” may be defined as including “Journalistic Research”.

    When journalists interview the public and take their views, it can be considered as “Voluntary Provision of Data” and a “Legitimate use”. There are always situations where the source may request anonymity and it is the duty of the journalist to provide it. Similarly, when there is a “Withdrawal of Consent”, if the data has not yet been disclosed it can always be anonymised as the media do at present. If it has already been published, it has been my view that it becomes part of history and should not be tampered with. If there is wrong reporting, it can be corrected with a counter view rather than by tampering with published information.

    Other Objections

    The other objections on surveillance, Censorship, RTI etc are political comments and can be ignored.

    The objections on the “Fact Checking” are false and it was unfortunate that the Bombay High Court went with the claim that the notification was meant to exercise power to curb genuine news. The Fact Checking unit was only to flag the fake news so that a Court may consider a complaint without the protection under Section 79 ITA 2000. It did not by itself penalize any organization.

    Further the Government has given an option to Social media to create its own self regulatory mechanism to resolve complaints before it is escalated. Without using the provision, media is only complaining that their freedom has been affected.

    The Right to erasure is subject to other laws and a journalist can always exercise his right to retain the data until his legal interests are no longer threatened. If we consider that after the data is made public through any disclosure through a journalist it would amount to making data publicly available, there would be no reason to worry. Let us remember that a journalist can always withhold the personal data (anonymise or pseudonymise) and release a newsworthy story. If the information released is of a crime, it is for the law enforcement to take necessary action under due process of law.

    I suppose no journalist has a right to suppress criminal information under his journalistic privileges since his basic commitment is to public good and protecting the identity of criminals is certainly not for “Public Good”.

    I therefore feel that the EGI’s contentions are born out of misconceptions and distrust of the regulation and there are ways and means to handle the concerns. For this purpose, Journalists should move towards self regulation.

    Self Regulation

    When FDPPI offered to work with Bangalore journalists on creating a self regulatory body under the ITA 2000, there was no response and the Guild preferred to go to Court to get the notification itself scrapped. Even now FDPPI invites representatives of the Press to join hands with FDPPI in creating a Special Interest Group (SIG) to discuss the impact of the Act and the Rules on Journalists and be a part of the “DPDPA Advisory Group for the Media industry”.

    FDPPI is inviting a discussion on DPDPA Rules on July 27 to form such SIGs for multiple industry segments and an invitation has been sent to EGI also to participate. An attempt has been made to invite some media persons in Bangalore through the Press Club and let us see if they respond.

    Not doing anything when required and complaining later is the common problem with most of the professionals and I hope Journalists will be an exception.

    Naavi
