Today I received a query on DPDPA 2023 on Linked In. Since this could be interesting for others as well, I thought of answering this here in detail.
The query was ..
“I want your insight on how relationship between data fiduciary, consent manager and data principal would prevail (how is consent manager approached and by whom) under DPDP Act, 2023?“
The short answer to the above is that the Consent Manager is also a data fiduciary and provides certain services related to “Giving”, “Managing”, “Reviewing” and “withdrawing” of consent on behalf of the data principal to the principal data fiduciary. We may consider him as a “Joint Data Fiduciary”. To the data principal he is an agent. Ideally he is approached by the data principal for the services. The data fiduciary is only the user of the services rendered by the consent manager in behalf of a data principal. Consent Manager is not an agent of the Principal Data Fiduciary nor an employee.
However, in view of the confusion that prevails in the community and my own disagreement with the interpretation of the MeitY itself on this aspect, I would like to expand my answer and invite a debate. I also invite the MeitY to consider these views and make necessary corrections in the rules to justify their current interpretation.
P.S: I think this is a moment similar to my Jurisprudential interpretation related to Section 65B of Indian Evidence Act when ITA 2000 was introduced where for 14 years I held and justified a contrarian opinion to the community until it was validated by the Supreme Court judgement in the case of P V Anvar Vs P K Basheer case. My views expressed here as well as earlier on the status of Consent Manager may be validated some time in the future or DPDPA 2023 may be amended to prove my interpretation wrong.
Roles of different entities
DPDPA 2023 has indicated the roles of Data Fiduciary (including Significant Data Fiduciary), Data Processor and Consent Manager for entities besides “Data Principal”.
Data Principal is always an individual whose personally identifiable digital data is the subject matter of collection, processing, transmission, disclosure and destruction in India or in connection with offer of services to individuals in India. Out of such data, data publicly made available by the Data Principal or caused to be made publicly available by authorities under law as well as data used by an individual for personal and domestic purposes are outside the scope of the other regulatory restrictions. In many other contexts, personal data is selectively exempted from some or all the provisions of the Act.
Data Fiduciary is the entity (includes an individual processing personal data for business purpose) who determines the purpose and means of processing of personal data. He may act individually or in conjunction with another (who we refer as Joint Data Fiduciary). Naavi also uses the term “Super Data Fiduciary” when a data fiduciary lends his name for collection and processing of personal data but permits an agent to determine the purpose and means of processing as in the case of “Brands”.
Data Processor is the entity who does not determine the purpose and means of processing but processes the DPDPA protected data (DPD) on behalf of another data fiduciary who undertakes the responsibility for compliance.
Processing may happen in India or outside India. When personal data belongs to non Indians and is processed in India under a contract with an entity outside India, DPDPA exempts such data from the operation of DPDPA to some extent.
Consent Manager is a special kind of data fiduciary who determines the purpose and means of processing of data as a representative of a data principal in transactions with the other data fiduciaries who use the personal data of the data principal.
The data principal needs to maintain an account with the consent Manager and provide him the authority to give, manage, review or withdraw consent.
A Consent Manager to be pre-registered with Data Protection Board and will be accredited based on certain eligibility criteria and accepted obligations duly audited and certified. This means that the Consent Manager is approached by the data principal for an account even before he approaches a data fiduciary for a service for which he may use the services of the Consent manager to “give” his personal information. It is possible that a data principal might have already opened a service account with a data fiduciary and later becomes a customer of a consent manager in which case prospective aspects of “Giving further consent”, “Managing, monitoring or reviewing or withdrawing” of further consent may be routed by the data principal through the consent manager.
The above is a jurisprudential interpretation of DPDPA 2023 as it exists today and may be interpreted (or should be interpreted) by Courts in future.
Under our interpretation of the law, Consent Manager is an entity which is empowered like a Power of Attorney holder by the Data Principal to not only “Give” consent for data requested by a data fiduciary but also “Review” and “Monitor” the data given. Review and Monitoring may include withdrawing consent if required. Whether the Consent Manager is expected to only observe and inform the Data Principal for seeking further instructions or can act on his own is a matter of conjecture.
Visibility of Data
Our interpretation is that he should be considered as a “Data Fiduciary” since he determines the purpose and means of use of personal data under his authority to give, monitor, review and withdraw consent. As a Data Fiduciary he is obliged to ensure compliance of DPDPA 2023 which includes section 4(1) and 8(1) under which he is obligated to ensure that personal data is processed only for lawful purposes and in accordance with the provisions of DPDPA 2023.
To fulfil this duty, Consent manager requires “Visibility” to the data that is processed by a data fiduciary to whom consent is passed on by the Consent Manager.
The Data Fiduciary requires to enable his “consent acceptance mechanism” to accept instructions from a Consent Manager on behalf of a data principal. This means that the consent form should have an option to select provision of the details through the consent manager (similar to but not equivalent to completing the form through Google or Facebook). When the data principal choses this option, the requested data elements would be populated by the query processed by the Consent Manager so that when the form is submitted, it carries the validation from the data principal.
Alternatively the data may be consumed without being displayed on the form in which case there will be no validation by the data principal to the data fiduciary and he needs to depend on the deemed validation from the consent manager who himself is blind to the data.
Currently Meity has implied in its draft rules that this obligation of a consent manager can be fulfilled without visibility of the data elements similar to the status of “Account Aggregators” under DEPA architecture. Many technology firms think that they have products to support this “Data Blind” consent provision.
In our considered view, this interpretation is incorrect since the responsibilities of a Consent Manager includes “Review”, “Monitoring” and “Withdrawal of consent”. These responsibilities require visibility of data by the Consent Manager.
It is agreed that in the “Data Blind” architecture, each decision is conveyed by the Consent Manager to the data principal and his concurrence obtained, this means that the data principal while seeking the service and sitting in front of the consent form presented by the data fiduciary has to provide consent on pop ups that may come concurrently from the cosnent Manager who will be scouting for authorised sources from which different data elements can be sourced.
If the Consent Manager does not have the reference data resources previously approved by the data principal or if the data principal has approved more than one data resources where the data do not synchronize or is incorrect, he will have to admit that some data elements are to be separately collected by the data fiduciary directly from the data principal.
The law envisaged the Consent Manager as an expert who can act as an advisor to the data principal to manage the processing of personal data by a data fiduciary and prevent misuse of data either by collecting/processing it with a misrepresentation. He could understand the privacy notice better and compare it with the needs of the processing and contest of the data fiduciary exceeds his authority.
In our view, MeitY has diluted this provision and rendered the Consent Manager to be a worthless burden on the system who only acts under the instructions of the data principal and every time acts as a post office sending and receiving instructions from him without the ability to assist him. Unless the MeitY changes its view while notifying the rules, there is no useful role for a “Consent Manager” in the system.
Consent Manager under this system will be giving a deemed confirmation of data elements about which he himself is blind. It is like a blind man directing a person with normal vision to cross the road.
Some Data Fiduciaries loosely use the word “Consent Manager” even to their own employees or data processors who handle the responsibility of issuing notice, collecting and preserving the consent”. This is not a “Consent Manager” under the Act. Even the Google verification etc is not a Consent Manager since they are not registered with the DPB for this purpose and have their own vested interest in the data.
There is however a caveat to the above.
The law was framed by MeitY which is also taking on the responsibility for publishing rules from time to time through gazette notifications. They need to be placed before the Parliament and are also subject to scrutiny of the Court. What MeitY or any of its authorized officers publish as a notification therefore acquires a quasi legal status though they may be held incorrect later when questioned in a Court of law.
At present, there is an indication that MeitY has a view of the role of a Consent Manager which is not correct and which may not be in tune with the legislative intent that can be inferred from the law. (It is open to a Court to read down the law and give an alternate view of the role of a consent manager as expressed here in).
The draft rules published for public comments prescribe stringent conditions for accreditation of a Consent Manager all of which is redundant if a Consent Manager is not having visibility of data and acts only as a post office. It would be relevant only if the Consent Manager had visibility to the data. Hence Meity is itself in- consistent in its approach and exhibit confusion.
If Meity believes that a Consent Manager can function in a “Data Blind” manner, then there is no need to impose conditions equivalent to “Fit and Proper” criteria adopted for Financial regulated entities. The personal data in the custody of the Consent Manager would be only the name, email address and perhaps the phone of the data principal. Whenever other details are to be transmitted, he is expected to instruct one or more other data suppliers authorized by the data principal. In fact those data fiduciaries will be having access to what data has been requested by the data principal for a new service he is likely to avail. These reference sources are designated by the data principal and the data with them itself may be unreliable.
When the data fiduciary receives the data through the consent Manager, if the form is populated in front of the eyes of the data principal, for validation, then the same data is visible to the consent manager also. The consent Manager may however avoid visibility if he triggers the transfer of data and immediately disconnects himself so that he does not “View” the completed form. The system can also have the API call for data elements of the data fiduciary executed below the visible internet environment like a transmission of a https message. This however leaves the data principal to the mercy of vagaries of technical errors or even man in the middle attacks since the consent manager does not validate the data.
Hence the “are not readable” clause in the DPDPA Rules is impractical. (Refer Annexure IB, para 2)
While we have advocated and continue to advocate the Meity to change this rule related to Consent Manager, we are not confident that it would be modified. On the other hand, it is likely that the rule related to consent Manager may be deferred indefinitely. In the case of Section 65B, it took 14 years for the community to accept my view, in this issue of the role of a consent manager, I anticipate that the law itself may be amended to justify the current stand of MeitY.
I invite detailed debate on this aspect from professionals.
Naavi
