- Make consent managers significant data fiduciaries on registration with DPB
- Use mechanisms like zero-knowledge proof to prevent consent manager’s unnecessary access to data
- Even in case of deemed consent, there should be safeguards to protect privacy
“… so far as compliance of regulated entities goes this has become a bill which has considerably reduced the compliance burden and has allowed for many ways in which entities that are regulated can treat themselves to have done something legal when they are using personal data… there has been a massive dilution as I see it of some of the core principles of the right to privacy…” said Lalit Panda, Senior Resident Fellow at the Vidhi Centre for Policy, about the Digital Data Protection (DPDP) Bill, 2022 on December 8, 2022.
Speaking at MediaNama’s ‘Reworking the Data Protection Bill’ event, Panda and fellow discussant Sreenidhi Srinivasan, advocate at Ikigai Law, talked about the lack of purpose and collection limitation, storage limitation, transparency, and the possible consequences of the revised provisions on consent. Many stakeholders joined the open house discussion to talk about the intersections of obligations on companies in light of consent managers and implied consent.
The Ministry of Electronics and Information Technology (MeitY) is seeking chapter-wise public feedback on the draft law until December 17th, 2022. The submissions will be held in a “fiduciary capacity” and will not be publicly disclosed. Click here for more of MediaNama‘s journalism on the DPDP Bill and India’s data protection laws.
FREE READ of the day by MediaNama: Click here to sign-up for our free-read of the day newsletter delivered daily before 9 AM in your inbox.
Initial reactions to the data protection Bill, 2022
As may be prescribed may not be a bad thing: Addressing recent criticisms of the phrase “as may be prescribed” used often in the Bill, Panda pointed out that privacy is a contextual aspect and depends on sectors and particular situations. As such, he argued that there is going to be a lot that is left to delegated legislations in a data protection law.
Instead, the bigger problem was how the Bill hands out “blank cheques” to data fiduciaries to use publicly available information without safeguards, Panda argued. Previous versions of the Bill stated rules or regulations on using such data. Similarly, the older versions included details on the implementation of the right to erasure.
“That could have been left for prescription. Specifically, how it [right to erasure] is balanced with the right to free speech. Instead, it is left as it is,” said Panda.
For this reason, he called for more “as may be prescribed” suggestions in the Bill although he agreed the phrase was problematic when considering the independence of the Data Protection Board. Accordingly, referring to the GDPR, he dismissed suggestions that “fair and reasonable purpose should not be left to rules”. In the EU law, fair and reasonable purpose was the method by which legitimate interest was taken on as a state task, without leaving it to private bodies.
“It isn’t a question of excessive delegation so much as a question of the state choosing that it should be doing something that shouldn’t be left to private persons. Complete misdiagnosis there,” said Panda.
How does interplay of sectoral regulation pan out? Srinivasan approached the Bill from an operational perspective and called for more clarity in the law. She said that as opposed to the older versions that brought in other aspects like non-personal data and algorithmic accountability, the DPDP Bill is sharply focussed on personal data protection.
Yet there were some sections like Clause 29 of the Bill on interplay and consistency coordination with sectoral norms that required greater scrutiny. One part of the Bill says that this law is to be read in addition to any law that is already in force. The second part says that in case of a conflict, this Bill will prevail.
Srinivasan pointed out that sectoral regulators have made their own norms around several aspects of how their regulated entities collect and process data. For example, the RBI has asked payment businesses and payment system operators to store data on local servers. So if tomorrow India signs an FTA with the UK and agrees to free flow of data between India and the UK, Srinivasan asked, “Would we read this as in addition to or would we read this like a conflict. Would the RBI regulation prevail over this?”
“Would we read those appropriate technical and organisational measures to include some of these transparency principles and other requirements to be able to abide by the law?” she asked.
Stakeholders delve into the possibilities of a consent manager
Despite provisions in the consent manager framework about registration with the Data Protection Board and accountability to an individual, Srinivasan said this is “a fairly untested model.” Although similar concepts have been introduced in the form of account aggregator, she wondered how this would work at scale and recommended more clarity on a consent manager’s duties, and responsibilities, accountability and consequences when acting negligently.
Separation of consent manager from data fiduciaries: When discussing the need for a specific clause on consent managers, one participant suggested that all consent managers must be classified as significant data fiduciary by default the moment they get registered with Board. The speaker agreed that it is easier to deal with one consent manager instead of, say, four officials simply for having four bank accounts.
Consent managers require targeted regulation: Another stakeholder said that a consent manager will implement consent itself. As per the stakeholder, the consent manager is a peculiar data fiduciary acting as an intermediary and requires targeted regulation to ensure meaningful consent.
“If somebody is trying to give their consent or withdraw their consent not directly with the data fiduciary but through somebody else, that somebody else needs some dedicated regulation about it. What are the operational, security, and other substantive safeguards that need to be in place may have to be determined?” they said.
Consent managers – mediators or single points of failures? While some stakeholders argued that consent managers ease management and data collection, another person said they may act as single repositories which will then be accessible to the public.
Nikhil Pahwa, Founder of MediaNama said, “India is an under-credited, under-insured society. Insurance and credit agencies don’t have enough data and with the absence of the spread of credit cards you don’t have enough data to provide credit, insurance… All of this links back to empowering, profiling and credit scoring of the individuals at the backend.”
Essentially, this allows the consent manager to maintain a full profile of the Data Principal and share all sorts of information with, say, a credit information company that has never talked to the Data Principal.
Why should consent managers be allowed to profile? Reacting to this understanding, Srinivasan asked why should consent managers maintain people’s profile at all. She compared them to dumb pipes that transmit data from one end to the other. However, she also said that if there are enough safeguards, like in the account aggregator framework, consent managers may act as ‘consent artefact.’ This means they will only know about the type and nature of consent.
Three ways for consent managers to operate: To draw a conceptual distinction, Panda said consent managers could either function as consent artefact, an artefact and a ‘dumb pipeline, or data fiduciaries that will only manage consent but also funnel and use data for other purposes. While the former is what the Bill talks about, Panda pointed out that there is nothing in the draft to stop the other two models from becoming a reality.
Use zero-knowledge proofs to protect data: Another stakeholder, Partha from a product company, recommended that zero-knowledge proofs or similar mechanisms be used to keep consent managers from accessing data and meta-data.
“They can have my consent but they need not see what it is that I consented to and I think that’s where the interplay of technology to be able to solve this quagmire of being the section of the legal things versus how technology can benefit can come in,” he said.
Packaging implied/ non-consensual consent as ‘deemed consent’
Non-consensual consent revamped as deemed consent: Panda stated that only the first sub-clause within the ‘Deemed Consent’ section can be called “deemed consent” as per the Singapore Act. However, the Indian government also moved all non-consensual aspects under the ambit of deemed consent.
“This is an insult to personal autonomy. Do you realize that when you are literally not consenting to something the government is saying that you have deemed to have consented?” said Panda.
Provisions allowing processing under any law or medical emergency, fair and reasonable purpose were previously under provisions on “non-consensual processing.” It allowed for a conceptual distinction between when you use consent and/or non-consent as your ground. However, while laws like the GDPR disallow switching grounds, the DPDP Bill puts everything under implied consent.
Will consent managers be required for deemed consent? A simple reading of the Bill implies that consent manager and withdrawal of consent can also apply to deemed consent situation. However, non-consensual grounds, globally, are applied where consent isn’t necessary or isn’t appropriate.
As such, Panda estimated a conceptual distinction to exclude consent managers and withdrawal of consent from situations like deemed consent.
“Where it will fall apart is on deemed consent Clause 1. I think this particular clause is going to get a lot of focus especially when we are talking about private bodies trying to find out what is the ground under which they can comply with this law,” he said.
Purpose not mentioned in deemed consent: Although the GDPR does not recognise implied consent, many laws across the world still have this concept of implied consent. Such laws link the same to a specific purpose. However, there is no mention of the word purpose in Clause 8(1) of the DPDP Bill.
Panda claimed that the Indian government took this provision from the Singapore version of the law and “missed out on the word purpose” and other ‘reasonable provisions.’ Instead, the government has brought in ‘reasonable expectation of provision’ from a 1990 Candian law called PIPEDA. However, that law stated that one cannot use implied consent if sensitive data is involved or there is a likelihood of significant harm. This is not included in the Bill.
‘Legitimate interest’ picked from GDPR: In previous versions of the Bill, the provision on ‘legitimate interest’ was inspired from the legitimate interest ground in the GDPR. Since consent is so strict under the GDPR, many private bodies are forced to move into legitimate interest in the EU.
According to Panda, this is a little risky in the Indian situation because neither do we have great oversight nor great state capacity. The older versions asked the regulator to prescribe or specify these legitimate interests or reasonable interests. Moreover, the government would do the balancing and try to come up with safeguards. However, the DPDP Bill has made examples of what can be considered fair and reasonable purposes into grounds.
Does deemed consent pass the Puttaswamy test? Clause 2 under deemed consent also provides instrumentality of the state as opposed to all data fiduciaries “for the performance of any function under any law, or the provision of any service or benefit to the Data Principal, or the issuance of any certificate, license, or permit for any action or activity of the Data Principal.”
The phrasing in the Bill ring fences this provisions only for government entities. However, Panda pointed out that this provision may have failed the test of necessity. He argued that consent can be sought in the conditions mentioned in these provisions and that implied consent is not required here. Moreover, as per the phrasing of the provision only “performance of any function” is bounded by a requirement of law, which is one of the requirements under the Puttaswamy test.
Speakers also discussed the grounds mentioned under “public interest.” The definition of the phrase includes “sovereignty, integrity, prevention of crimes,” yet, the conditions mentioned in Clause 8(8) have nothing to do with public interest as defined.
Note: The headline was updated on December 15, 2022 at 2:02 PM for clarity
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
- DPDP Bill 2022: ‘Deemed’ Consent, To Users’ Detriment
- Data Protection Bill 2022 Focuses On Enabling Govt Access To Data And Surveillance, Not Citizens’ Privacy #NAMA
- What Are The Shortcomings In India’s Data Protection Board In The New Draft Bill? #NAMA
- How Will The Data Protection Bill Approach Personal Data Transfers Outside Of India? #NAMA