The recently passed Digital Personal Data Protection (DPDP) Act, 2023, introduces the concept of Consent Managers, which are entities that users can use to give and manage their consent for processing personal data. Although very little is known about how these Consent Managers will work, we do know a bit about the workings of the Account Aggregators (AAs) framework—AAs are entities that act as Consent Managers for data sharing in the financial ecosystem and have been active since September 2021.
MediaNama last week held a briefing for members where we had Sahamati CEO BG Mahesh explain how data sharing works under the Account Aggregator (AA) framework and how might Consent Managers work under the DPDP Act.
You can watch a full recording of the briefing here, but here are selected excerpts from the Q&A with Mahesh:
The questions and responses from Mahesh have been paraphrased for clarity and brevity.
Is sharing data through Account Aggregators going to be voluntary but mandatory like Aadhaar? Will the financial institution say that if you don’t use an account aggregator, I will not give you insurance or I will not give you a loan? And what are the protections for consumers in that situation?
Firstly, this is a risk with the offline world as well, not just with AAs. Unless borrowers give their bank statements, nobody will give them a loan.
Right now, borrowers can still go and apply for the loan offline and give all documents offline. But as we go forward, financial institutions might require all the data through account aggregators. This will not happen immediately, but we will eventually get there.
Under the DPDP Act, will every data fiduciary in this country have to use a consent manager to manage user consent because this will then be a burden for all internet companies given the financial and other resources it demands?
We will have to wait for specifics of the DPDP Act to know this.
Article continues below ⬇, you might also want to read:
- Video: Briefing Call On Account Aggregators With Sahamati CEO BG Mahesh
- CRED Seeks To Become An Account Aggregator, Here’s Everything To Know About The AA Ecosystem
- Account Aggregator Ecosystem Goes Live With 8 Banks And Multiple Fin-Tech Firms
- Summary: India’s Digital Personal Data Protection (DPDP) Bill, 2023
One issue we have is consent creep. Do you think that institutions will ask for more data than they require because it is now easier to ask for data under the AA framework as compared to getting data in the physical world?
When entities ask for other data that is not required or is unrelated to the purpose they are serving, then it should be the role of the account aggregators to inform the user that this request is going outside the boundaries.
Also, Sahamati has formed a committee that is working on developing consent templates that outline what data and what quantum of data an entity should ask for.
In some cases, the additional data they ask for might help the user. For example, if the lenders have access to the investment information of a borrower, the way they look at the borrower changes.
Is there a regulatory mandate for all financial institutions to connect to the AA framework?
It’s like UPI where it’s not mandatory for banks to join UPI, but many end up participating because customers would want that. Similarly, in the AA framework, financial institutions can choose to join if they want to; it is not mandatory. But once an entity joins the AA ecosystem, it then has to work with all account aggregators and be ready to share data with all institutions in the ecosystem, obviously with the consent of the users.
What are the benefits of a consent manager outside of the financial space, which is what the DPDP Act requires? Because in the financial space, the FIUs and FIPs benefit from that data and they’re doing something with it. But when you take a social media platform, why should they implement a consent manager?
The DPDP Act is just one month old, we’ll have to wait for the Data Protection Board to be formed and other rules to be made to answer this better.
What control does a user have using an account aggregator over data deletion?
As of now through AA, users won’t be able to ask entities to delete their data.
What is the idea of recurring consent?
Sometimes banks need information about a borrower periodically. For example, when they give home loans, they like to see the borrower’s bank statements every few months. If the borrower gives recurring consent for the period of the loan term, then the bank will be able to access the statement every few months without requiring consent each time.
If norms and guidelines for AAs are formed by Sahamati, are these norms legally binding?
Sahamati has something called participation terms, which most entities have signed, but the organisation won’t be able to penalize anybody because it doesn’t have the powers.
Correction (18 Sept, 3:50 pm): Updated Mahesh’s response to the question on “What control does a user have using an account aggregator over data deletion?”
STAY ON TOP OF TECH NEWS: Our daily newsletter with the top story of the day from MediaNama, delivered to your inbox before 9 AM. Click here to sign up today!