The Joint Parliamentary Committee submitted its report on the Digital Personal Data Protection Bill, recommending the inclusion of “consent managers” in the upcoming Data Protection Act. The bill defines consent managers as a “Data Fiduciary which enables a Data Principal to give, withdraw, review and manage his consent through an accessible, transparent and interoperable platform.” However, the bill does not provide details on the workings of this entity, leaving room for exploration of what consent managers would do and what individuals can expect. In this blog, we will understand the consent manager framework in the Digital Personal Data Protection Bill (DPDPB), India.
The adoption of a fiduciary approach to privacy protection in India was influenced by recommendations from the Justice Sri Krishna Committee in August 2018, evident in the objectives and provisions of the bill. To establish trust, the bill provides data principals with rights and imposes obligations on corporations to protect and uphold these rights. Consent is foundational to privacy protection and individual autonomy in the data privacy framework. The diverse nature of India necessitates an interoperable technology framework to enable effective consent management. Consent managers, as third-party entities, enable digital consent and uphold privacy protection, making India the only country to recognize and adopt a tripartite model for data sharing under the Digital Personal Data Protection Bill.
What is Consent?
According to the proposed Digital Personal Data Protection Bill, 20222 Section7(1) Consent of the Data Principal means any freely given, specific, informed, and unambiguous indication of the Data Principal’s wishes by which the Data Principal, by clear affirmative action, signifies agreement to the processing of her personal data for the specified purpose.
What are Consent Managers?
Consent managers are third-party entities that facilitate the management and administration of individuals’ consent for the sharing of their personal data. They operate as independent entities and are entrusted with the responsibility of managing and regulating the consent process for data subjects. These managers provide an accessible, transparent, and interoperable platform to enable individuals to give, withdraw, review, and manage their consent easily and efficiently.
The Personal Data Protection Bill, of 2019, recognizes the role of consent managers in protecting the privacy of individuals by providing an effective mechanism for obtaining and managing consent. These managers play a vital role in ensuring that data subjects’ rights are protected, and their personal data is processed in a manner that is consistent with the provisions of the data protection law.
The Bill envisages the establishment of a robust framework for consent management in India, which will be overseen by the data protection authority. The Ministry of Electronics and Information Technology (MeitY) has released a set of technology standards for electronic consent that will guide the development and implementation of consent management systems in the country.
The consent manager framework is an essential component of the data protection ecosystem in India. It is expected to facilitate the effective and efficient management of individuals’ consent, enabling data controllers to process personal data in a transparent and accountable manner. By ensuring that individuals have greater control over their personal data, the consent manager framework is expected to increase trust and confidence in the digital economy, foster innovation and promote the growth of the digital ecosystem in India.
How would they work?
Consent managers are entities licensed by the data protection authority to manage the consent of data subjects for sharing their personal information in a secure, transparent, and interoperable platform. This system is established under the Personal Data Protection Bill, 2022, which aims to protect the privacy and autonomy of individuals with respect to their personal data. Consent managers work as intermediaries between data subjects (individuals) and data fiduciaries (organizations or entities collecting, processing, and storing personal data). Their primary role is to ensure that data subjects are able to provide, withdraw, review, and manage their consent for the processing and sharing of their personal data in a seamless, secure, and transparent manner.
The consent manager framework involves three participating entities: information providers, information users, and consent managers. Information providers are the original custodians of data and collect and store individuals’ personal data. Information users are entities that require data from the data subject for providing certain services, such as banks, healthcare providers, and e-commerce websites. Consent managers facilitate the consent for sharing data between information providers and users.
To ensure compliance with required standards, the government will impanel independent certifying agencies to confirm that all participants comply with the standards set by the data protection authority and the Ministry of Electronics and Information Technology (MeitY). Application programming interfaces will be developed to connect all the entities to the common network.
Once the consent manager system is operational, data subjects need to register with a consent manager and select from a list of information providers linked to their account. They then select an information user and the services they wish to use. Once chosen, the information user sends an electronic data transfer request to the consent manager to fulfill the service request. The individual reviews and gives consent for the information to be shared with the information user. Once the request has been approved, the consent manager notifies the information provider of the transfer request. Finally, the information provider transfers the data to the information user in an encrypted form.
The data transferred through the consent manager is encrypted and flows from the data fiduciary (information provider) to the data user. Consent managers cannot view the data, and their role is limited to managing the consent of data subjects for sharing their data.
To achieve this, consent managers use an interoperable, technology-driven platform that allows data subjects to exercise their rights over their personal data. This platform may include features such as a user-friendly interface, multi-lingual support, consent templates, granular consent options, and privacy dashboards.
When a data fiduciary needs to collect or process personal data, they must first seek the data subject’s consent through the consent manager’s platform. The consent manager then verifies the identity of the data subject, ensures that they have provided informed consent, and records the details of the consent in a tamper-proof manner.
If the data subject wishes to withdraw or modify their consent, they can do so through the consent manager’s platform. The consent manager then communicates the withdrawal or modification to the data fiduciary and ensures that the data subject’s wishes are respected.
Why Consent Manager are important?
The consent manager framework is an important aspect of the Indian Personal Data Protection Bill as it standardizes consent, which is a key obligation for companies under the proposed legislation. The Bill outlines principles for data protection, but it does not provide specific guidelines for consent. As a result, the role of consent managers becomes critical in streamlining consent.
By leveraging the consent manager framework, companies can comply with the requirements of the data protection principles and increase consumer trust, giving them a competitive edge. The Bill mandates consent obligations, such as consent for sharing, informed and categorical consent, consent linked to a specific purpose, consent withdrawal, and consent for collection and repurposing of data. Data fiduciaries must demonstrate compliance with these requirements.
While companies may adopt their own frameworks and practices to comply with these requirements, codes of conduct developed by the Authority may not guarantee uniformity in consent management. A consent manager, on the other hand, offers a predictable and automated solution, with a standardized approach.
The consent manager framework is expected to offer several benefits. Firstly, it will lead to standardization since consent managers will incorporate technical and legal standards specified by the Authority. Secondly, personal information will flow directly from the information provider to the information user after the data subject consents to share. This will eliminate practices like data scrapping, unauthorized collection from public sources, aggregation websites, etc., and ensure accuracy and quality. Thirdly, user-centricity and customer trust will be prioritized, and transparency, trust, control, and data minimization will be the standard principles of consent managers approved by the Authority.
How can companies prepare themselves to participate with consent managers?
Additionally, the consent manager framework operates through a common network with information providers, information users, and consent managers as the participating entities. The data subject registers with a consent manager, selects information providers and users, and gives consent for sharing their data. The consent manager then facilitates the transfer of data between the information provider and user in an encrypted form, without accessing the data itself. This provides a secure and interoperable platform for managing the consent of data subjects for sharing their data.
To ensure compliance with the required standards, the government will impanel independent certifying agencies to confirm compliance for all the participants. Once the consent manager system is operational, the data transferred through it will be encrypted and flow from the data fiduciary to the data user, with consent managers not able to view the data.
About Concur – Harmonizing Data Complaince
Concur is a technology company that provides a suite of enterprise solutions to help organizations manage their data compliance and other business operations. Our solutions include consent management, digital policy management, legacy customer notice guidelines, data principal rights solutions, and more. With a focus on innovation and use of blockchain technology, Concur helps enterprises to stay compliant with various regulations such as DPDPB, while streamlining their operations and enhancing overall efficiency. Additionally, they offer dedicated support through their Support Center to ensure customers have the assistance they need to achieve their compliance goals.
Check out: Best Consent Management Platforms in India 2024