February 18th, 2023
An op-ed by Soujanya Sridharan on the need for a more robust framework on consent managers in the draft Digital Personal Data Protection Bill, 2022. This article originally appeared on the Medianama website, and can be accessed here.
The release of the new Digital Personal Data Protection Bill, 2022 (DPDP Bill) for public consultation is a welcome announcement in a milieu that begs for greater regulatory clarity within India’s data governance landscape. One salient provision that has been a mainstay of the different instalments of the data protection legislation, whether the Personal Data Protection Bill, 2019 or the Report by the Joint Parliamentary Committee on Data Protection, 2021 and now, the DPDP Bill, 2022, is the clause on ‘Consent Managers’ (CMs). Section 7(6) of the DPDP Bill, 2022 defines a CM as a “data fiduciary which enables data principals (re: users) to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform”. CMs constitute an additional and optional mode for consent provisioning, in addition to other direct modes of consent that may be directly brokered between the data principal and the data processing entities.
Specifically, the DPDP Bill, 2022 mandates that CMs be accountable to data principals, that CMs would act on behalf of the principals and would have to be registered with the proposed Data Protection Board. However, the Bill remains vague on the terms of governance of CMs, merely suggesting that the technical, operational, financial, and other conditions may be prescribed later, presumably by the Central Government. The regulatory ambivalence around an instrument so essential to facilitate data exchange – the CM framework – is disconcerting for several reasons.
For one, the conceptual continuum between CMs as defined in Section 7(6) and the ‘data fiduciary’ as defined in Section 2(5) requires considerable inquiry to ensure that CMs can function as autonomous entities that are not overshadowed by the interests of data fiduciaries. This is because CMs are essentially data-blind entities that do not store a principal’s data nor determine the purpose for which it is shared, but merely facilitate exchange between various entities.
Further, data principals are expected to entrust CMs with the ability to transact consent decisions and direct personal data flows among different data fiduciaries, but principals have little understanding of how this framework would be governed currently. The absence of governance guidelines encoded in law produces much anxiety in a country troubled by poor standards of digital literacy – important determinants of a data principal’s ability to provide informed consent – which in turn requires an expansion in the functions of the CM framework.
Conceptual clarity on the definition and role of consent managers
The DPDP Bill, 2022 classified CMs as a class of data fiduciaries that help data principals manage, log and track their consent preferences. Separately, the DPDP Bill, 2022 defines a category of data fiduciaries in Section 2(5) as individuals or entities that “determine the purpose and the means of processing personal data”. Such an overlap in definition produces ambiguity around the role envisaged for consent managers. Though the ability of consent managers to determine the purpose of data processing is moot as it is a data-blind institution, it nonetheless constitutes a powerful intermediary to facilitate consent-driven data sharing between different data-holding and data-requesting entities.
Moreover, it remains to be seen whether all or certain data fiduciaries would automatically be designated as consent managers, given that the latter category is explicitly defined as a data fiduciary itself. Such considerations are particularly complex in an age where ‘social login’ functionalities afforded by large social media platforms serve as proxies for user authorization and consent provisioning to participate in the digital economy. For example, a data principal may choose to log into the travel website using their Facebook or Gmail credentials and thereby authorize certain data-sharing transactions. In this context, it is possible to construe the social login functionality afforded by Facebook or Gmail as a consent management institution. Thus, deliberate probing about the differences between a consent manager and other classes of data fiduciaries is necessary to avoid such overlaps, but also to assign responsibility and accountability to appropriate institutions to protect data principals’ rights. The Central Government must be cognizant of the conceptual concerns laid out here while contemplating and drafting terms for the governance of CMs.
Elsewhere, a version of the CM institution has been operationalized in the banking sector through the instrument of ‘Account Aggregators’ (AAs). Under the Ayushman Bharat Digital Mission, the ‘Health Information Exchange – Consent Manager’ framework has been mooted as a tool to authorize consent-driven healthcare data sharing between health information providers and health information users. What is noteworthy, however, is that neither the AA nor the HIE-CM embed fiduciary responsibilities within their respective definitions. This marks a significant departure from the fiduciary duties ascribed to CMs within the DPDP Bill, 2022 that opens doors for accountability and adherence to the best interests of data principals. The conception of CMs as fiduciary agents must be imbibed by the AA and the HIE-CM frameworks, taking the lead from the DPDP Bill, 2022 which is foundational privacy legislation of the country.
Governance of consent managers
The institution of CMs has its essential genesis in the Electronic Consent Framework and the Data Empowerment and Protection Architecture, which lay out the technical specifications for building a network of CMs that would operate across several domains to facilitate consent-driven personal data sharing. The express aim of the CM institution is upholding an individual’s data rights and imparting greater control to data principals over their personal data. The move to embed the CM in the DPDP Bill, 2022 edifies a techno-legal approach to data regulation such that open protocols, APIs and encrypted personal data flows become the gold standard for building consumer-centric digital public infrastructure.
Given its mounting significance, it is crucial that the specific rules to govern CM embed provisions for grievance redressal for harms arising from CM’s data-sharing actions as well as procedural provisions for appeal. As stated in the DPDP Bill, the CM bears fiduciary responsibility towards a data principal, giving rise to twin duties of care and loyalty that are characteristic of agent-principal relationships such as this one. Consequently, it is incumbent upon the CM to act in the best interests of the data principal and to ensure that their data is used for specific authorized purposes for which consent was originally provided.
Additionally, the responsibility to oversee and regulate CM institutions must rest with the Data Protection Board to ensure the autonomy of the institutional framework. The Board can borrow from the rule-making process of the Reserve Bank of India (RBI) in outlining the governance mechanisms for CMs, along the lines of how the AA framework is regulated. The RBI’s guidelines shed light on several governance considerations, including the process for registration of AAs, duties and responsibilities of AAs, standards for data security, pricing, audits, risk management and corporate governance, among others.
Reconsider functions attributed to consent managers
The current definition of the CM under the DPDP Bill, 2022 regards CM as an instrument that facilitates the exchange of personal data and management of consent. Thus, the CM is poised to play the role of a data-blind layer that allows for data flows between various data holders and requestors, after notifying and obtaining consent from the user or data principal. In turn, CM facilitates consent decisions along several variables such as time, type of information, and date of expiration, among others. Granular as consent may be within the CM, the presence of multiple variables risks burdening users with complex decision-making processes.
A plausible solution to this crisis of informed consent is the inclusion of advisory functions within the role envisaged for CMs in the attendant rules of governance to be notified by the Central Government. Consequently, the CM ceases to be a mere data-blind layer for personal data exchange and is transformed into a trusted agent which works in consultation with data principals about the use and exchange of their data as well as the management of their consent. Advisory functions considered herein are best captured through the prism of data stewardship – an approach to data governance that is responsible, rights-preserving and participatory such that individuals and communities are empowered to make data decisions. Several documented examples of such operational data stewards exist, and research demonstrates that such institutions are critical intermediaries that would aid data principals to realize their data rights and make informed consent decisions. In fact, there is growing consensus around the significance of data stewards and have since been included in the EU’s proposed Data Governance Act.
The institutional thrust for CMs within the DPDP Bill, 2022 is a promising move that anchors the principal-fiduciary relationship within a rubric of transparency and accountability. In fact, once this architecture is fully operationalized, India would be among the earliest jurisdictions to recognize and adopt a tripartite model for personal data sharing. Such a precedent promises to uncover valuable insights for other jurisdictions looking to implement consent-driven, responsible data exchange. The CM framework is the lynchpin of India’s quest for digital sovereignty, coming at the heels of several innovations around building open, inclusive digital public infrastructure.
But it is just as crucial to ensuring that the CM institution is founded with respect for the rights of data principals and that the rules governing CMs are made in a manner that is transparent and open to public input. Similarly, clarifying the specific roles and functions of the CM, while also aligning the many versions of the framework contemplated across domains is essential to operationalizing a comprehensive consent architecture for the jurisdiction. Reimagining CMs through the prism of data stewardship is a stepping stone to address these abiding concerns.