The Indian Personal Data Protection Bill, 2019 (Bill), introduced before the Indian Parliament, was subsequently referred to a joint parliamentary committee for review. The proposed legislation is a modified version of an earlier draft recommended by an expert committee under the chairpersonship of Justice B.N. Srikrishna (set up by the Indian Government).
The Bill, unlike its previous draft, enables a data principal (ie, a natural person to whom the personal data relates) to give or withdraw consent for processing personal data to a data fiduciary (ie, an entity determining the means and purposes of processing personal data) through a ‘consent manager’. The Bill delegates to a Data Protection Authority (DPA) the power to specify the technical, operational, financial and other rules regulating consent managers.
In this article, we suggest that instead of delegating the power to regulate consent managers entirely, broad principles governing such entities should be incorporated into the Bill itself based on which the DPA can regulate further. We further suggest that strong fiduciary obligations be imposed on consent managers to increase transparency and trust within the digital economy.
Who are Consent Managers?
A consent manager, as envisaged in the Bill, is a data fiduciary that enables data principals to delegate the exercise of their agency (ie the power to provide, withdraw, review and manage consent) through an accessible, transparent and interoperable platform.
Consent management was perhaps enabled in the Bill to address consent fatigue, a phenomenon due to which the data principal is unable to authorise the processing of personal data. This could happen either due to unavailability of the data principal or because of the complexity of the platform on which they are required to consent (such as interoperability, ie the involvement of multiple information service providers requiring authorisation at the same time).
In these situations, enabling someone else to consent on behalf of the data principal (similar to ‘proxies’ in the context of the exercise of the shareholder’s voting rights) could perhaps address consent fatigue.
Is the Idea of Consent Management New to the Indian Digital Economy?
Businesses engaged in aggregating financial data from different silos (ie financial institutions, government bodies, business entities) and presenting it to a customer or a third party such as a financial intermediary on a single platform, have been operating in the Indian financial sector for a few years now. These businesses, known as ‘account aggregators’, are entities that obtain, manage and submit consent on behalf of an individual. Consent is managed through a standardised ‘consent artefact’. A consent artefact is a document containing information necessary for the purposes of providing informed consent (such as the purpose of collection, disclosure of third parties to whom data must be shared, etc).
At present, the Reserve Bank of India (RBI) regulates consent management of financial data. Consent management of other categories of personal data, however, is not subject to analogous regulation. The Bill only requires consent managers to mandatorily register with the DPA, delegating the power to regulate consent management entirely to the regulator, so long as consent management takes place through an ‘accessible, transparent and interoperable platform’. The Bill is bereft of guiding principles indicating how the DPA should regulate consent management in the future. This exacerbates uncertainty as to how the consent management architecture will manifest in practice, raising concerns since consent management could permeate a wide range of industries including social media websites, hospitals, authentication and financial institutions.
Need for Regulation
The failure to regulate consent managers adequately can undermine consumer and business trust in the digital economy. This is because of the inherent delegation of authority (to provide, withdraw and manage consents) by the data principal to the consent manager.
Consider a situation wherein a social media company establishes a separate affiliate company as a consent manager. It is reasonable to assume that this affiliate company will have the right to provide and withdraw the consent on behalf of thousands (if not millions!) of individuals who have user accounts with that social media company and with other social media companies.
This affiliate company could provide consent on behalf of these social media users for a variety of esoteric purposes to the social media company. Perhaps more crucially, the affiliate may withdraw consent to process personal data for certain purposes (which are perhaps not essential to provide the service but relevant for business development) for other competing websites and applications. This is worrying as it could enable a company (in this case, the social media company) to gain a distinct data advantage especially for targeted advertising and product/service personalisation. In fact, this situation may play across any industry where data, information and insights derived from such data are considered to be highly valued commodities.
Regulation of Consent Managers: Envisaging a Broad, Principle-Oriented Framework
The regulatory framework surrounding consent managers should reflect the fiduciary duties of care, loyalty and confidentiality broadly. Ideally, guiding principles towards regulating consent managers should emerge from the Bill itself and not subsequent regulation. This is because delegating the power to regulate the entire framework to the DPA may result in excessive delegation of administrative powers.
Consent managers should generally be precluded from using personal data held on behalf of the data principal for their own benefit. This is in line with the duty of loyalty owed to data principals, a principle recognised implicitly in the Bill along with several proposed legislations across the globe (including, the Data Care Act, 2018 and New York’s Privacy Act, 2019, both in the United States of America).
Further, consent managers should refrain from engaging in any business other than consent management. The RBI imposes the same restriction on account aggregators. This would reduce moral hazard by addressing the disjunct between the consent manager’s corporate interest and the data principal’s best interests. Consent managers under the Bill therefore should operate exclusively in the business of consent management.
Consent Managers’ involvement in Tradable Securities and Politics
Consent managers should be precluded from investing in tradable instruments given the information asymmetry resulting from the huge repository of information they would be likely to hold. Individuals behind the corporate veil controlling the operations of consent managers should also not have any political affiliations. If members of political parties begin to simultaneously indulge in the business of consent management, manipulating electoral politics would likely become significantly easier. This is because consent managers would possess information from different silos of the life of a user, which could be susceptible to behavioural monitoring through big data analytics. This could potentially increase the ability of political parties to target users with political advertisements and increase the likelihood of a repeat of the Cambridge Analytica fiasco. Even today, there is no overriding restriction by the RBI on account aggregators precluding them from sharing information with political parties.
Adequate research must be conducted to ensure that consent managers are practical (as opposed to superfluous and bureaucratic) and genuinely reduce the problem of consent fatigue. The consent management architecture can be tested and implemented on a trial basis, perhaps through a regulatory sandbox, to (a) stress-test the relevance and practicality; and (b) fine-tune and improve the consent management architecture, if found practical and useful.
Crucially, if it is found to be useful and necessary, regulating consent managers adequately would enhance transparency and trust in the digital economy. In a framework which encourages informed consent, regulation surrounding delegation of agency over personal data must seek to empower the data principal in a fair, reasonable and non-partisan manner.
Samraat Basu is a Technology and Data Protection Lawyer in Bengaluru, India.
Siddharth Sonkar is a Final Year Student of Law at National University of Juridical Sciences (NUJS), India.