Companies want access to more and more of your personal data. The Personal Data Protection Bill 2019 [currently referred to a Joint Parliamentary Committee (JPC) of both the Houses of Parliament] requires entities to take Consent from Data Principals (data owners) to access and further process their data.
Consent helps both entities – Data Principals are in control of their data and entities get Consent from the Data Principals in an unambiguous way which removes their liability.
Individual consent given becomes the bedrock for data accessing and processing by the business entities. The success of this is linked to the detailing of the consent in the consent framework. The current practice adopted by the businesses is such that the consent is often taken in a surreptitious manner with little or no flexibility in choosing what you want to share.
The Personal Data Protection Bill (PDP) aims to bring this consent management to the forefront and give the users the opportunity to choose the data they are willing to share, keep a track of all the consents that have been given by them over time.
MeitY (Ministry of Electronics & Information Technology, Government of India) has defined the data structure in which the consent would be stored and it’s called a consent artifact. It defines consent artifact as,
a machine-readable electronic document that specifies the parameters and scope of data share that a user consents to in any data sharing transactionElectronic Consent Framework, Technology Specifications, Version 1.1 (section 5.1)
The Account Aggregators provide an electronic consent dashboard to the Data Principals where they are able to track their consents. The consent must be free, informed, specific, clear, and revocable.
What is an Uninformed Consent?
Internet users unintentionally allow ads to follow them all around the internet via browser cookies. Smartphones are able to track to your physical location and have been known to track even when we disable location services. The problem here is that we as users have given consent to these businesses in an uninformed way.
What is Informed Consent?
Personal data should never be shared without the Data Principal’s consent. The entities not only takes an explicit Consent from the data principal but also declares,
- Entities involved: Declares the FIP and FIU entity names
- The purpose of seeking the data – lending, wealth management, personal finance app, loan monitoring
- Data Life: The period for which the entity can hold and process the data
- Frequency of fetching data: Onetime (e.g. for the purpose of a loan application) or recurring (e.g. for the purpose of loan monitoring, wealth management)
- Data fields: Which data fields are being shared – e.g. bank balance, transaction details of the bank statement
- Consent time validity: The duration in which the consent request is valid.
- Digital Signature: The Consent Artefact (explained later) is digitally signed by the Account Aggregator. This guarantees the FIPs that the request came from that particular AA.
Uninformed Vs Informed Consent
|Loan Application Consent Seen by Borrower|
|Uninformed Consent||Informed Consent|
|- Borrower gives FIU the consent to get data from FIPs|
- Details of which data, for what purpose, frequency, period not shown to the user
|Borrower sees 'under the hood' of the Consent
- Purpose: Loan application
- Frequency:- Onetime
- Period: 6 months of bank statement
- Data Life: FIU can process the data for 15 days only
The example above clearly demonstrates the benefits of seeking informed consent from a Data Principal. The Data Principal clearly understands what they are consenting to and he is now empowered because of informed consent.
ORGANS Framework Enables Informed Consent
|Open Standards||The consent architecture must follow the principles of open standards.|
|Revocable||The consent given should be revocable by the user at any stage.|
|Granular||The consent given must be presented in granular level, where the data is broken down in terms of its characteristics and each characteristic has its own time and sharing privileges.|
|Auditable||All events in the consent flow and data flow must be digitally signed and logged using the MeitY Consent Log artefact. These non-repudiable transaction trails shall lead to higher trust.|
|Notice||The user must be informed and given due notice through Email, SMS, In-App Notice, and other notification mechanisms when consent is created or revoked and when data has been requested, sent or denied.|
|Security By Design||The internal and external software and systems must be designed from the ground up to be secure. There must be end-to-end security of data (PKI, DSC, tamper detection) and it must be network agnostic and data-centric.|