Empowering Digital India: Consent-based Sharing and Data Protection

17 Aug 2023

India’s rapid digitalization has created a need to safeguard personal data. The Digital Personal Data Protection (DPDP) Act addresses this concern by creating consent-based data-sharing mechanisms which ensure data control and protection. The legislation introduces Consent Managers (CM) responsible for enabling users to manage their data consent through an accessible platform. Data fiduciaries, which determine how data is used and processed, are tasked with maintaining accurate data, preventing breaches, and limiting data collection and usage. The Account Aggregator (AA) framework, which empowers individuals with control over their financial data, aligns harmoniously with the DPDP Act, setting a global precedent for responsible data governance. This interconnected approach can potentially revolutionize personal data usage across sectors, with Account Aggregators leading the way.


 

Imperatives for Data Protection

With the rapid proliferation of smartphones, cheap internet connectivity, and a significant young digital native population, Indian society has witnessed widespread digitalization. This exponential growth of digital interactions and transactions has created a large digital trail of users. It is crucial to safeguard this digitally generated consumer personal identifiable information (PII).

Due to the lack of a dedicated data protection regime, data governance relied on section 43A of the Information Technology Act 2000, with rules issued thereunder. The Digital Personal Data Protection (DPDP) Act comprehensively addresses data protection concerns in the digital realm across sectors.

The core principle of this data protection legislation is consent-based data sharing, which ensures both data control and security. It establishes consent as the fundamental ground for legitimately accessing and processing personal data. It also lays down a stringent requirement that consent be “free, specific, informed, unconditional, and unambiguous.”

Consent Managers (CM)

The legislation defines consent managers as “a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.” The consent manager is accountable to the data principal. Each Consent Manager must register with the Board, meeting set technical, operational, and financial criteria. Because data processing hinges on a principal’s consent, legal proceedings can question its validity. Therefore, the data fiduciary must obtain proper notice and consent under the Act and its rules, and a consent history of the user would be created and stored. Consent managers must offer accessible grievance redressal mechanisms for data principals. These mechanisms address acts, omissions, obligations, and rights under the Act and its rules. Data fiduciaries and consent managers must respond to grievances within prescribed timelines.

Data Fiduciaries

Data fiduciaries, which determine how personal data is processed, bear a significant role under the data protection legislation. They are accountable for maintaining accurate and complete user data, preventing breaches, and ensuring legal adherence. These obligations apply to all data fiduciaries covering digital and digitized data in India. They must provide users with explicit consent requests, accompanied by notices explaining consent withdrawal and grievance mechanisms.

Consent requests and notices are intertwined elements in data protection. A notice is an upfront disclosure of data processing details, empowering individuals with information about the purpose, data types, and rights. The consent request follows, seeking permission for data processing clearly and simply. Together, they empower informed decision-making and uphold data privacy, translating transparency into actionable consent.

Additionally, when processing data on children or disabled individuals, verifiable parental or guardian consent is essential. While the data fiduciaries can obtain the services of data processors, the legislation mainly focuses on data fiduciaries’ responsibilities.

Data Protection Board

The Data Protection Board of India is designated to oversee compliance and impose penalties according to the Digital Personal Data Protection Act. The Act outlines that the Data Protection Board will impose fines after a comprehensive inquiry process. Furthermore, the board functions as the designated body for addressing user grievances. Additionally, the Act mandates every Consent Manager to undergo registration with the Board, following specific technical, operational, financial, and other conditions as deemed appropriate by the regulatory authorities.

Establishing a Data Protection Board introduces an additional regulatory layer for data governance within the Account Aggregator (AA) ecosystem, distinct from the oversight provided by financial sector regulators. This development bolsters the regulatory framework and paves the way for Sahamati to actively contribute to shaping policies concerning data sharing and protection in India.

The inception of this board, coupled with the mandatory registration requirement for AAs, creates novel avenues for the AA ecosystem to play a pivotal role in shaping the landscape surrounding data sharing and data governance practices in the financial as well as other relevant sectors. The AA ecosystem recognizes this Act’s importance and enthusiastically supports its objectives.

Account Aggregators in the Financial Ecosystem

The Account Aggregator (AA) framework for sharing financial data empowers consumers by giving them greater control over their financial information, potentially transforming lending and investing. AAs, regulated by the RBI, enable individuals to securely share data between financial institutions, expanding opportunities for users and financial institutions. Importantly, data sharing within AA requires individual consent to ensure privacy. The term “consent manager” aptly describes an AA, as it doesn’t aggregate data but manages user consent for financial data access.

An RBI-authorized entity known as an NBFC-AA serves as a consent manager within the financial system, facilitating the sharing of financial data among regulated entities. This flow aims to enhance the creation of more refined, improved, and personalized financial services and products for individuals.

The DPDP Act aligns with the electronic consent artefact design in the AA ecosystem notified by the Ministry of Electronics and Information Technology (MeitY), encompassing purpose and usage limitations, revocation, granular data access, and nominees/consent delegation. It underscores data protection aligned with consent principles, allowing individuals to define data usage, revoke consent, and delegate control. This alignment reinforces a robust legal framework for safeguarding data rights and privacy, fostering a secure and empowered data environment.

Electronic Consent Artefact
Ministry of Electronics and Information Technology (MeitY)


<Consent xmlns="http://meity.gov.in" timestamp="YYYY-MM-DDThh:mm:ssZn.n">
  <Def id="" expiry="" revocable="" />
  <!-- Identifiers -->
  <Collector type="URI" value="" />
  <DataConsumer type="URI" value="">
    <Notify event="REVOKE" type="URI" value="" />
  </DataConsumer>
  <DataProvider type="URI" value="">
    <Notify event="REVOKE" type="URI" value="" />
  </DataProvider>
  <User type="AADHAAR|MOBILE|PAN|PASSPORT|..." value="" name="" issuer="">
    <!-- User's account IDs at DP/DC/CM; required to disambiguate -->
    <Account dpID="" dcID="" cmID="" />
  </User>
  <!-- Revoker details should be specified if consent is revocable -->
  <Revoker type="URI" value="" />
  <!-- Logging; logTo can be any valid URI, including an email address -->
  <ConsentUse logTo="" type="URI" />
  <DataAccess logTo="" type="URI" />
  <Data-Items>
    <!-- following element repeats -->
    <Data id="" type="TRANSACTIONAL|PROFILE|DOCUMENT">
      <Access mode="VIEW|STORE|QUERY" />
      <!-- how long the consumer is allowed to store data -->
      <Datalife unit="MONTH|YEAR|DATE|INF" value="" />
      <!-- frequency and number of repeats for access -->
      <Frequency unit="DAILY|MONTHLY|YEARLY" value="" repeats="" />
      <Data-filter>
        <!-- Data access filter, any encoded query string as per data provider API needs -->
      </Data-filter>
    </Data>
  </Data-Items>
  <!-- Purpose attributes -->
  <Purpose code="" defUri="" refUri="">
    <!-- purpose text goes here -->
  </Purpose>

  <!-- (OPTIONAL) User Signature block -->
  <Signature />
  <!-- Consent collector Signature block -->
  <Signature />

</Consent>
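
An added example, not part of the MeitY specification or the original article: a Python check that a data provider could run against a filled-in artefact before releasing data, enforcing the expiry, revocation, named consumer, and per-item access mode fields of the template above. The sample values, the "true" value for revocable, and the ISO 8601 UTC timestamp format are assumptions, since the template leaves those attributes blank.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

Q = "{http://meity.gov.in}"  # namespace from the template's root element

# Constructed sample: the template's blanks filled with made-up values.
SAMPLE = """<Consent xmlns="http://meity.gov.in" timestamp="2023-08-17T10:00:00Z">
  <Def id="consent-001" expiry="2024-08-17T10:00:00Z" revocable="true" />
  <Collector type="URI" value="https://cm.example" />
  <DataConsumer type="URI" value="https://lender.example" />
  <DataProvider type="URI" value="https://bank.example" />
  <Revoker type="URI" value="https://cm.example/revoke" />
  <Data-Items>
    <Data id="stmt" type="TRANSACTIONAL">
      <Access mode="VIEW" />
      <Datalife unit="MONTH" value="1" />
    </Data>
  </Data-Items>
  <Purpose code="EXAMPLE-PURPOSE" defUri="" refUri="">Loan underwriting</Purpose>
</Consent>"""


def _ts(text):
    # Assumption: timestamps are ISO 8601 UTC with a trailing "Z".
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_access(xml_text, consumer, data_id, mode, now, revoked=frozenset()):
    """Decide one data request against one artefact; returns (allowed, reason).
    Signature verification is not shown and must happen before this check."""
    root = ET.fromstring(xml_text)
    definition, revoker = root.find(Q + "Def"), root.find(Q + "Revoker")
    if definition is None or root.find(Q + "DataConsumer") is None:
        return False, "malformed: Def or DataConsumer missing"
    if definition.get("revocable") == "true" and (revoker is None or not revoker.get("value")):
        return False, "malformed: revocable consent names no Revoker"
    if definition.get("id") in revoked:
        return False, "consent revoked"
    if now >= _ts(definition.get("expiry")):
        return False, "consent expired"
    if root.find(Q + "DataConsumer").get("value") != consumer:
        return False, "requester is not the named DataConsumer"
    for item in root.iter(Q + "Data"):
        access = item.find(Q + "Access")
        if item.get("id") == data_id and access is not None:
            if access.get("mode") != mode:
                return False, f"mode {mode} not granted"
            return True, "ok"
    return False, "data item not covered by consent"
```

The revoked set stands in for consent ids the provider has received through the artefact's Notify event="REVOKE" channel; how that set is stored is outside this example.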


Techno-Legal Framework

The techno-legal framework enshrined in the Act creates a digital framework that allows users to share their data through Consent Managers. The technological architecture of consent managers (CM) fulfills the legal principles enshrined in the legislation. Understanding the combination of technological and legal principles is crucial, as it empowers users to safeguard their data and use it to access improved products and services.

| Principle | Clause | Description |
| --- | --- | --- |
| Collection Limitation; Purpose Limitation; Usage Limitation | Section 6 (1) | “… shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.” |
| Revocation | Section 6 (4) | “Where consent given by the Data Principal is the basis of the processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given.” |
| Granularity of Data Access (Notice) | Section 5 (1) | “(i) the personal data and the purpose for which the same is proposed to be processed; (ii) the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; (iii) the manner in which the Data Principal may make a complaint to the Board, in such manner and as may be prescribed.” |
| Consent Delegation | Section 9 (1) | “The Data Fiduciary shall, before processing any personal data of a child or a person with disability who has a lawful guardian, obtain verifiable consent of the parent of such child or the lawful guardian, as the case may be, in such manner as may be prescribed.” |
| Grievance Redressal | Section 13 (1) | “A Data Principal shall have the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager in respect of any act or omission of such Data Fiduciary or Consent Manager regarding the performance of its obligations in relation to the personal data of such Data Principal or the exercise of her rights under the provisions of this Act and the rules made thereunder.” |
| Nominee | Section 14 (1) | “A Data Principal shall have the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of this Act and the rules made thereunder.” |

Global Relevance

In a tech-driven global landscape, ensuring data privacy has become crucial. Countries worldwide have developed legal tools to protect data owners’ rights and outline data controllers’ responsibilities. EU General Data Protection Regulation (GDPR) is a leading framework that has served as a model for numerous nations as they draft their own data privacy laws, including Thailand’s Personal Data Protection Act (PDPA) and Brazil’s General Personal Data Protection Law (LGPD).

The Indian data governance regime, built on the strategic Data Empowerment and Protection Architecture (DEPA) approach to data governance and protection, is underpinned by principles heralded globally. But the peculiar characteristic of the Indian techno-legal framework is the technological element of consent managers, which empower users to control and own data and operationalize data protection, governance, and consent-based data sharing.

Due to high discretionary spending, personal data has been used for targeted advertising in developed countries. In developing countries, users have become data-rich before their incomes increase. Thus, the model for leveraging digital personal data focuses on access to better services, such as credit and insurance or medical services and treatments, which have a socio-economic impact on consumers. Therefore, the techno-legal framework enables consumers to own, control, and share data for their benefit.

Impact?

The Digital Personal Data Protection Act of 2023 is a pivotal advancement in India’s digital landscape. It addresses the imperative need for safeguarding sensitive digital information amid widespread digitalization. Similar to how the Unified Payments Interface (UPI) had a profound impact on payment transactions in the country, the Digital Personal Data Protection (DPDP) Act 2023 is poised to transform data transactions in the Indian digital economy.

The Act harmonizes seamlessly with the innovative Account Aggregator (AA) network introduced in 2021 by prioritizing consent-based data sharing. The DPDP Act and AA framework alignment epitomize user-centric data control and secure sharing. This Act will strengthen the governance of financial information users (FIUs) in the AA ecosystem. At the same time, the proactive role to be played by the AA ecosystem is poised to expedite the adoption of similar mechanisms across various industries, catalyzing a broader transformation towards responsible data usage predicated on user consent.

The significance of comprehensive data protection laws in driving successful data-sharing initiatives is highlighted in the ‘Nurturing a User-Driven Governance Entity (N.U.D.G.E.) for the Account Aggregator Ecosystem’ report by the Vidhi Centre for Legal Policy. The report underscores the pivotal role of regulatory frameworks in facilitating open banking and open finance through an analysis of global approaches to open banking and data sharing, such as the United Kingdom, the Philippines, Australia, and Estonia.

The key takeaway is that a robust personal data protection law is a fundamental prerequisite for any effective data-sharing endeavor. Consequently, the report strongly recommends the establishment of such laws within the Account Aggregator ecosystem, ensuring holistic governance of data exchange in India and upholding individuals’ right to privacy. This comprehensive techno-legal framework sets a global precedent for responsible data governance and protection, underpinning India’s journey through the evolving digital era.


Check out the original bill tabled in the 2023 monsoon session of the Parliament here → Digital Personal Data Protection Bill 2023

For more policy resources relevant to the AA ecosystem, check out this link →
Account Aggregator Key Resources AA Sandboxes, APIs, Schemas