Hi Friends,

Even as I launch this today ( my 80th Birthday ), I realize that there is yet so much to say and do. There is just no time to look back, no time to wonder,"Will anyone read these pages?"

With regards,
Hemen Parekh
27 June 2013

Now as I approach my 90th birthday ( 27 June 2023 ) , I invite you to visit my Digital Avatar ( www.hemenparekh.ai ) – and continue chatting with me , even when I am no more here physically

Friday, 18 August 2023

Orderly Transition ? A Distant Dream

 


 

Context :

Government will ensure orderly transition to new data rules: MoS IT Rajeev Chandrasekhar

[  ET  /  18 Aug 2023 ]


Extract :


Question :

You had previously mentioned that the day the law comes into force, all data

 fiduciaries will be required to send notices to data principals and take

 their consent on using their personal data.


Do you think this will lead to CONSENT FATIGUE among users on DAY ZERO , as

 they will be flooded with notices ?

 

Rajeev Chandrasekhar :

This is as per law

Our principle is that “ consent must be taken from a data principal “

We have enacted the law after consultations on certain principles. The principle

 here is that :

There should be consent of the citizen BEFORE his or her data is processed for

ANY purpose by the data platform

 

Question :

The Act provides for the data principal to “ give, manage, review, or withdraw her

 consent “ to the data fiduciary through CONSENT MANAGER.


Will users be able to choose from multiple CONSENT  MANAGEMENT  APPS to

 control the permission given ?

 

Rajeev Chandrasekhar :

That’s the idea, that users will be able to choose from multiple CONSENT

 MANAGERS they trust


We will give them multiplicity of options and the data principal will be able to

 choose his or her consent manager from among the options he or she has

 

Dear Chandrasekharji ,

 

It is entirely likely that , over the past 20 years ( since websites started appearing in a big way ), I might have “ registered “ on ( say ) 234 sites


Each of these sites may have asked me to fill-in a different FORM , for submitting my data ( without doubt, a few fields must be common across these sites )


Each of these 234 sites , also made me click on >” I agree / accept the Terms & Conditions “


I never read those 3 pages of fine print terms , before clicking


By now, I :


Ø  Neither remember names ( URLs ) of those 234 sites

 

Ø  Nor remember what Personal Data I submitted to which site – and for WHAT purpose

 

 

Irrespective of that , each of my “ submission “ , constitutes a CONTRACT

between me and those sites


I have no idea , what does that CONTRACT , “ binds “ me to – nor any idea it is

 subject to which jurisdiction !


Now , for sake of simplicity, let us assume :


Ø  800 million Indians have signed such “ contracts “ , with 100 websites each


That adds up to > 80,000 million [ 80 billion ] contracts


Now, as per your clarification , those 100 websites ( Data Fiduciaries ) must send

 notices to 800 million users ( Data Principals )


That means, 80 BILLION notices should have been issued by NOW ( DPDP is 3 / 4

 days old )


I haven’t received any so far . Nor have I heard that anyone else has received


May be , this clause did not consider its implications .

 

May be , the Central Government will now issue Show Causenotices to

 THOUSANDS of “ Data Fiduciaries

 

But on whose behalf ?


Do Government have ANY INKLING as to WHO / HOW MANY , users have “

 registered “ on each of those websites ?


 

Next :

In the MOST UNLIKELY event of a User getting notices from those 100 websites (

 where she has registered over the past 20 years ), will it be required for each of

 those sites to write :

==================================================

Hey , Madam : 


#   You registered on our site on XYZ date

#   Submitted following data :  A – B – C – D

#   We “ process “ your data in H-J-K  manner

#   Deliver to you following service :  L – M – N

#   Store your data at :  O= P = Q  location

 

Now , as required by DPDP ,  click either YES  or  NO , against following statement :

 

Ø  I grant you my “ explicit / informed consent  for storing / processing my

    personal data for delivering the services ( which you have been delivering to me ,

    so far ) ….. YES  /  NO


Ø   

Ø  I do NOT want your services and ask you to DELETE all of my data from your

    servers AND confirm to me that you have done so

 

Ø  I want to make changes to my data . Show me the form where I can make

    those changes

 

 

Dear Chandrasekharji ,

 

I have tried to make this process ( sending of notices / seeking consent ), look

 SIMPLE



In reality , it is going to be SO COMPLICATED that it will become UN-

IMPLEMENTABLE !



I suppose , each CONSENT MANAGEMENT APP , will act as a CONSENT MANAGER

If yes, why do you propose SEVERAL apps , from which a User can choose one ?

 

Are these APPS different for :

 

#  Each type of  personal data “ ?

#  Each type of “ service to be delivered “ ?

 

#  Each type of “ data processing “ ?

 

#  Each type of “ Data storage location “ ?

 

Will multiple CONSENT  MANAGEMENT  APP , “ collect / compile / store “ user data

 , in identical manner ?

 

Dear Sir ,

 

I urge you once more to consider SIMPLIFICATION of entire process , as explained

 in my following e mail :

 

Ø  Stopping Data Leakage ?  .. ………………..07 Aug 2023

 

Extract :

      Is there a way , whereby , a data owner can “ get a service “ from a thousand

     websites WITHOUT providing to those 1,000 websites, her personal data ?

 

No need to give any CONSENT ( however informed / specific ) to each of those

THOUSAND sites, INDIVIDUALLY ( and painstakingly ) – even if those DATA

CONSENT FORMS are “ standardized and mandated “ by The Data Protection

Board , as defined in my following e-mails ?

 

    #        Consent Forms for Personal Data  ………….. 07 Aug 2023

 

            #         Dashboard for Data Owners  …………………… 04 Aug 2023

 

Yes , please consider my following 5 YEAR old suggestion :

 

Only Answer : a Statutory Warning  ……………. 10 Nov 2018


( to fully grasp the process suggested by me , please read the entire blog )

 

With regards,


Hemen Parekh

www.hemenparekh.ai  /  19  Aug  2023

 

Related Readings :

Only Answer : a Statutory Warning ………………………………………. 10 Nov 2018

      Erasing Personal Data ? …………………………………………………………..  21  Apr  2023

     SARAL ( Single  Authentic  Registration for Anywhere  Login )…. 10 Feb 2019 

     Digital Dividend from Demographic Data [ 4 D ]………… ……………. 14 Feb 2019 

     Who watches the Watchmen ?  ………………………………………………….  12 Jan 2019

     Monetizing User Data ………………………………………………………………….. 08 July 2023

     Finland adopts “ SARAL “ ?  ………………………………………………………..  31 May 2023

    If DEPA = Foundation , then SARAL = Superstructure ……………… 08 May 2022

 

Following is BARD’s opinion about my suggestion :

 

Sure, I can help you with that. Here is a table comparing the DPDP clauses with your suggestions:

DPDP Clause

Your Suggestion

Data fiduciaries must take consent from data principals before processing their personal data.

Data fiduciaries should not need to take consent from data principals for processing their personal data.

Data principals can give, manage, review, or withdraw their consent to data fiduciaries through a consent manager.

Data principals should be able to give, manage, review, or withdraw their consent to data fiduciaries directly, without the need for a consent manager.

The government will provide a list of approved consent managers.

The government should not provide a list of approved consent managers.

Data fiduciaries must comply with the data protection principles, including the principle of transparency.

Data fiduciaries should be required to provide more transparency about how they collect, use, and share personal data.

The Data Protection Authority (DPA) will be responsible for enforcing the DPDP.

The DPA should be given more resources and powers to enforce the DPDP.

 

Here are some additional thoughts on your suggestions:

·        I agree that the requirement for data fiduciaries to take consent from data principals before processing their personal data is too burdensome and unrealistic. In many cases, it is not possible or practical for data principals to give consent, such as when they are using a website or app without realizing that they are providing their personal data.

·        I also agree that the requirement for data principals to use a consent manager is unnecessary and adds an extra layer of complexity. Data principals should be able to give, manage, review, or withdraw their consent directly to data fiduciaries.

·        I think the government should play a more limited role in regulating the use of personal data. The government should focus on setting clear data protection principles and then allow businesses to develop their own compliance frameworks.

I hope that the DPDP will be revised to address these concerns.

 

And following are comments of ChatGPT :

 

Here's a tabulated comparison of the key clauses from the DPDP (Digital Personal Data Protection) law and your suggested process, along with some analysis of each point:

Clause from DPDP Law

Your Suggested Process

Analysis

Data fiduciaries send notices and seek consent.

Data fiduciaries send explicit notices and options.

DPDP emphasizes explicit consent from users.

Consent manager for managing consent.

No need for a consent manager.

Your process removes the complexity of apps.

Users can choose consent managers from options.

No consent managers, simplifying the process.

Your process eliminates user choice complexity.

User grants explicit consent for data processing.

User retains control without complex consent.

Your process keeps consent straightforward.

Users confirm their choices for data processing.

No need for users to confirm individually.

Your process streamlines user interactions.

Users can request data changes via forms.

Data changes handled in a more efficient manner.

Your process simplifies data modification.

Suggested process aims to make it simpler.

Simplifies process by avoiding consent apps.

Your process aligns with the goal of simplicity.

Analysis of potential consent fatigue.

Considers user's historical data agreements.

Your analysis highlights potential issues.

 

 

 

Your suggested process aims to simplify the data consent and management process, addressing potential issues such as consent fatigue and the complexities of managing consent through multiple apps.

Your proposal focuses on an aggregated approach where users retain control without needing to manage each consent individually.

While your approach attempts to alleviate the implementation challenges you see in the DPDP law, it's important to note that both approaches have their pros and cons.

DPDP emphasizes granular user control, explicit consent, and standardized processes.

On the other hand, your approach seeks to achieve simplicity by centralizing control and streamlining the consent process.

Ultimately, the effectiveness and feasibility of each approach would depend on the specific goals of the data protection law and the broader context of its implementation.

 

No comments:

Post a Comment