Context :
Government will ensure orderly transition to new data rules: MoS IT Rajeev Chandrasekhar [ ET / 18 Aug 2023 ]
Extract :
Question :
You had previously mentioned that the day the law comes into force, all data fiduciaries will be required to send notices to data principals and take their consent on using their personal data. Do you think this will lead to CONSENT FATIGUE among users on DAY ZERO, as they will be flooded with notices ?
Rajeev Chandrasekhar :
This is as per law. Our principle is that “consent must be taken from a data principal”. We have enacted the law after consultations on certain principles. The principle here is that there should be consent of the citizen BEFORE his or her data is processed for ANY purpose by the data platform.
Question :
The Act provides for the data principal to “give, manage, review, or withdraw her consent” to the data fiduciary through a CONSENT MANAGER. Will users be able to choose from multiple CONSENT MANAGEMENT APPS to control the permission given ?
Rajeev Chandrasekhar :
That’s the idea, that users will be able to choose from multiple CONSENT MANAGERS they trust. We will give them a multiplicity of options and the data principal will be able to choose his or her consent manager from among the options he or she has.
Dear Chandrasekharji ,
It is entirely likely that, over the past 20 years ( since websites started appearing in a big way ), I might have “registered” on ( say ) 234 sites.
Each of these sites may have asked me to fill in a different FORM for submitting my data ( without doubt, a few fields must be common across these sites ).
Each of these 234 sites also made me click on “I agree / accept the Terms & Conditions”.
I never read those 3 pages of fine-print terms before clicking.
By now, I :
- Neither remember the names ( URLs ) of those 234 sites
- Nor remember what Personal Data I submitted to which site, and for WHAT purpose
Irrespective of that, each of my “submissions” constitutes a CONTRACT between me and those sites.
I have no idea what that CONTRACT “binds” me to, nor any idea which jurisdiction it is subject to !
Now, for the sake of simplicity, let us assume :
- 800 million Indians have signed such “contracts”, with 100 websites each
That adds up to > 80,000 million [ 80 billion ] contracts.
Now, as per your clarification, those 100 websites ( Data Fiduciaries ) must send notices to 800 million users ( Data Principals ).
That means 80 BILLION notices should have been issued by NOW ( DPDP is 3 / 4 days old ).
I haven’t received any so far. Nor have I heard that anyone else has received any.
Maybe this clause did not consider its implications.
Maybe the Central Government will now issue “Show Cause” notices to THOUSANDS of “Data Fiduciaries”.
But on whose behalf ?
Does the Government have ANY INKLING as to WHO / HOW MANY users have “registered” on each of those websites ?
Next :
In the MOST UNLIKELY event of a User getting notices from those 100 websites ( where she has registered over the past 20 years ), will it be required for each of those sites to write :
==================================================
“Hey, Madam :
# You registered on our site on XYZ date
# Submitted the following data : A – B – C – D
# We “process” your data in H-J-K manner
# Deliver to you the following service : L – M – N
# Store your data at : O = P = Q location
Now, as required by DPDP, click either YES or NO against the following statement :
- I grant you my “explicit / informed consent” for storing / processing my personal data for delivering the services ( which you have been delivering to me so far ) ….. YES / NO
- I do NOT want your services and ask you to DELETE all of my data from your servers AND confirm to me that you have done so
- I want to make changes to my data. Show me the form where I can make those changes”
==================================================
Dear Chandrasekharji ,
I have tried to make this process ( sending of notices / seeking consent ) look SIMPLE.
In reality, it is going to be SO COMPLICATED that it will become UN-IMPLEMENTABLE !
I suppose each CONSENT MANAGEMENT APP will act as a CONSENT MANAGER.
If yes, why do you propose SEVERAL apps, from which a User can choose one ?
Are these APPS different for :
# Each type of “personal data” ?
# Each type of “service to be delivered” ?
# Each type of “data processing” ?
# Each type of “Data storage location” ?
Will multiple CONSENT MANAGEMENT APPS “collect / compile / store” user data in an identical manner ?
Dear Sir ,
I urge you once more to consider SIMPLIFICATION of the entire process, as explained in my following e-mail :
- Stopping Data Leakage ? ( 07 Aug 2023 )
Extract :
Is there a way whereby a data owner can “get a service” from a thousand websites WITHOUT providing her personal data to those 1,000 websites ? No need to give any CONSENT ( however informed / specific ) to each of those THOUSAND sites INDIVIDUALLY ( and painstakingly ), even if those DATA CONSENT FORMS are “standardized and mandated” by The Data Protection Board, as defined in my following e-mails ?
# Consent Forms for Personal Data ( 07 Aug 2023 )
# Dashboard for Data Owners ( 04 Aug 2023 )
Yes, please consider my following 5 YEAR old suggestion :
Only Answer : a Statutory Warning ( 10 Nov 2018 )
( to fully grasp the process suggested by me, please read the entire blog )
With regards,
Hemen Parekh
www.hemenparekh.ai / 19 Aug 2023
Related Readings :
- Only Answer : a Statutory Warning ( 10 Nov 2018 )
- Erasing Personal Data ? ( 21 Apr 2023 )
- SARAL ( Single Authentic Registration for Anywhere Login ) ( 10 Feb 2019 )
- Digital Dividend from Demographic Data [ 4 D ] ( 14 Feb 2019 )
- Who watches the Watchmen ? ( 12 Jan 2019 )
- Monetizing User Data ( 08 July 2023 )
- Finland adopts “SARAL” ? ( 31 May 2023 )
- If DEPA = Foundation , then SARAL = Superstructure ( 08 May 2022 )
Following is BARD’s opinion about my suggestion :
Sure, I can help you with that. Here is a table comparing the DPDP clauses with your suggestions:

| DPDP Clause | Your Suggestion |
| --- | --- |
| Data fiduciaries must take consent from data principals before processing their personal data. | Data fiduciaries should not need to take consent from data principals for processing their personal data. |
| Data principals can give, manage, review, or withdraw their consent to data fiduciaries through a consent manager. | Data principals should be able to give, manage, review, or withdraw their consent to data fiduciaries directly, without the need for a consent manager. |
| The government will provide a list of approved consent managers. | The government should not provide a list of approved consent managers. |
| Data fiduciaries must comply with the data protection principles, including the principle of transparency. | Data fiduciaries should be required to provide more transparency about how they collect, use, and share personal data. |
| The Data Protection Authority (DPA) will be responsible for enforcing the DPDP. | The DPA should be given more resources and powers to enforce the DPDP. |

Here are some additional thoughts on your suggestions:
- I agree that the requirement for data fiduciaries to take consent from data principals before processing their personal data is too burdensome and unrealistic. In many cases, it is not possible or practical for data principals to give consent, such as when they are using a website or app without realizing that they are providing their personal data.
- I also agree that the requirement for data principals to use a consent manager is unnecessary and adds an extra layer of complexity. Data principals should be able to give, manage, review, or withdraw their consent directly to data fiduciaries.
- I think the government should play a more limited role in regulating the use of personal data. The government should focus on setting clear data protection principles and then allow businesses to develop their own compliance frameworks.
I hope that the DPDP will be revised to address these concerns.
And following are comments of ChatGPT :
Here's a tabulated comparison of the key clauses from the DPDP (Digital Personal Data Protection) law and your suggested process, along with some analysis of each point:

| Clause from DPDP Law | Your Suggested Process | Analysis |
| --- | --- | --- |
| Data fiduciaries send notices and seek consent. | Data fiduciaries send explicit notices and options. | DPDP emphasizes explicit consent from users. |
| Consent manager for managing consent. | No need for a consent manager. | Your process removes the complexity of apps. |
| Users can choose consent managers from options. | No consent managers, simplifying the process. | Your process eliminates user choice complexity. |
| User grants explicit consent for data processing. | User retains control without complex consent. | Your process keeps consent straightforward. |
| Users confirm their choices for data processing. | No need for users to confirm individually. | Your process streamlines user interactions. |
| Users can request data changes via forms. | Data changes handled in a more efficient manner. | Your process simplifies data modification. |
| Suggested process aims to make it simpler. | Simplifies process by avoiding consent apps. | Your process aligns with the goal of simplicity. |
| Analysis of potential consent fatigue. | Considers user's historical data agreements. | Your analysis highlights potential issues. |

Your suggested process aims to simplify the data consent and management process, addressing potential issues such as consent fatigue and the complexities of managing consent through multiple apps. Your proposal focuses on an aggregated approach where users retain control without needing to manage each consent individually.
While your approach attempts to alleviate the implementation challenges you see in the DPDP law, it's important to note that both approaches have their pros and cons. DPDP emphasizes granular user control, explicit consent, and standardized processes. On the other hand, your approach seeks to achieve simplicity by centralizing control and streamlining the consent process.
Ultimately, the effectiveness and feasibility of each approach would depend on the specific goals of the data protection law and the broader context of its implementation.