Data Protection Act: Who Will The New Consent Managers Serve - Users Or Data Collectors?

By Meghna Bal and Mohit Chawdhry

TL;DR
The Digital Personal Data Protection Act recognises consent managers, which are intermediaries expected to facilitate the management of personal data between users (data principals) and entities that collect and process this data (data fiduciaries). This system aims to empower users by giving them greater control over their personal data through a centralised platform for managing consent.

However, concerns arise regarding the effectiveness of consent managers due to potential conflicts of interest, where consent managers may depend financially on data fiduciaries, thereby undermining their primary role of serving users' interests. Additionally, there are worries about the lack of direct obligations on consent managers regarding the treatment of data, which could lead to security risks and a decrease in consumer trust.

The practice of privacy self-management, essential for the consent manager framework, is challenged by the unrealistic expectation for average users to manage the complexities of data processing activities. Despite the theoretical benefits, the practical implementation of consent managers raises questions about their effectiveness and highlights the potential need for future policy adjustments.

When the Digital Personal Data Protection Act was enacted last year, many lauded it for empowering users by giving them autonomy over their own personal data.

However, there are still alarming issues in the legislation, particularly with the introduction of consent managers into the data processing ecosystem.

Before turning to the shortcomings of this new stakeholder in the data processing ecosystem, it is important to understand what consent managers are. They act as intermediaries between data principals (users) and data fiduciaries (private or public bodies responsible for collecting, processing, and storing personal data, as well as for managing the consent that governs such processing or sharing).

The Possibility Of Misuse 

The centralisation of control over data collection and consent management has a flip side: it can, in theory, give rise to a situation in which the data fiduciary misuses the data.

The Digital Personal Data Protection Act 2023 has consequently brought in a potential remedy to this vulnerability by creating consent managers. These consent managers are a single point of contact for data principals to give, manage, review, or withdraw consent for data processing through an accessible and interoperable platform. 

By streamlining the consent management process, they potentially allow data principals to meaningfully exercise control over their data. However, a closer inspection of the ecosystem in which consent managers function under the Act raises questions about how effective they can be at both serving data principals and benefiting the digital ecosystem.

Conflict Of Interest 

The first point of concern stems from the consent manager’s business model. According to the Act, consent managers are expected to act on behalf of and be accountable towards data principals. 

However, given that users currently do not pay any fees for data processing by fiduciaries, it is unlikely that consent managers will be able to rely on them for revenue. 

It is likely that consent managers will look to data fiduciaries to pay for their services, creating a conflict of interest: they would be statutorily beholden to serve the data principal's interests while relying financially on the data fiduciaries at the same time.

Second, data fiduciaries may lack the necessary incentives to work with consent managers, minimising their impact on the data value chain. Indeed, companies will be averse to participating in a framework that makes it easier for other competitors to access the personal data they collect and process. 

Moreover, participating in the framework could potentially expose a data fiduciary’s users to cyber-security vulnerabilities at the consent manager’s end. 

A corollary here is that consent managers may attempt to make compliance with the Act more complex than it needs to be to justify their necessity in the value chain. Such an outcome would worsen consumer experiences and may lead to customer losses for firms that take them on. 

In addition, it creates a situation in which prospective consent managers may be encouraged to file complaints against data fiduciaries in a bid to compel the latter to take them on.

Data Treatment: No Obligations On Consent Managers 

Another problem with the consent manager role is that there are no direct obligations placed on such an entity regarding its treatment of data. While the Act permits an end user to file a complaint against a consent manager for breach of its obligations, none are spelled out in the Act. 

Presuming these will come in the rules, it is still unclear to what extent a principal can control data shared with a consent manager. 

The concept of consent managers is not new. The RBI’s Account Aggregator framework, launched in 2016 and operationalised in 2021, provides for establishing non-banking financial companies (NBFCs) to retrieve, share, and transmit financial user data between different entities, such as banks and insurance providers, subject to explicit user consent. 

Similarly, the Ayushman Bharat Digital Mission leverages health information exchange-consent managers (HIE-CMs) to facilitate the consensual sharing of medical data between patients and medical institutions. However, there have been questions about the effectiveness and practicality of these frameworks. 

Though they provide a scaffold for better transparency and control over personal data, they fundamentally rely on the concept of privacy self-management. 

Unrealistic To Expect Individuals To Manage Data Privacy 

It is important to note that privacy self-management requires users to actively manage and understand the implications of how their data is processed. Under this system, a user makes informed decisions about who gets access to their data and for what purposes. 

However, it is somewhat unrealistic to expect the average user to grapple with the complexity of data processing activities as well as have the specialised knowledge required to comprehend the potential risks and implications of data sharing. 

As such, privacy self-management is largely ineffective as a tool for empowering users in the context of their data, particularly in countries where a majority of the populace lacks basic digital literacy.

The consent manager framework is laudable in principle, as it seeks to give users greater agency over their data. However, when the concept is put into practice, the benefits of introducing such a system remain unclear. 

Future Policy Changes May Be Required 

Policymakers may consider introducing rules to mitigate the conflicts of interest and security risks associated with consent managers.

They must also make provisions to ensure that such entities do not exploit either data fiduciaries or principals in a bid to establish themselves commercially. Such measures towards mitigation will go a long way towards preserving the integrity of the Indian digital ecosystem.

[This article was first published on the thesecretariat.in website.]