Personal data protection Bill may bring new usage consent managers: Experts

If the Personal Data Protection Bill gets passed in its present form, a new class of companies and entities could emerge.  

The sole job of these new entities would be to manage the consent for data usage of a user.

The concept of a consent manager, proposed in the Personal Data Protection Bill, takes a leaf out of the existing account aggregator framework regulated under the Reserve Bank of India (RBI). However, the Bill, in its current form, has left industry experts with more questions than answers.

The Personal Data Protection Bill, which was referred to a Select Joint Committee of Parliament on Wednesday, defines consent manager as “a data fiduciary which enables a data principal to gain, withdraw, review and manage his consent through an accessible, transparent and interoperable platform.”

A consent framework called Data Protection & Empowerment Architecture (DEPA) has been developed and conceptualised by policy think-tank iSpirt, which was formalised in July with the launch of Sahamati. Sahamati is a non-profit organisation and works towards accelerating the adoption of DEPA, with the aim of maintaining privacy and using the data for good.

A similar kind of consent mechanism has been proposed by iSpirt for giving permission to health data and telecom data. 

Industry experts fear massive implementation hurdles, going forward. “We expect implementation challenges since this concept is new to India’s digital economy. The Bill mandates that consent managers be standardised and interoperable, and they are subject to regulatory approval. We hope there is healthy competition and no gatekeeping,” said Vivan Sharan, partner, Koan Advisory Group.

The other issue is how the mechanism of consent managers will work. Sahamati is regulated under the RBI, but will there be different regulators for each sector’s consent manager?

“Consent managers are supposed to enable consent management through accessible, transparent and interoperable platforms. What are they going to look like? How will data flows be architected? What this means for global organisations remains to be determined,” said Nehaa Chaudhari, policy director at Ikigai Law.

For Sahamati, Reserve Bank of India (RBI), Securities and Exchanges Board of India (Sebi), Insurance Regulatory and Development Agency (IRDAI) and Provident Fund Regulatory and Development Agency (PFRDA) came together to allow regulated entities under their control to share data with user consent.

Banks, healthcare firms and fintech companies, among others, fear that sharing non-personal data with the government may hurt business interests.

Banks also fear the threat of data misuse. “Banks are envisaging that the new Bill will give them additional burden to ensure full compliance. The entities consuming data will have to classify between what is sensitive and non-sensitive data, and then further segregate between personal and non-personal data. The threat of data misuse will remain a key issue,” said Bharat Panchal, chief risk officer – India, Middle-East & Africa, FIS.  Sharan also added that no safeguards have been envisioned yet.