Draft Data Protection Bill Introduces Consent Managers
Entities solely meant for managing user consent would be a fresh addition to India's tech sector.
The latest draft of the Digital Personal Data Protection Bill welcomes a new genus of entities into the data protection sphere—consent managers. Although not alien to the global privacy industry, entities solely meant for managing the consent of users would be a fresh addition to the technology industry in India.
The concept has been introduced in light of the proliferation of the digital economy, which has increased the number of organisations with which we interact in an exponential manner.
"An ecosystem of consent managers would help us keep track of instances where consent was given," the explanatory note to the bill read.
A consent manager platform enables an individual to have a comprehensive view of her interactions with data fiduciaries and the consent given to them. The Bill has recognised consent managers.Explanatory note on Personal Data Protection Bill.
Consent managers are entities registered with the Data Protection Board. They are equipped with the task of managing, withdrawing, and reviewing individuals' consent with data fiduciaries entities that determine the means and purpose of personal data along with the user, according to the bill.
They are expected to fulfill the same through an accessible, transparent, and interoperable platform.
This is not the first draft bill to recognise consent managers. Unlike the earlier bill, which allowed users to interact directly with the data fiduciary, the present bill wants individuals to give consent solely through a consent manager.
However, these might not be helpful, says Rajesh Vellakkat, partner at Fox Mandal, Solicitors and Advocates.
Consent management is a huge industry globally, especially in the EU, and could be helpful for a country like India going through the infancy of data protection legislation. However, they become irrelevant when the whole focus of the draft bill is on automated personal data. Do we really need consent managers to manage your cookies and pop-ups when a major chunk of information is still processed manually?Rajesh Vellakkat, Partner, Fox Mandal, Solicitors and Advocates.
Questions are also being raised on the functioning and independence of consent managers. The provisions are vague, says Namrata Maheshwari, Asia Pacific Policy Counsel, Access Now.
As per the draft bill, they are supposed to be registered with the Data Protection Board, which in turn would be appointed by the central government, bringing us to the question of the independence of these entities. The functions, mode of appointment, etc. are kept vague. They don’t really inspire trust.Namrata Maheshwari, Asia Pacific Policy Counsel, Access Now
There seems to be an overlap between the functions of the data protection officer and the consent manager, Maheshwari said.
Unless a clear segregation is made between their functions, conflict is expected. For instance, one could function at the compliance stage while the other functions at the stage of dispute.
Both experts concurred on the view that the bill leaves a lot unexplained, essentially bringing us back to where we started.