Most assumed that the manager who consists of the consent provided by the data principal (for whom to person is related to individual data) in the ways in which data can be used.
Also read: Mint Interpreters: Digital Personal Data Protection Act, its rules and obstacles
With great laws like Europe’s general data protection regulation in force, institutions around the world have helped data fedus (institutions determining the objectives and institutions determining the objectives of personal data processing) to manage that consent) , Which they need to operate. Most international websites rely on these institutions to not only record your agreement with their privacy policy terms, but also provide you dashboard to manage cookies and enable information.
In January this, India’s draft DPDP rules were issued for public consultation, finally clarifying what the government had. It has now become clear that under the DPDP Act, consent managers have much more than only to give consent in ways in which personal data can be used.
They will also have to install a digital architecture to facilitate data transfer between data fedusis, while ensuring that the inherent information is protected in a way to suit the design of India’s digital public infrastructure.
Also read: India’s drive to make digital public infrastructure global: Time to take stock
Under Rule 4 of DPDP Rules, a consent manager must set an interopeable platform, on which the data principal can consent, manage, review, review it in accordance with the prescribed data safety standards.
This platform must facilitate data portability, either directly from the data principal (or you user) to the unit requesting or from the data fiducker who maintains personal data for you for that unit. Some images are provided in the rules to explain how all this will work.
The first refers to a situation where a given data seeks access to fidal individual data that the data principal has stored in the digital locker system (eg, says, India’s Digilokar Wallet). In this case, the role of the consenting manager will be to forward data-access request for you, and, with your consent, enable the access to the data feduries up to personal data in your digital locker.
The second depiction refers to personal data that is currently under the control of a data fiducker (a bank) that wants to use another data fiducker (a new lender). In this example, the lender sends a request to the consent manager for the data that then forwards you the data principal. If the data principal agrees to give the new lender access to his personal data, the consent manager tells the data-holding bank to the consent, instructing that he provides access to personal data to the other lender.
Also read: India’s Digital Data Protection Rules: A Story of Hits and Mrs.
From these illustrations (and Rule 4), it is clear that consent managers will have to keep in digital data portability infrastructure that will unlock the sharing of personal data from one digital store to another, so that it is used for a wide range of use Can go Case. Described in this way, consent managers under the DPDP Act are expected to perform separate data portability services from those introduced by account agangers in the financial sector.
To underline this point, the rules determine that all data sharing facilitated by a consent manager should be in such a way that this manager should not see the content of the data package being transferred.
For data transfer, this data-blind approach is one of the primary features of the account agetger system and is introduced in a direct context of that architecture. All of which suggest that the government will only allow institutions such as account aggregators to register as consent managers under the new privacy law.
Also read: India’s drive to make digital public infrastructure global: Time to take stock
India’s data empowerment and conservation architecture (DPA), on which account aggregator system is often referred to as a digital consent management structure. I have long opposed the characteristics on the basis that Depp does much more than managing consent. Even if it uses a digital consent artifact to obtain consent for data transfer, DEPA enables data portability. Calling it just a digital consent management structure reduces all that stands for it.
This is the context of colloquial this of Depa that has somehow found its way in the DPDP Act.
In an attempt to provide legal validity to the DEPA framework, the government put a reference to the consent managers in the Act, realizing that in the world of data security, the term has a very different meaning.
When the data businesses saw the word in the DPDP Act, many of them came to fully accompany the new business Prasad to qualify for registration under the Act. The illusion is now kept to relax from the rules that clarify that the word ‘consent manager’ is a reference to and how the government intends to regulate these managers.
I am glad that the DPDP Act values technical-legal solutions that have been made possible by India’s digital public infrastructure. With the service of new law as a regulatory structure for our digital data portability architecture, data sharing can be not only within the financial sector of the economy, but in all areas that have implemented DEPA.
The author is a partner in Tillgal and the author of ‘The Third Way: India’s Revolutionary Approach to Data Governance’. His X handle is @matthan.