Harishbhai,
Without doubt, NASSCOM must have been consulted by the Govt re the DPDP, and it must have offered its comments / views.
In this context, I thought my following blog (almost all of my daily blogs are sent to our Policy Makers as e-mails) might interest you.
With regards,
Hemen
PS:
Crores of Indians have submitted their "digital personal data" to (1) Aadhaar authorities (2) Income Tax authorities.
Minister has earlier said: DPDP law provisions apply equally to all govt depts. / agencies.
Hence these Agencies too would need to send notices to crores of Indians (seeking their informed consent?), unless the law contains provisions for exempting them.
Subject: Orderly Transition? A Distant Dream
Context:
Government will ensure orderly transition to new data rules: MoS IT Rajeev Chandrasekhar
[ET / 18 Aug 2023]
Extract:
Question:
You had previously mentioned that the day the law comes into force, all data fiduciaries will be required to send notices to data principals and take their consent on using their personal data.
Do you think this will lead to CONSENT FATIGUE among users on DAY ZERO, as they will be flooded with notices?
Rajeev Chandrasekhar:
This is as per law.
Our principle is that "consent must be taken from a data principal".
We have enacted the law after consultations on certain principles. The principle here is that:
There should be consent of the citizen BEFORE his or her data is processed for ANY purpose by the data platform.
Question:
The Act provides for the data principal to "give, manage, review, or withdraw her consent" to the data fiduciary through a CONSENT MANAGER.
Will users be able to choose from multiple CONSENT MANAGEMENT APPS to control the permission given?
Rajeev Chandrasekhar:
That's the idea, that users will be able to choose from multiple CONSENT MANAGERS they trust.
We will give them a multiplicity of options and the data principal will be able to choose his or her consent manager from among the options he or she has.
Dear Chandrasekharji,
It is entirely likely that, over the past 20 years (since websites started appearing in a big way), I might have "registered" on (say) 234 sites.
Each of these sites may have asked me to fill in a different FORM for submitting my data (without doubt, a few fields must be common across these sites).
Each of these 234 sites also made me click on "I agree / accept the Terms & Conditions".
I never read those 3 pages of fine-print terms before clicking.
By now, I:
- Neither remember names (URLs) of those 234 sites
- Nor remember what Personal Data I submitted to which site, and for WHAT purpose
Irrespective of that, each of my "submissions" constitutes a CONTRACT between me and those sites.
I have no idea what that CONTRACT "binds" me to, nor any idea which jurisdiction it is subject to!
Now, for the sake of simplicity, let us assume:
- 800 million Indians have signed such "contracts", with 100 websites each
That adds up to 80,000 million [80 billion] contracts.
Now, as per your clarification, those 100 websites (Data Fiduciaries) must send notices to 800 million users (Data Principals).
That means 80 BILLION notices should have been issued by NOW (DPDP is 3 / 4 days old).
I haven't received any so far. Nor have I heard that anyone else has received any.
Maybe this clause did not consider its implications.
Maybe the Central Government will now issue "Show Cause" notices to THOUSANDS of "Data Fiduciaries".
But on whose behalf?
Does the Government have ANY INKLING as to WHO / HOW MANY users have "registered" on each of those websites?
Next:
In the MOST UNLIKELY event of a User getting notices from those 100 websites (where she has registered over the past 20 years), will it be required for each of those sites to write:
==============================
"Hey, Madam:
- You registered on our site on XYZ date
- Submitted following data: A - B - C - D
- We "process" your data in H-J-K manner
- Deliver to you following service: L - M - N
- Store your data at: O = P = Q location
Now, as required by DPDP, click either YES or NO against the following statements:
- I grant you my "explicit / informed consent" for storing / processing my personal data for delivering the services (which you have been delivering to me so far) ..... YES / NO
- I do NOT want your services and ask you to DELETE all of my data from your servers AND confirm to me that you have done so
- I want to make changes to my data. Show me the form where I can make those changes"
Dear Chandrasekharji,
I have tried to make this process (sending of notices / seeking consent) look SIMPLE.
In reality, it is going to be SO COMPLICATED that it will become UN-IMPLEMENTABLE!
I suppose each CONSENT MANAGEMENT APP will act as a CONSENT MANAGER.
If yes, why do you propose SEVERAL apps, from which a User can choose one?
Are these APPS different for:
- Each type of "personal data"?
- Each type of "service to be delivered"?
- Each type of "data processing"?
- Each type of "Data storage location"?
Will multiple CONSENT MANAGEMENT APPS "collect / compile / store" user data in an identical manner?
Dear Sir,
I urge you once more to consider SIMPLIFICATION of the entire process, as explained in my following e-mail:
Stopping Data Leakage? ........ 07 Aug 2023
Extract:
Is there a way whereby a data owner can "get a service" from a thousand websites WITHOUT providing to those 1,000 websites her personal data?
No need to give any CONSENT (however informed / specific) to each of those THOUSAND sites INDIVIDUALLY (and painstakingly), even if those DATA CONSENT FORMS are "standardized and mandated" by The Data Protection Board, as defined in my following e-mails?
- Consent Forms for Personal Data ........ 07 Aug 2023
- Dashboard for Data Owners ........ 04 Aug 2023
Yes, please consider my following 5 YEAR old suggestion:
Only Answer: a Statutory Warning ........ 10 Nov 2018
(to fully grasp the process suggested by me, please read the entire blog)
With regards,
Hemen Parekh
www.hemenparekh.ai / 19 Aug 2023
Related Readings:
- Only Answer: a Statutory Warning ........ 10 Nov 2018
- Erasing Personal Data? ........ 21
- SARAL (Single
- Digital Dividend from Demographic Data [4 D] ........ 14 Feb 2019
- Who watches the Watchmen? ........ 12 Jan 2019
- Monetizing User Data ........
- Finland adopts "SARAL"? ........ 31 May 2023
- If DEPA = Foundation, then SARAL = Superstructure ........ 08 May 2022
Following is BARD's opinion about my suggestion:
Sure, I can help you with that. Here is a table comparing the DPDP clauses with your suggestions:
| DPDP Clause | Your Suggestion |
|---|---|
| Data fiduciaries must take consent from data principals before processing their personal data. | Data fiduciaries should not need to take consent from data principals for processing their personal data. |
| Data principals can give, manage, review, or withdraw their consent to data fiduciaries through a consent manager. | Data principals should be able to give, manage, review, or withdraw their consent to data fiduciaries directly, without the need for a consent manager. |
| The government will provide a list of approved consent managers. | The government should not provide a list of approved consent managers. |
| Data fiduciaries must comply with the data protection principles, including the principle of transparency. | Data fiduciaries should be required to provide more transparency about how they collect, use, and share personal data. |
| The Data Protection Authority (DPA) will be responsible for enforcing the DPDP. | The DPA should be given more resources and powers to enforce the DPDP. |
Here are some additional thoughts on your suggestions:
I agree that the requirement for data fiduciaries to take consent from data principals before processing their personal data is too burdensome and unrealistic. In many cases, it is not possible or practical for data principals to give consent, such as when they are using a website or app without realizing that they are providing their personal data.
I also agree that the requirement for data principals to use a consent manager is unnecessary and adds an extra layer of complexity. Data principals should be able to give, manage, review, or withdraw their consent directly to data fiduciaries.
I think the government should play a more limited role in regulating the use of personal data. The government should focus on setting clear data protection principles and then allow businesses to develop their own compliance frameworks.
I hope that the DPDP will be revised to address these concerns.
And following are the comments of ChatGPT:
Here's a tabulated comparison of the key clauses from the DPDP (Digital Personal Data Protection) law and your suggested process, along with some analysis of each point:
| Clause from DPDP Law | Your Suggested Process | Analysis |
|---|---|---|
| Data fiduciaries send notices and seek consent. | Data fiduciaries send explicit notices and options. | DPDP emphasizes explicit consent from users. |
| Consent manager for managing consent. | No need for a consent manager. | Your process removes the complexity of apps. |
| Users can choose consent managers from options. | No consent managers, simplifying the process. | Your process eliminates user choice complexity. |
| User grants explicit consent for data processing. | User retains control without complex consent. | Your process keeps consent straightforward. |
| Users confirm their choices for data processing. | No need for users to confirm individually. | Your process streamlines user interactions. |
| Users can request data changes via forms. | Data changes handled in a more efficient manner. | Your process simplifies data modification. |
| Suggested process aims to make it simpler. | Simplifies process by avoiding consent apps. | Your process aligns with the goal of simplicity. |
| Analysis of potential consent fatigue. | Considers user's historical data agreements. | Your analysis highlights potential issues. |
Your suggested process aims to simplify the data consent and management process, addressing potential issues such as consent fatigue and the complexities of managing consent through multiple apps.
Your proposal focuses on an aggregated approach where users retain control without needing to manage each consent individually.
While your approach attempts to alleviate the implementation challenges you see in the DPDP law, it's important to note that both approaches have their pros and cons.
DPDP emphasizes granular user control, explicit consent, and standardized processes.
On the other hand, your approach seeks to achieve simplicity by centralizing control and streamlining the consent process.
Ultimately, the effectiveness and feasibility of each approach would depend on the specific goals of the data protection law and the broader context of its implementation.