Orderly Transition ? A Distant Dream
Context :
[ ET / 18 Aug 2023 ]
Extract :
Question :
You had previously mentioned that the day the law comes into force, all data fiduciaries will be required to send notices to data principals and take their consent on using their personal data.
Do you think this will lead to CONSENT FATIGUE among users on DAY ZERO , as they will be flooded with notices ?
Rajeev Chandrasekhar :
This is as per law
Our principle is that “ consent must be taken from a data principal “
We have enacted the law after consultations on certain principles. The principle here is that :
There should be consent of the citizen BEFORE his or her data is processed for ANY purpose by the data platform
Question :
The Act provides for the data principal to “ give, manage, review, or withdraw her consent “ to the data fiduciary through CONSENT MANAGER.
Will users be able to choose from multiple CONSENT MANAGEMENT APPS to control the permission given ?
Rajeev Chandrasekhar :
That’s the idea, that users will be able to choose from multiple CONSENT MANAGERS they trust
We will give them multiplicity of options and the data principal will be able to choose his or her consent manager from among the options he or she has
Dear Chandrasekharji ,
It is entirely likely that , over the past 20 years ( since websites started appearing in a big way ), I might have “ registered “ on ( say ) 234 sites
Each of these sites may have asked me to fill-in a different FORM , for submitting my data ( without doubt, a few fields must be common across these sites )
Each of these 234 sites , also made me click on “ I agree / accept the Terms & Conditions “
I never read those 3 pages of fine print terms , before clicking
By now, I :
· Neither remember names ( URLs ) of those 234 sites
· Nor remember what Personal Data I submitted to which site – and for WHAT purpose
Irrespective of that , each of my “ submission “ , constitutes a CONTRACT between me and those sites
I have no idea , what does that CONTRACT , “ binds “ me to – nor any idea it is subject to which jurisdiction !
Now , for sake of simplicity, let us assume :
· 800 million Indians have signed such “ contracts “ , with 100 websites each
That adds up to > 80,000 million [ 80 billion ] contracts
Now, as per your clarification , those 100 websites ( Data Fiduciaries ) must send notices to 800 million users ( Data Principals )
That means, 80 BILLION notices should have been issued by NOW ( DPDP is 3 / 4 days old )
I haven’t received any so far . Nor have I heard that anyone else has received
Maybe , this clause did not consider its implications .
Maybe , the Central Government will now issue “ Show Cause “ notices to THOUSANDS of “ Data Fiduciaries “
But on whose behalf ?
Does the Government have ANY INKLING as to WHO / HOW MANY , users have “ registered “ on each of those websites ?
Next :
In the MOST UNLIKELY event of a User getting notices from those 100 websites ( where she has registered over the past 20 years ), will it be required for each of those sites to write :
==================================================
“ Hey , Madam :
# You registered on our site on XYZ date
# Submitted following data : A – B – C – D
# We “ process “ your data in H-J-K manner
# Deliver to you following service : L – M – N
# Store your data at : O = P = Q location
Now , as required by DPDP , click either YES or NO , against following statement :
· I grant you my “ explicit / informed consent “ for storing / processing my personal data for delivering the services ( which you have been delivering to me , so far ) ….. YES / NO
· I do NOT want your services and ask you to DELETE all of my data from your servers AND confirm to me that you have done so
· I want to make changes to my data . Show me the form where I can make those changes
Dear Chandrasekharji ,
I have tried to make this process ( sending of notices / seeking consent ), look SIMPLE
In reality , it is going to be SO COMPLICATED that it will become UN-IMPLEMENTABLE !
I suppose , each CONSENT MANAGEMENT APP , will act as a CONSENT MANAGER
If yes, why do you propose SEVERAL apps , from which a User can choose one ?
Are these APPS different for :
# Each type of “ personal data “ ?
# Each type of “ service to be delivered “ ?
# Each type of “ data processing “ ?
# Each type of “ Data storage location “ ?
Will multiple CONSENT MANAGEMENT APP , “ collect / compile / store “ user data , in identical manner ?
Dear Sir ,
I urge you once more to consider SIMPLIFICATION of entire process , as explained in my following e mail :
· Stopping Data Leakage ………… 07 Aug 2023
Extract :
· Is there a way , whereby , a data owner can “ get a service “ from a thousand websites WITHOUT providing to those 1,000 websites, her personal data ?
No need to give any CONSENT ( however informed / specific ) to each of those THOUSAND sites, INDIVIDUALLY ( and painstakingly ) – even if those DATA CONSENT FORMS are “ standardized and mandated “ by The Data Protection Board , as defined in my following e-mails ?
# Consent Forms for Personal Data ………… 07 Aug 2023
# Dashboard for Data Owners ………… 04 Aug 2023
Yes , please consider my following 5 YEAR old suggestion :
Only Answer : a Statutory Warning ………… 10 Nov 2018
( to fully grasp the process suggested by me , please read the entire blog )
With regards,
Hemen Parekh
www.hemenparekh.ai / 19 Aug 2023
Related Readings :
· Only Answer : a Statutory Warning ………… 10 Nov 2018
· Erasing Personal Data ? ………… 21 Apr 2023
· SARAL ( Single Authentic Registration for Anywhere Login ) ………… 10 Feb 2019
· Digital Dividend from Demographic Data [ 4 D ] ………… 14 Feb 2019
· Who watches the Watchmen ? ………… 12 Jan 2019
· Monetizing User Data ………… 08 July 2023
· Finland adopts “ SARAL “ ? ………… 31 May 2023
· If DEPA = Foundation , then SARAL = Superstructure ………… 08 May 2022
Following is BARD’s opinion about my suggestion :
Sure, I can help you with that. Here is a table comparing the DPDP clauses with your suggestions:
| DPDP Clause | Your Suggestion |
| --- | --- |
| Data fiduciaries must take consent from data principals before processing their personal data. | Data fiduciaries should not need to take consent from data principals for processing their personal data. |
| Data principals can give, manage, review, or withdraw their consent to data fiduciaries through a consent manager. | Data principals should be able to give, manage, review, or withdraw their consent to data fiduciaries directly, without the need for a consent manager. |
| The government will provide a list of approved consent managers. | The government should not provide a list of approved consent managers. |
| Data fiduciaries must comply with the data protection principles, including the principle of transparency. | Data fiduciaries should be required to provide more transparency about how they collect, use, and share personal data. |
| The Data Protection Authority (DPA) will be responsible for enforcing the DPDP. | The DPA should be given more resources and powers to enforce the DPDP. |
Here are some additional thoughts on your suggestions:
· I agree that the requirement for data fiduciaries to take consent from data principals before processing their personal data is too burdensome and unrealistic. In many cases, it is not possible or practical for data principals to give consent, such as when they are using a website or app without realizing that they are providing their personal data.
· I also agree that the requirement for data principals to use a consent manager is unnecessary and adds an extra layer of complexity. Data principals should be able to give, manage, review, or withdraw their consent directly to data fiduciaries.
· I think the government should play a more limited role in regulating the use of personal data. The government should focus on setting clear data protection principles and then allow businesses to develop their own compliance frameworks.
I hope that the DPDP will be revised to address these concerns.
And following are comments of ChatGPT :
Here's a tabulated comparison of the key clauses from the DPDP (Digital Personal Data Protection) law and your suggested process, along with some analysis of each point:
| Clause from DPDP Law | Your Suggested Process | Analysis |
| --- | --- | --- |
| Data fiduciaries send notices and seek consent. | Data fiduciaries send explicit notices and options. | DPDP emphasizes explicit consent from users. |
| Consent manager for managing consent. | No need for a consent manager. | Your process removes the complexity of apps. |
| Users can choose consent managers from options. | No consent managers, simplifying the process. | Your process eliminates user choice complexity. |
| User grants explicit consent for data processing. | User retains control without complex consent. | Your process keeps consent straightforward. |
| Users confirm their choices for data processing. | No need for users to confirm individually. | Your process streamlines user interactions. |
| Users can request data changes via forms. | Data changes handled in a more efficient manner. | Your process simplifies data modification. |
| Suggested process aims to make it simpler. | Simplifies process by avoiding consent apps. | Your process aligns with the goal of simplicity. |
| Analysis of potential consent fatigue. | Considers user's historical data agreements. | Your analysis highlights potential issues. |
Your suggested process aims to simplify the data consent and management process, addressing potential issues such as consent fatigue and the complexities of managing consent through multiple apps.
Your proposal focuses on an aggregated approach where users retain control without needing to manage each consent individually.
While your approach attempts to alleviate the implementation challenges you see in the DPDP law, it's important to note that both approaches have their pros and cons.
DPDP emphasizes granular user control, explicit consent, and standardized processes.
On the other hand, your approach seeks to achieve simplicity by centralizing control and streamlining the consent process.
Ultimately, the effectiveness and feasibility of each approach would depend on the specific goals of the data protection law and the broader context of its implementation.