The Role of a Consent Manager under DPDPA 2023

Today I received a query on DPDPA 2023 on LinkedIn. Since this could be interesting for others as well, I thought of answering it here in detail.

The query was:

“I want your insight on how the relationship between data fiduciary, consent manager and data principal would prevail (how is the consent manager approached and by whom) under the DPDP Act, 2023?”

The short answer to the above is that the Consent Manager is also a data fiduciary and provides certain services related to “Giving”, “Managing”, “Reviewing” and “Withdrawing” of consent on behalf of the data principal to the principal data fiduciary. We may consider him a “Joint Data Fiduciary”. To the data principal he is an agent. Ideally he is approached by the data principal for the services. The data fiduciary is only the user of the services rendered by the consent manager on behalf of a data principal. The Consent Manager is neither an agent nor an employee of the Principal Data Fiduciary.

However, in view of the confusion that prevails in the community and my own disagreement with the interpretation of the MeitY itself on this aspect, I would like to expand my answer and invite a debate. I also invite the MeitY to consider these views and make necessary corrections in the rules to justify their current interpretation.

P.S.: I think this is a moment similar to my jurisprudential interpretation of Section 65B of the Indian Evidence Act when ITA 2000 was introduced, where for 14 years I held and justified a contrarian opinion to the community until it was validated by the Supreme Court judgement in P V Anvar vs P K Basheer. My views expressed here, as well as earlier, on the status of the Consent Manager may be validated some time in the future, or DPDPA 2023 may be amended to prove my interpretation wrong.

Roles of different entities

DPDPA 2023 has indicated the roles of Data Fiduciary (including Significant Data Fiduciary), Data Processor and Consent Manager for entities besides “Data Principal”.

Data Principal is always an individual whose personally identifiable digital data is the subject matter of collection, processing, transmission, disclosure and destruction in India or in connection with offer of services to individuals in India. Out of such data, data publicly made available by the Data Principal or caused to be made publicly available by authorities under law as well as data used by an individual for personal and domestic purposes are outside the scope of the other regulatory restrictions. In many other contexts, personal data is selectively exempted from some or all the provisions of the Act.

Data Fiduciary is the entity (including an individual processing personal data for business purposes) who determines the purpose and means of processing of personal data. He may act individually or in conjunction with another (whom we refer to as a Joint Data Fiduciary). Naavi also uses the term “Super Data Fiduciary” when a data fiduciary lends his name for the collection and processing of personal data but permits an agent to determine the purpose and means of processing, as in the case of “Brands”.

Data Processor is the entity who does not determine the purpose and means of processing but processes the DPDPA protected data (DPD) on behalf of another data fiduciary who undertakes the responsibility for compliance.

Processing may happen in India or outside India. When personal data belongs to non-Indians and is processed in India under a contract with an entity outside India, DPDPA exempts such data from the operation of DPDPA to some extent.

Consent Manager is a special kind of data fiduciary who determines the purpose and means of processing of data as a representative of a data principal in transactions with the other data fiduciaries who use the personal data of the data principal.

The data principal needs to maintain an account with the Consent Manager and provide him the authority to give, manage, review or withdraw consent.

A Consent Manager has to be pre-registered with the Data Protection Board and will be accredited based on certain eligibility criteria and accepted obligations, duly audited and certified. This means that the Consent Manager is approached by the data principal for an account even before he approaches a data fiduciary for a service for which he may use the services of the Consent Manager to “give” his personal information. It is possible that a data principal might have already opened a service account with a data fiduciary and later becomes a customer of a consent manager, in which case the prospective aspects of “Giving further consent” and “Managing, monitoring, reviewing or withdrawing” further consent may be routed by the data principal through the consent manager.

The above is a jurisprudential interpretation of DPDPA 2023 as it exists today and may be interpreted (or should be interpreted) by Courts in future.

Under our interpretation of the law, Consent Manager is an entity which is empowered like a Power of Attorney holder by the Data Principal to not only “Give” consent for data requested by a data fiduciary but also “Review” and “Monitor” the data given. Review and Monitoring may include withdrawing consent if required. Whether the Consent Manager is expected to only observe and inform the Data Principal for seeking further instructions or can act on his own is a matter of conjecture.

Visibility of Data

Our interpretation is that he should be considered as a “Data Fiduciary” since he determines the purpose and means of use of personal data under his authority to give, monitor, review and withdraw consent. As a Data Fiduciary he is obliged to ensure compliance of DPDPA 2023 which includes section 4(1) and 8(1) under which he is obligated to ensure that personal data is processed only for lawful purposes and in accordance with the provisions of DPDPA 2023.

To fulfil this duty, Consent manager requires “Visibility” to the data that is processed by a data fiduciary to whom consent is passed on by the Consent Manager.

The Data Fiduciary needs to enable his “consent acceptance mechanism” to accept instructions from a Consent Manager on behalf of a data principal. This means that the consent form should have an option to select provision of the details through the consent manager (similar to, but not equivalent to, completing the form through Google or Facebook). When the data principal chooses this option, the requested data elements would be populated by the query processed by the Consent Manager, so that when the form is submitted it carries the validation from the data principal.

Alternatively, the data may be consumed without being displayed on the form, in which case there will be no validation by the data principal to the data fiduciary, and he needs to depend on the deemed validation from the consent manager, who himself is blind to the data.

Currently MeitY has implied in its draft rules that this obligation of a consent manager can be fulfilled without visibility of the data elements, similar to the status of “Account Aggregators” under the DEPA architecture. Many technology firms think that they have products to support this “Data Blind” consent provision.

In our considered view, this interpretation is incorrect, since the responsibilities of a Consent Manager include “Review”, “Monitoring” and “Withdrawal of consent”. These responsibilities require visibility of the data by the Consent Manager.

It is agreed that in the “Data Blind” architecture each decision is conveyed by the Consent Manager to the data principal and his concurrence obtained. This means that the data principal, while seeking the service and sitting in front of the consent form presented by the data fiduciary, has to provide consent on pop-ups that may come concurrently from the Consent Manager, who will be scouting for authorised sources from which the different data elements can be sourced.

If the Consent Manager does not have reference data resources previously approved by the data principal, or if the data principal has approved more than one data resource and the data do not synchronize or are incorrect, he will have to admit that some data elements are to be separately collected by the data fiduciary directly from the data principal.

The law envisaged the Consent Manager as an expert who can act as an advisor to the data principal to manage the processing of personal data by a data fiduciary and prevent misuse of data, whether by collecting or processing it under a misrepresentation. He could understand the privacy notice better, compare it with the needs of the processing, and contest it if the data fiduciary exceeds his authority.

In our view, MeitY has diluted this provision and rendered the Consent Manager a worthless burden on the system, who only acts under the instructions of the data principal and every time acts as a post office sending and receiving instructions from him without the ability to assist him. Unless MeitY changes its view while notifying the rules, there is no useful role for a “Consent Manager” in the system.

Consent Manager under this system will be giving a deemed confirmation of data elements about which he himself is blind. It is like a blind man directing a person with normal vision to cross the road.

Some Data Fiduciaries loosely use the term “Consent Manager” even for their own employees or data processors who handle the responsibility of issuing notice and collecting and preserving the consent. This is not a “Consent Manager” under the Act. Even Google verification etc. is not a Consent Manager, since such services are not registered with the DPB for this purpose and have their own vested interest in the data.

There is however a caveat to the above.

The law was framed by MeitY, which is also taking on the responsibility for publishing rules from time to time through gazette notifications. These need to be placed before Parliament and are also subject to the scrutiny of the Courts. What MeitY or any of its authorized officers publish as a notification therefore acquires a quasi-legal status, though it may be held incorrect later when questioned in a Court of law.

At present, there is an indication that MeitY has a view of the role of a Consent Manager which is not correct and which may not be in tune with the legislative intent that can be inferred from the law. (It is open to a Court to read down the law and give an alternate view of the role of a consent manager, as expressed herein.)

The draft rules published for public comments prescribe stringent conditions for accreditation of a Consent Manager, all of which are redundant if a Consent Manager does not have visibility of the data and acts only as a post office. They would be relevant only if the Consent Manager had visibility of the data. Hence MeitY is itself inconsistent in its approach and exhibits confusion.

If MeitY believes that a Consent Manager can function in a “Data Blind” manner, then there is no need to impose conditions equivalent to the “Fit and Proper” criteria adopted for regulated financial entities. The personal data in the custody of the Consent Manager would be only the name, email address and perhaps the phone number of the data principal. Whenever other details are to be transmitted, he is expected to instruct one or more other data suppliers authorized by the data principal. In fact, those data fiduciaries will have access to what data has been requested of the data principal for a new service he is likely to avail. These reference sources are designated by the data principal, and the data with them may itself be unreliable.

When the data fiduciary receives the data through the Consent Manager, if the form is populated in front of the eyes of the data principal for validation, then the same data is visible to the consent manager also. The Consent Manager may, however, avoid visibility if he triggers the transfer of data and immediately disconnects himself so that he does not “View” the completed form. The system can also have the API call for the data fiduciary’s data elements executed below the visible internet environment, like the transmission of an https message. This, however, leaves the data principal at the mercy of technical errors or even man-in-the-middle attacks, since the consent manager does not validate the data.

Hence the “are not readable” clause in the DPDPA Rules is impractical. (Refer to Annexure IB, para 2.)

While we have advocated and continue to advocate that MeitY change this rule related to the Consent Manager, we are not confident that it will be modified. On the other hand, it is likely that the rule related to the Consent Manager may be deferred indefinitely. In the case of Section 65B, it took 14 years for the community to accept my view; in this issue of the role of a consent manager, I anticipate that the law itself may be amended to justify the current stand of MeitY.

I invite detailed debate on this aspect from professionals.

Naavi

Posted in Cyber Law

Should you continue to use Swiggy/Zepto?

Today a friend of mine pointed me to an article on peabea.substack.com indicating how apps installed on our mobile phones spy on what other apps are running on the mobile. He specifically pointed out how the “AndroidManifest.xml” file which he extracted from the Swiggy APK indicated the presence of the following 154 package names, allowing the Swiggy app to query for those apps on the phone.

I have not personally checked the APK file on my mobile. I invite professionals to check the AndroidManifest.xml files of different apps and try to establish why Swiggy should need to know whether the Naukri app or the Decathlon app is on my mobile.
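For readers who take up that invitation, the check is mechanical: on Android 11 and later an app must list, in the manifest’s `<queries>` element, the packages and intents it wants to be able to see, or hold the broad `android.permission.QUERY_ALL_PACKAGES` permission. The following Python script is an added example written for this post (it is not from the Substack article and the manifest it parses is a constructed sample with placeholder package names, not Swiggy’s); it pulls those declarations out of a decoded AndroidManifest.xml and flags the ones an auditor would want the app owner to justify against its stated purpose.

```python
"""Audit a decoded AndroidManifest.xml for package-visibility declarations.

Added example: the manifest below is constructed with placeholder package
names and is not the manifest of any real app. The QUERY_ALL_PACKAGES
permission and the <queries>/<package>/<intent> elements are real Android
manifest features; everything else (names, threshold) is illustrative.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
QUERY_ALL = "android.permission.QUERY_ALL_PACKAGES"

# Constructed sample manifest (placeholder package names).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fooddelivery">
    <uses-permission android:name="android.permission.INTERNET"/>
    <queries>
        <package android:name="com.example.jobs"/>
        <package android:name="com.example.sportsretail"/>
        <package android:name="com.example.wallet"/>
        <intent>
            <action android:name="android.intent.action.VIEW"/>
            <data android:scheme="https"/>
        </intent>
    </queries>
</manifest>
"""


def audit_package_visibility(manifest_xml: str) -> dict:
    """Return what the manifest declares about visibility of other apps."""
    root = ET.fromstring(manifest_xml)
    queries = root.findall("queries")
    # Explicit package names the app asks to be able to detect.
    packages = [
        pkg.get(NAME_ATTR)
        for q in queries
        for pkg in q.findall("package")
        if pkg.get(NAME_ATTR)
    ]
    # Intent-based queries reveal apps by capability rather than by name.
    intent_queries = sum(len(q.findall("intent")) for q in queries)
    permissions = {p.get(NAME_ATTR) for p in root.findall("uses-permission")}
    return {
        "package": root.get("package"),
        "queried_packages": packages,
        "intent_queries": intent_queries,
        "query_all_packages": QUERY_ALL in permissions,
    }


def visibility_findings(report: dict, threshold: int = 10) -> list:
    """Turn the report into reviewer findings; threshold is an arbitrary cut-off."""
    findings = []
    if report["query_all_packages"]:
        findings.append("declares QUERY_ALL_PACKAGES: can enumerate every installed app")
    count = len(report["queried_packages"])
    if count > threshold:
        findings.append(f"queries {count} named packages (threshold {threshold})")
    return findings


if __name__ == "__main__":
    rep = audit_package_visibility(SAMPLE_MANIFEST)
    print(rep["package"], "queries", len(rep["queried_packages"]), "packages")
    for pkg in rep["queried_packages"]:
        print("  ", pkg)
    for finding in visibility_findings(rep, threshold=2):
        print("FINDING:", finding)
```

The manifest inside an APK is stored in a binary form, so it must be decoded first (for example with apktool) before being fed to `audit_package_visibility`. A long list of named packages, or the QUERY_ALL_PACKAGES permission, is exactly the kind of “purpose-based collection” question this post asks the app owners to answer.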

If the above observation is correct, then there is a need for us to keep such apps on privacy watch so that we can raise the issue with DPB when it is in place.

I also want to know whether any of the apps present in the list above have permitted Swiggy to extract any information about the activities of their apps. Also, if Swiggy or other apps like Zepto quoted in the article have any counter view, we request them to respond.

The article also points out that one of the loan apps, namely Kreditbee, watches 860 apps on a mobile.

It is obvious that these apps are developed with no concern for “Purpose Based Information Collection”, and each of these companies could face a penalty of Rs 250 crore plus from the DPB, enriching the consolidated fund of India.

I invite the attention of Mrs Nirmala Sitharaman to take this revenue potential into consideration and push MeitY to establish the DPB without further delay, so that it can start sending out inquiry notices to all these apps.

I welcome your views.

Naavi

Posted in Cyber Law

AI Chair of FDPPI to undertake Development of a DPDPA Compliance solution based on DGPSI

The AI Chair of FDPPI has already announced one project on studying the “Impact of AI on the mental health of Children”. We are in the process of creating a planning committee with representation from different segments such as AI specialists, neuroscience specialists, child psychologists and privacy specialists to take the plan ahead.

A second project, which is more related to technology, is also being planned: the development of a DPDPA compliance solution based on DGPSI.

We shall constitute a separate Project committee for this project based on volunteers.

Naavi

Posted in Cyber Law

Press Club of India preparing to fight the Government on DPDPA 2023

It is reported that the Press Club of India has called a meeting of like-minded organizations in Delhi on April 21 to express their concern about DPDPA 2023.

It appears that the objective of the meeting is to raise objections to DPDPA 2023 and seek deferment of its implementation on some ground or the other. Probably they would cite Section 44(3), the amendment proposed to the RTI Act providing that “Disclosure of information is subject to the protection of the Right to Privacy” of an individual.

Notwithstanding the interpretations provided by the journalists, it appears that the meeting has been inspired by the George Soros club of paid journalists interested in delaying the implementation of DPDPA 2023.

The meeting is organized as a physical meeting in Delhi, and hence participation would be limited to the Delhi group of journalists.

Let us watch and see what this meeting proposes. It would be better if they webcast the meeting live so that all of us can at least view the proceedings.

Naavi

Posted in Cyber Law

Impact of AI learning on Children’s Mental health

Society is discussing the impact of AI on the professional front, such as whether it will replace jobs, if so what kind of jobs, and how we should brace for the impact. Organizations have already realized that the days of having software developers who have coding skills only are over.

Today software coding has been largely taken over by AI, and the surviving software engineers are only those who have demonstrated their ability to use AI to generate code. At the ground level the number of employees will dwindle and soon become negligible. The day AI takes over many tasks in advertising and marketing is not far behind.

In the field of finance, operations are already automated to the extent that we are totally dependent on software for every aspect of finance. AI can only worsen things. We are already seeing this in the banks, where we have “Zombies” as counter clerks who know nothing but pushing keys on the keyboard and know little of banking.

Legal research is the domain of AI, and lawyers feel comfortable using AI to draft petitions and prepare argumentative notes. Teachers will soon have to shift to teaching AI, as everything else will be taken over by AI.

While these developments are easy to recognize, what has not yet caught attention is the psychological impact of AI development on humans, particularly on the development of the human brain.

We have discussed the concepts of “AI Cult Syndrome”, “Cyber hypnotism”, the “Impact of Binaural Beats” and the need for “neuro rights protection” at different points of time on this website. (Please check with Vishy for more information.) Now it is time to also discuss the impact of AI on human brains, and more particularly on the “Developing Brains” of children.

As humans make AI more and more intelligent, will AI make humans more and more zombies with no independent thinking ability? We are aware that our memory power has been adversely affected by the increased use of computing devices with search assistance. (e.g., we cannot remember phone numbers as we used to a few years back and want our phones to remember them; we cannot remember street maps mentally and want Google Maps.) Now, as we start using AI to think for us, there is a real danger of us as humans using less and less of the core abilities of the brain and gradually degrading them to the status of “Let me ask my AI Assistant”. Where to draw the boundaries for the “Assistant” and retain our own native intelligence will be a challenge.

To this, I am adding a new dimension: the “Impact of AI learning on children’s mental development”. As we started teaching mobiles and computers to children we saw the growth of “Addiction”. We have seen the behaviour of children today who cannot eat without watching cartoons on the mobile. Experts recognize that this is due to chemical changes induced in the brain as a result of their experiences on the screen. This is leading to a mental health issue which we today club under the single category of “Addiction”.

Psychologists observe the following:

1. The dopamine feedback loop created by screen use is a key neural mechanism underlying this addiction-like behavior.

2. Excessive screen time during critical periods of brain development can alter the structure, function, and connectivity of neural circuits, especially those involved in reward processing and impulse control.

3. There is emerging evidence that screen dependency disorders (SDDs) in children are associated with changes in neural tissue and function, and may even influence gene expression related to brain development.

4. Children’s brains are more plastic and vulnerable than adults’, making them more susceptible to these changes.

5. Some children may have genetic predispositions (such as certain dopamine receptor variants) that make them more vulnerable to developing screen dependency and related behavioral issues.

6. Dopamine release from screen use mimics the reward pathways activated by addictive substances, reinforcing screen-seeking behaviors.

7. Structural and functional brain changes can occur with excessive screen use, particularly in developing brains, potentially leading to long-term issues with impulse control, attention, and emotional regulation.

8. Behavioral patterns such as needing screens to eat are reinforced by habit and the strong association between digital content and pleasurable experiences.

9. Physical and mental health consequences include disrupted sleep, increased sedentary behavior, unhealthy eating habits, and higher risk of anxiety and depression.

10. Limiting screen time and encouraging screen-free mealtimes are important steps to protect children’s neurological and overall health.

In this context, when we start teaching AI skills to children, whether through gamification or otherwise, it is not clear what the impact would be on human brain development at an early age.

The AI Chair of FDPPI would like to take this up as a project and start gathering information on this critical subject. We also invite large corporations to sponsor research in this area, and some academic institution could take it up as its project. FDPPI’s AI Chair would like to assist in such a project.

We look forward to receiving public comments on this proposition.

Naavi

Posted in Cyber Law

Setting up an “AI Chair” at FDPPI

Naavi.org is pleased to announce that it has proposed the setting up of an academic chair on AI in association with FDPPI. The activities will involve the effective application of AI in the field of privacy and data protection.

A note on the proposal is available here: Note on proposed FDPPI Chair. A research report on the status of AI in India as gathered from public resources is also enclosed for information.

In the light of these developments, Ujvala Consultants Pvt Ltd, which is already a patron member of FDPPI, and Naavi have proposed setting up an Academic Chair in FDPPI to focus on activities related to AI in privacy in particular.

The Chair will undertake research and analysis, create awareness and education, and engage in policy advocacy. It will also establish collaboration with other academic organizations, NGOs and like-minded individuals and business entities.

The Chair may engage in activities such as webinars, workshops, training sessions and the publication of reports as may be required.

The “AI Chair” will be led by Naavi, who will be paid an honorarium by Ujvala Consultants Pvt Ltd. The Chair will also welcome further funding support from other organizations as may be required on a case-to-case basis.

You may watch out for more information on this project and volunteer to contribute to it.

As a part of this project, Naavi.org has introduced an AI Assistant, “Vishy”, to assist Naavi as we go forward. Since the entire activities of the Chair at present will be virtual, Vishy will also be a “Virtual Assistant to Naavi”. Vishy is today a supporting assistant to Naavi and may eventually grow into a sophisticated independent AI agent by himself. A part of Vishy is available in the “Perplexity site search” facility already available at www.naavi.org. I look forward to the support of AI start-ups, particularly those in Bengaluru, in this endeavour.

Naavi

Posted in Cyber Law