Event Recap: FPF X nasscom Webinar Series – Breaking Down Consent Requirements under India’s DPDPA

Following the enactment of India’s Digital Personal Data Protection Act 2023 (DPDPA), the Future of Privacy Forum (FPF) and nasscom (National Association of Software and Service Companies), India’s largest industry association for the information technology sector, co-hosted a 2-part webinar series focused on the consent-centric regime under the DPDP Act. Spread across two days (November 9, 2023 and January 29, 2024), the webinar series comprised four panels that brought together experts from industry, governments, civil society, and the global data privacy community to share their perspectives on operationalizing consent under the DPDPA. This blog post provides an overview of these discussions. 

Panel 1 – Designing notices and requests for meaningful consent 

The first panel was co-moderated by Bianca Marcu (Policy Manager for Global Privacy, FPF) and Ashish Aggarwal (Vice President for Public Policy, nasscom) They were joined by the following panelists: 

1. Paul Breitbarth, Data Protection Lead, Catawiki & Member of the Data Protection Authority, Jersey.
2. Eduardo Ustaran, Partner, Global Co-Head of Privacy & Cybersecurity, Hogan Lovells.
3. Eunjung Han, Consultant, Rouse, Vietnam.
4. Swati Sinha, APAC, Japan and China Privacy Officer & Senior Counsel, Cisco.

The panel began with a short presentation by Priyanshi Dixit (Senior Policy Associate, nasscom) that introduced the concepts of notice and consent under the DPDPA. During the discussion, panelists emphasized the importance of clear, understandable written notices and discussed other design choices to ensure that consent is “free, specific, informed, unconditional, and unambiguous”. To this end, Swati Sinha highlighted consent notices for different categories of cookies under the EU General Data Protection Regulation (GDPR), and granular notices with separate tick boxes in South Korea and China as examples of how data fiduciaries under the DPDPA could design notices to enable individuals to make informed decisions. However, Swati also stressed that consent forms should not bundle different purposes or come with pre-ticked boxes. Eduardo Ustaran observed that the introduction of strict consent requirements in many new data protection laws internationally has transformed the act of giving consent from a passive action into a more active and affirmative one. Eduardo also stressed the importance of ensuring that consent was clearly and freely given and maintaining clear records. 

Adding to this, Paul Breitbarth suggested that visuals such as videos and images could help make the information in notices more accessible, particularly given that long text-based notices might not be convenient for individuals using mobile devices. Paul used the example of airline safety videos as an effective method for presenting notices, with voiceovers and subtitles to ensure accessibility for a broader audience. However, Paul cautioned that it is always advisable to include written notices alongside such visual representations. 

The panelists also highlighted challenges to relying on consent as a basis for processing personal data, such as varying levels of digital literacy, the risk of “consent fatigue,” and the use of deceptive design choices (such as pre-ticked consent boxes). The discussions therefore considered alternatives to consent under different data protection laws. The panelists highlighted that in Europe, consent is not always the most popular legal basis for processing personal data as under the GDPR consent is one of several equal bases for processing personal data. The panelists also considered that in jurisdictions whose data protection laws emphasize consent over other legal bases, organizations may face difficulties in ensuring that consent is meaningful. Eunjung Han cited Vietnam’s recent Personal Data Protection Decree as an example of a framework that emphasizes consent and could potentially limit businesses’ ability to process personal data for their operations. She also noted that industry stakeholders in Vietnam are engaging in conversations with the government to share global practices where business necessity serves as a legal basis for processing.

Regarding regulatory actions, the panelists noted that regulators initially offer guidance and support to industry but over time, may transition to initiating enforcement actions. As final takeaways, panelists stressed the importance of accountability and emphasized the need to clearly identify usage of personal data, only collect personal data that is necessary for a specific purpose, and adhere to data protection principles. 

Panel 2 – Examining consent and its alternatives

The second panel was co-moderated by Gabriela Zanfir-Fortuna (Vice President for Global Privacy, FPF) and Ashish Aggarwal (Vice President for Public Policy, nasscom). They were joined by the following panelists:

1. Francis Zhang, Deputy Director, Data Policy, PDPC Singapore.
2. Leandro Y. Aguirre, Deputy Privacy Commissioner, Philippines National Privacy Commission.
3. Kazimierz Ujazdowski, Member of Cabinet, European Data Protection Supervisor.

Varun Sen Bahl (Manager, nasscom) set the context for the panel discussion through a brief presentation, outlining various alternatives to consent under the DPDP Act: legitimate uses (section 7) and exemptions (sections 17(1) and 17(2)).

Throughout the discussion, the panelists drew from their experiences with their respective data protection laws: Singapore’s Personal Data Protection Act (PDPA), the Philippines’ Data Privacy Act (DPA), and the EU’s GDPR. In particular, a common experience shared by the three panelists was that they had all faced questions on the interpretation of alternative bases to consent in their respective jurisdictions. They noted that this was an evolving trend and suggested that it would likely extend to India as well. 

Panelists noted that some data protection authorities were proactively promoting alternative legal bases to consent. This need arose because organizations in their jurisdictions were over-relying on consent as the de facto default legal basis for processing personal data, leading to “consent fatigue” for data subjects. For instance, Francis Zhang explained that Singapore amended its PDPA in 2020 to include new alternatives to consent that aim to strike a balance between individual and business interests. 

Gabriela highlighted the similarities between section 15(1) of Singapore’s PDPA and section 7(a) of the DPDP Act. Both provisions allow for consent to be deemed where an individual voluntarily shares their personal data within an organization. In this context, Francis Zhang shared Singapore’s experience with this provision and explained that it was intended to apply in scenarios where consent can be inferred from the individual’s conduct, such as sharing payment details in a transaction or health information during a health check-up.

Reflecting on his experience in Europe, Kazimierz Ujazdowski observed that data protection authorities tend to be reactive as they are constrained by the resources at their disposal. He suggested that Indian regulators could be better prepared than the ones in Europe at the time of the enactment of the GDPR by proactively identifying practices that are likely to adversely affect users. He also highlighted the importance of taking a strategic approach to map areas of risk requiring regulatory attention. Deputy Commissioner Aguirre emphasized the need for India’s Data Protection Board to establish effective mechanisms to offer guidance regarding the interpretation of key legal provisions and how to comply with them. He highlighted that effective communication between regulators and industries was crucial for anticipating lapses and promoting compliance. He also explained that complaints and awareness efforts during the transition period before the Philippines’ DPA took effect helped to refine the Philippines’ data protection legal frameworks.

Panel 3 – Realizing the ‘consent manager’ model

The third panel was focused on the novel concept of consent managers introduced under the DPDPA and was moderated by Malavika Raghavan (Senior Fellow, FPF) and Varun Sen Bahl (nasscom). They were joined by the following panelists:

1. Vikram Pagaria, Joint Director, National Health Authority of India. 
2. Bertram D’Souza, CEO, Protean AA and Convener, AA Steering Committee, Sahamati Foundation. 
3. Malte Beyer-Katzenberger, Policy Officer, European Commission. 
4. Rahul Matthan, Partner – TMT, Trilegal.
5. Ashish Aggarwal, Head of Public Policy, nasscom.

To kick off the discussions, Varun Sen Bahl provided a quick overview of the provisions on “consent managers” under the DPDPA.The law defines a “consent manager” as a legal entity or individual who acts as a single point of contact for data principals (i.e., data subjects) to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform. Consent managers must be registered with the Data Protection Board of India (once established) and will be subject to obligations under forthcoming subordinate legislation to the DPDPA.

As the concept of a consent manager is not found in other legislation in India or internationally, there has been a great deal of speculation as to what form consent managers will take, and what role they will play in India’s technology ecosystem, once the DPDPA and its subordinate legislation are fully implemented. 

The discussion among panelists touched upon the evolving role of consent managers and their potential impact under the DPDPA. 

Rahul Matthan highlighted two concepts from existing consent management frameworks in India: the “account aggregator” framework in the financial sector, and the National Health Authority’s Ayushman Bharat Digital Mission (ABDM) in the health sector that could serve as potential operational models for consent managers under the DPDPA. He also suggested that these initiatives could facilitate data portability, even though the DPDPA does not expressly recognize such a right. He also anticipated that forthcoming subordinate legislation would clarify how these existing initiatives will interface with consent managers under the DPDPA.

Bertram D’Souza and Vikram Pagaria provided background on how these two sectoral initiatives function in India.

Bertram noted that in India’s financial sector, account aggregators currently enable users to manage their consent with over 100 financial institutions, including banks, mutual funds, and pension funds and enable users to manage their consent. Several different account aggregators exist on the market today, but must register with the Reserve Bank of India to obtain an operational license. 

Vikram highlighted how ABDM enables users in the health sector to access their health records and consent to requests from various different entities (such as hospitals, laboratories, clinics, or pharmacies) to access that data. Users can also control the type of health record to be shared and the duration for which the data needs to be shared. Vikram also noted that approximately 500 million individuals have consented to create their Health IDs (Ayushman Bharat Health Account), with around 300 million health records linked to these IDs.

Malte Beyer-Katzenberger drew parallels between these existing sectoral initiatives in India and the EU’s Data Governance Act (DGA), a regulation that establishes a framework to facilitate data-sharing across sectors and between EU countries. He explained how the DGA evolved from business models trying to solve problems around personal data management and consent management. In this context, he noted that EU regulators are keen to collaborate with India on the shared objectives of empowering users with their data and enabling data portability.  

Ashish highlighted that the value of consent managers lies in providing users a technological means to seamlessly give and withdraw consent. He also saw scope for data fiduciaries to rely on consent managers as a tool to safeguard against liability and regulatory action. When asked about what business model consent managers would adopt, Bertram noted that it is an evolving space and the market in which consent managers will operate is extremely fragmented. While he anticipated that based on his experience with account aggregators, consent managers would initially be funded by India’s technology ecosystem system, they may eventually shift to a user-paid model. The panelists also highlighted the need to obtain “buy-in” from data fiduciaries and ensure that they are accountable towards users towards users). Malte also pondered how consent managers could achieve scale in the absence of a legislative mandate requiring their use.

Rahul Matthan highlighted the immense potential of the market for consent managers in India, noting that as of January 2024, account aggregators have processed 40 million consent requests, twice the number from August of the previous year. Though account aggregators are not mandatory for users, Rahul noted that the convenience and efficiency that they offer is likely to encourage people to opt into using these services, whether they are within the formal financial system or outside it. Agreeing with this, Bertram highlighted the need for consent managers to focus on enhancing user experience and foster cross-sectoral collaborations. 

In his concluding remarks, Ashish underscored the importance of striking a balance by allowing the industry to develop the existing account aggregators framework while ensuring that use of this framework is optional for consumers. He agreed that the account aggregator framework is likely to influence the development of consent managers under the DPDPA, and suggested that there may also be use cases for similar frameworks in other areas and sectors, such as in e-commerce, to address deceptive design patterns.

Panel 4 – Operationalizing ‘verifiable parental consent’ in India

The final panel in the webinar series was focused on examining the requirements for verifiable consent for processing the personal data of children under the DPDPA. The panel was co-moderated by Christina Michelakaki (Policy Counsel for Global Privacy, FPF) and Varun Sen Bahl and they were joined by the following panelists:

1. Kieran Donovan, Founder, k-ID. 
2. Rakesh Maheshwari, Former Head of the Cyber Laws and Data Governance Division, Ministry of Electronics and Information Technology.
3. Iqsan Sirie, Partner, TMT, Assegaf Hamzah & Partners, Indonesia. 
4. Vrinda Bhandari, Advocate – Supreme Court of India. 
5. Bailey Sanchez, Senior Counsel, Youth & Education Privacy, Future of Privacy Forum. 

Varun Sen Bahl presented a brief overview of verifiable parental consent under the DPDPA. Specifically, the legislation requires data fiduciaries to seek verifiable consent from the parent or lawful guardian when processing the personal data of minors aged eighteen years or below or persons with disabilities. However, the Act empowers India’s Central Government to: 

• exempt specific classes of data fiduciaries from this requirement for certain purposes; and /or 
• reduce the age of consent for data fiduciaries that can prove they process children’s personal data in a ‘verifiably safe’ manner.

The forthcoming subordinate legislation under the DPDPA is expected to provide further detail on how these provisions will be implemented.

Building on the presentation, the panelists shed light on the complexities surrounding parental consent requirements under different data protection laws. Iqsan Sirie drew parallels between India’s DPDPA and Indonesia’s recently enacted Personal Data Protection Law, which also introduced parental consent requirements for processing children’s data that will only be clarified through enactment of secondary regulation. Iqsan cited guidelines issued by Indonesia’s Child Protection Commission as “soft law” which businesses could refer to when developing online services. 

Rakesh Maheshwari explained that the Indian Government’s intent in introducing these measures in the DPDPA was to address concerns regarding children’s safety, albeit while providing the Central Government flexibility in implementing these measures. 

Vrinda Bhandari focused on the forthcoming subordinate legislation to the DPDPA and stressed that any method for verifying parental consent must be risk-based and proportionate. Specifically, she highlighted privacy risks and low digital literacy as challenges in introducing such tech-based solutions. First, she pointed out that biometric-based verification methods, such as India’s national resident ID number (Aadhaar) or any other government-issued ID that captures sensitive personal data, could pose security risks, depending on who can access this information. Second, she noted that the majority of Indians belong to a mobile-first generation, where parents may not be digitally literate. Although Vrinda cited tokenization as a good alternative, she questioned whether it would be feasible to implement it in India, given the costs and technical complexity of deploying this solution.

Drawing from his expertise at K-ID, which aids developers in safely authenticating and safeguarding children’s online privacy, Kieran Donovan highlighted the array of methods for implementing age-gating, ranging from simple email verifications to advanced third-party services aimed at privacy preservation. He discussed the use of payment transactions, SMS 2-factor authentication, electronic signatures, and question-based approaches designed to gauge user maturity. He also pointed out that only 4 of the 103 countries requiring parental consent specify the exact method for verifying parental consent. He also spoke about the challenges faced by businesses in implementing age-gating measures, including the cost per transaction and resistance from users to sophisticated verification methods. 

Comparing India’s DPDPA with the Children’s Online Privacy Protection Act (COPPA) Bailey Sanchez noted that the age for consent in this context is 13 years in the US and is applicable only for services directed at children. Bailey also observed that it is not straightforward to demonstrate compliance under the COPPA. However, the Federal Trade Commission proactively updates the approved methods for parental verification and also works with industry to review new methods that reflect technological advancements. Christina spoke about the legal position on children’s consent in the EU under GDPR, and the challenges in relying on other legal bases for processing children’s data. 

As final takeaways, the discussion touched on the importance of regulatory guidance and risk-based intervention that incentivizes stakeholders to participate actively. Overall, panelists noted that a nuanced approach balancing privacy protection and practical considerations is essential for effective implementation of parental consent requirements globally.

To conclude the webinar series, Josh Lee Kok Thong (Managing Director for APAC, FPF) expressed his gratitude to all the panelists, viewers, and hosts (from FPF and nasscom) for their active participation, extending a special note of thanks for their contributions.

Conclusion

In the run up to the notification of the subordinate legislation which will enforce key provisions of the DPDPA, the FPF x nasscom webinar series aimed to foster an active discussion that captured the insights of regulators, industry, academia, and civil society from within India and beyond. Going forward, FPF will play an active role in building on these conversations.