Dhriti Rohatgi is a 4th year student of School of Law, Christ (Deemed to be University), Bangalore
Introduction
Digital Public Goods (DPGs) are defined as open source software, open data, open artificial intelligence models, open standards, and open content that adhere to privacy and other applicable international and domestic laws, standards and best practices and do no harm. DPGs have become indispensable for building public digital infrastructure in critical socio-economic sectors. It was set up in India through the Indian Software Product Industry Roundtable (iSPIRT). It is open-source, unrestricted and interoperable. It addresses monopolisation concerns and can also be used to set up a financial inclusion solution such as the Unified Payments Interface (UPI). They are a part of India Stack, an Application Programming Interface (API) under the Data Empowerment and Protection Architecture Framework (DEPA). It creates a digital framework that allows users to share their data through third-party entities called consent managers. This framework is now being used in the financial sector through a consent dashboard called Account Aggregators (AA). NBFCs act as a digital platform where the Data Principal can access and see their financial data. It is also where they can consent to share the data with a Financial Information User (FIU). A non-government, private limited company, Sahamati, has created an account aggregator ecosystem to improve this system.
These Digital Public Goods have led to the creation of the Digital Public Infrastructure (DPI), which integrates various digital services for public delivery systems. The Digital Public Infrastructure includes, but is not limited to, Aadhaar, eKYC, DigiLocker, and DigiYatra, and is expanding into other sectors like healthcare and education. This raises some issues. First, could the Account Aggregator model be adopted in different sectors? Second, will introducing a consent manager be a protective measure under the broad State exemptions of the DPDP Act, and how effectively will it safeguard individual rights?
This article examines these issues after briefly discussing the consent and security measures of the AA framework, the pay-or-consent model, State exemptions and consent under the DPDP Act 2023.
Consent Managers and Account Aggregators: A Techno-Legal Solution
Consent forms the basis for lawful processing of data. Every Data Fiduciary has a duty to ensure that, for a lawful purpose, the Data Principal consents to data processing. The consent shall be free, specific, informed, unconditional, and unambiguous, with explicit affirmative action, and limited to such specified purpose. However, it does not mandate granular consent either: there could be one privacy notice that requires bundled consent, or there could be separate notices for each purpose. Processing may otherwise be based on legitimate use or on data manifestly made public. The AA mechanism addresses these concerns through the consent artifact, and the DEPA architecture allows for data portability from various firms at the same time. It shows all the consents given, the revoked consents, and a log of all data requests made by the FIU. The consent can even be withdrawn through the app. The AA cannot identify the data or store the data, and is not a Data Fiduciary. It uses Privacy Enhancement Technology, ensuring that Data Principals can monitor their consents with various fiduciaries.
These standardized APIs are essential for ensuring the smooth flow of data, but in sector-specific contexts they cannot be solely relied on, as industry standard-setting organizations, including market leaders, can hinder standardisation to maintain their position in the market. Regulators like the RBI have the capacity to enforce norms on the Consent Managers; this capacity may be lacking amongst regulators in sectors such as health and agriculture, creating the need for an independent regulator. Measures need to be taken to ensure interoperability and prevent monopolization by large tech firms across sectors. There will also be access to inferred and behavioral data that could be used by financial institutions to grant access to credit or insurance, and such profiling and data scraping should be controlled.
Under the DPDP Act, Consent Managers are required to be registered with the Board and act as a Data Fiduciary, but the AAs are not subject to the responsibilities of the Fiduciary; this could alter the responsibility to the Data Principal. It is also important to understand that the use of such models depends on access to the internet and smartphones. This means the approach is not inclusive of all people from all socio-economic backgrounds, including those who might need these frameworks the most.
Navigating Consent and Legitimacy: Exploring the DPDP Act’s Implications for Data Use and Public Services
The DPDP Act defines legitimate purpose and, read with Section 7(c), allows the State to collect and process data in the interest of the sovereignty, integrity and security of the State, maintenance of public order, or preventing incitement to any cognizable offences. Where usage of Digital Public Goods becomes essential for access to basic services, or takes place under the pretense of public health management, these uses could be covered under the definition of legitimate use. The Data Principal lacks bargaining power. The BN Srikrishna report also states that government processing should abide by the prerequisites of consent. Section 17(2)(a) of the DPDP Act also exempts the provisions of the Act in respect of personal data by such Instrumentality of the State as the Central Government for certain interests and where necessary for research, archiving or statistical purposes. There is no mandatory deletion of data and no purpose limitation after the purpose has been served by the State.
Applying the AA model in such public and private sectors could address some of the issues of legitimate use and its ambiguities in interpretation. However, it assumes that consent is a sufficient condition and that the user is aware of the consequences of the consent that they have provided, especially in cases where consent is needed to access public services. The DPDP Act does not restrict profiling and exempts data that is made publicly available, so the Data Fiduciary can use such inferred data as per their profitable interests. These exemptions could raise concerns about surveillance; they should be proportionate to the need for such interference and meet the requirement of narrow framing of the law as per K.S. Puttaswamy v. Union of India.
Conclusion
The integration of Digital Public Goods (DPGs) into India’s socio-economic framework, particularly under the DPDP Act, offers significant potential for advancing public digital infrastructure. However, this potential is accompanied by complex challenges related to consent, security, and state exemptions. The consent-based framework exemplified by Account Aggregators (AAs) represents a promising approach for managing data sharing while safeguarding individual privacy. Nevertheless, extending this model across various sectors requires careful consideration of regulatory capacities, potential monopolization by major tech firms, and ensuring inclusivity for all socio-economic backgrounds. The DPDP Act emphasises lawful data processing and introduces consent managers, yet its broad state exemptions and the lack of mandatory data deletion raise substantial concerns. These exemptions could undermine individual rights and lead to misuse of data under the pretext of public interest. For the effective and ethical implementation of DPGs, it is crucial to enforce stringent data protection measures, ensure interoperability across sectors, and establish independent regulators where necessary. Furthermore, addressing the digital divide and ensuring that all citizens, regardless of their socio-economic status, can access and benefit from these digital services is essential for an inclusive approach. While the DPDP Act and the AA framework mark significant advancements in India’s digital landscape, continuous oversight and adaptation are required to balance innovation with privacy and security, ensuring that the benefits of DPGs are equitably distributed and individual rights are protected.