A new framework for consent to ensure data privacy

The effectiveness of consent in protecting privacy is diminishing in our data-rich world. A study found that companies’ privacy policies and actual data sharing practices are inconsistent, with technically sophisticated firms sharing less data. A digital consent framework, exemplified by India’s account aggregator system, could enhance privacy protection by allowing dynamic, informed consent, but it currently lacks features to fully ensure privacy, such as purpose limitation and data deletion upon consent revocation. Enhancements to this framework could restore faith in consent as a tool for privacy protection.

This article was first published in The Mint. You can read the original at this link.


Regular readers of this column know that I have pretty much lost faith in consent. As much as it has served us well for decades, it no longer effectively protects personal privacy in our present data-rich world.

In a recent paper, titled The Market For Data Privacy, Tarun Ramadorai and his co-authors describe an interesting study they carried out on a large sample of privacy policies to evaluate the extent to which the content of these policies affected the manner in which personal data was transferred. They discovered that even though large firms with only an intermediate level of knowledge capital intensity had longer, more legally watertight policies, they were more likely to share the browsing history of their users with third parties. On the other hand, firms with the very highest level of knowledge capital intensity usually had shorter, less legally watertight policies, and tended to share less user data with third parties. Whether or not personal data will be shared seems to have less to do with the privacy policies of the companies collecting them, and more to do with their technical sophistication and ability to process data internally.

The reason companies get away with doing what they do with our data, despite what is contained in their privacy policies, is probably because of how these policies are designed. Consent is cumbersome to obtain, and so privacy policies are drafted in the widest possible language to give companies considerable leeway in third-party data transfers, so much so that there is no need for them to ever seek our consent again.

If consent can be made truly digital, it should be possible for companies to conveniently obtain consent as close as possible to the time the transfer actually takes place. Users will be able to decide for themselves each time whether or not to permit a particular type of transfer, and will be able to dynamically revoke previously provided consent at any time. If designed properly, this sort of consent framework could be integrated into the commercial workflow with minimal impairment to the velocity of transactions. Once companies have to obtain consent each time through a digital consent framework like this, they will be forced to engage more seriously with the finer nuances of data protection, eventually resulting in a higher standard of privacy protection all around.

A couple of weeks ago, I attended the launch of the account aggregator framework in Mumbai and witnessed, first-hand, a demonstration of this brand new service. Account aggregators are third-party consent brokers who interpose themselves between financial information users (FIUs) and financial information providers (FIPs) for the purpose of facilitating the movement of financial data between these entities. When fully implemented, this framework will allow a distributor of financial products (an FIU) to request financial information from any FIP. The FIP will then extract the required information, digitally sign it, and send it to the FIU through the account aggregator. Once integrated into the financial services industry, this framework will result in the development of a whole host of new financial products aimed at those currently underserved by the financial markets, including products that range from flow-based lending to robo-advisory services.

Central to all of this is the ministry of electronics and information technology’s digital consent artefact, a machine-readable electronic document that records the parameters and scope of every data share that a user consents to, and that is digitally signed to establish the identity of the person providing consent, as well as the nature of the permission granted. This is the mechanism by which FIUs and FIPs exchange data among themselves, relying on the consent provided by the user to pass data to each other through the account aggregator.

At first glance, this digital consent artefact seems to be the solution we have been looking for. It records the exact nature of the consent, time-stamping it with the digital signature of the consenting party, thereby creating an irrefutable record of what was agreed upon and by whom. Since it has been designed to be universal, the consent artefact could form the basis for passing consent between multiple entities, each of whom can rely on the digital signature of the user as the irrefutable basis for processing.

That said, all this consent artefact does is register consent. In order to be a full-blown tool for privacy protection, it will need to do much more. For instance, where consent is provided for a particular purpose, the consent artefact should ensure that the recipient cannot use the data for anything else. Once the purpose for which the consent was provided has been fulfilled, it should digitally ensure that the transferred data is expired, or otherwise prevented from being stored by the transferee. When consent is revoked, it should make it possible for all data that has been transferred before such revocation to be digitally deleted.

At present, the digital consent framework does not address any of these issues. However, it can’t be hard to build these features. If it is possible for us to incorporate these features into the digital consent artefact by creating a consent markup language that incorporates key privacy principles into the design, we will be able to create a framework for consent that directly incorporates privacy into its core architecture. And then, perhaps, I can start believing in consent again.
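A sketch of what such a consent record and its enforcement check could look like, added here as an illustration; it is not the ministry's artefact format or any account aggregator's code. All field names, the revocation registry and the sample values are hypothetical, and HMAC-SHA256 with a demo key stands in for the user's digital signature.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

# Constructed demo key. HMAC-SHA256 stands in for the user's digital
# signature; a real artefact would carry an asymmetric signature.
USER_KEY = b"constructed-demo-key"
REVOKED = set()  # hypothetical revocation registry held by the aggregator

def _canonical(body):
    # Stable byte encoding so signer and verifier hash identical input.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_artefact(body, key=USER_KEY):
    sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": sig}

def authorize(artefact, requester, purpose, now, key=USER_KEY):
    """Return (allowed, reason) for one intended use of the shared data."""
    body = artefact["body"]
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, artefact["signature"]):
        return False, "bad signature"            # artefact was altered
    if body["consent_id"] in REVOKED:
        return False, "consent revoked"
    if requester != body["fiu"]:
        return False, "requester not named in consent"
    if purpose != body["purpose"]:
        return False, "purpose not covered"      # purpose limitation
    if now >= datetime.fromisoformat(body["expires"]):
        return False, "consent expired"
    return True, "ok"

def must_purge(artefact, now):
    """True once data held under this artefact has to be deleted."""
    body = artefact["body"]
    expired = now >= datetime.fromisoformat(body["expires"])
    return body["consent_id"] in REVOKED or expired

# Constructed sample artefact.
SAMPLE = sign_artefact({
    "consent_id": "c-001", "user": "user@example", "fiu": "lender-a",
    "fip": "bank-b", "data": ["statement"], "purpose": "loan-underwriting",
    "expires": "2030-01-01T00:00:00+00:00",
})

if __name__ == "__main__":
    now = datetime(2029, 6, 1, tzinfo=timezone.utc)
    print(authorize(SAMPLE, "lender-a", "loan-underwriting", now))
    print(authorize(SAMPLE, "lender-a", "marketing", now))
    REVOKED.add("c-001")  # the user withdraws consent
    print(authorize(SAMPLE, "lender-a", "loan-underwriting", now),
          must_purge(SAMPLE, now))
```

The check binds only a recipient whose data-access path actually calls it, so purpose limitation and deletion still depend on where in the framework this logic is made mandatory.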