The Personal Data Protection Bill – PDP & what it means for designers, developers, architects and managers

The Personal Data Protection Bill, passed by the President on August 11, has placed designers, developers, architects and managers squarely in the driving seat. If it is to be, it is up to us. Find out how.

First, a short relevant glossary. For the main glossary, or to read the draft bill, click here.

“Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;

“Data Principal” means the individual to whom the personal data relates, and where such individual is—
(i) a child, includes the parents or lawful guardian of such a child; and
(ii) a person with disability, includes their lawful guardian, acting on behalf of such individual;

“Data Processor” means any person who processes personal data on behalf of a Data Fiduciary;

“personal data” means any data about an individual who is identifiable by or in relation to such data;

“processing” in relation to personal data means a wholly or partly automated operation or set of operations performed on digital personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;

“Data Protection Officer” A Data Fiduciary shall publish, in such manner as may be prescribed, the business contact information of a Data Protection Officer, if applicable, or a person who is able to answer on behalf of the Data Fiduciary, the questions, if any, raised by the Data Principal about the processing of her personal data.


The provisions of this Act shall apply to processing within the territory of India of:
(i) personal data collected in digital form; and
(ii) personal data collected in non-digital form and digitised subsequently;

(b) of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India.

As a Data Principal, the bill raises many questions, which are being discussed on LinkedIn and Twitter. If you’d like to find out how it affects you as a data owner or principal, click here.

The following recommendations are for Data Fiduciaries, the people who decide to process personal data for users; I guess that makes most of us in the IT industry. Although the legal entity that is the Data Fiduciary is indeed the company for which data is being processed, the responsibility falls on the shoulders of the Data Processors: designers, data architects, developers, product and project managers, leaders and so forth. We who design and operate products with new and exciting ways of using data.

So when we design a flow in which data is asked of a Data Principal (the owner), such as a form, a login screen or a password hint, a bank loan application form, a job application, or even a form that demands an individual’s mobile number to complete an operation: when we decide on the input of data, that is when we come under the act.

But wait, does that mean legal liability? No, it doesn’t. If you design it right, the law will be followed, and your company will benefit in terms of compliance and avoid penalties which can go as high as 250 crores! It’s not difficult to do it ethically in the first place. There, I got your attention: it’s about ethics, about having the interests of your users at heart. It’s also good business.

5. A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose—
(a) for which the Data Principal has given her consent; or
(b) in respect of which the Data Principal is deemed to have given her consent.

Consent! What a beautiful word. It implies agreement with what both parties are doing: the sharing of data and the receiving of data for a purpose. Respecting the boundaries of consent means keeping in line with the law in any activity. “We have a consent box in the design library!” you think. Keeping at least one item in the design library for a consent box is a best practice indeed, and it will be your starting point in compliance. You will need to build multiple consent boxes to comply with what’s coming ahead. Here’s where it gets exciting.

Illustration: X, an individual, opens a bank account using the mobile app or website of Y, a bank. To complete the know-your-customer (KYC) requirements under law for opening of bank account, X opts for processing of her personal data by Y in a live, video-based customer identification process. Y shall accompany or precede the request for the personal data with an itemised notice to X, describing the personal data and the purpose of its processing.

Illustration in the Data Protection Bill Draft 2023

I love the illustration. Contemporary and clear. In our designs there are many instances in which we collect personal data; remember that even a video or a picture is personal data, as are name, address, phone number, organization, bank account number, Aadhaar number, passport number and so on. Remember, any data that can identify your user has been classified as personal data. The phrase “in relation to such data” gives a very wide berth to the definition of personal data. It also means medical data, financial data, educational data and other kinds of data which the personal data owner may deem private and violable. Now think about your application, product or design.

The consent dialogue needs to be a clear and concise, itemised list that, in very plain, understandable language, makes it clear what data you are collecting, what you are collecting it for, and what you will or will not do with it. It needs to have a clear call to action which keeps her informed of what is happening.

The consent dialogue also needs to publish the name of the Data Fiduciary and of the ‘Data Protection Officer’ appointed by the fiduciary. This Data Protection Officer has to be ready to answer any queries posed by the data owner or by any regulatory authority. She also has to address any grievances that owners may present to her.

(2) Where a Data Principal has given her consent to the processing of her personal data before the commencement of this Act, the Data Fiduciary shall, as soon as it is reasonably practicable, give to the Data Principal an itemised notice in clear and plain language containing a description of personal data of the Data Principal collected by the Data Fiduciary and the purpose for which such personal data has been processed.
“notice” can be a separate document, or an electronic form, or a part of the same document in or through which personal data is sought to be collected, or in such other form as may be prescribed
(3) The Data Fiduciary shall give the Data Principal the option to access the information referred to in sub-sections (1) and (2) in English or any language specified in the Eighth Schedule to the Constitution.

Illustration: X, an individual, gave her consent to the processing of her personal data for an online shopping app or website operated by Y, an e- commerce entity, before the commencement of this Act. Upon commencement of the Act, Y shall, as soon as practicable, give through email, in-app notification or other effective method an itemised notice to X, describing the personal data and the purpose of its processing.

Illustration in the Data Protection Bill Draft 2023

If your system is already processing previously collected personal data of your users, you will soon have to give a notice, again itemised in clear and plain language, on the data that you have and the purpose for which you are keeping said data.

This is indeed a huge responsibility for those who are storing data in data lakes. If best practices have been followed and the data is segregated, then your job is easier. Getting additional consent is a compliance burden that can disrupt the flow of your user through any task, so where and when this ‘Notice’ is given to your user matters. Giving the notice is enough if the user consented to share the data earlier, that is, if your flows have indeed been ‘compliant’ from the start, with ‘Terms & Conditions’ that were agreed to.

7. (1) Consent of the Data Principal means any freely given, specific, informed and unambiguous indication of her wishes by which she, by a clear affirmative action, signifies agreement to the processing of her personal data, for the specified purpose and limited to such personal data as is necessary for the specified purpose.

Illustration: X, an individual, downloads Y, a telemedicine app. Y requests the consent of X for (a) the processing of her personal data for making available telemedicine services, and (b) accessing her mobile phone contact list, and X signifies her consent to both. Since phone contact details are not necessary for making available telemedicine services, her consent shall be limited to the processing of her personal data for making available telemedicine services.

Illustration in the Data Protection Bill Draft 2023

Illustration: X, a telecom service provider, enters into a contract with Y, a Data Processor, for emailing telephone bills to the customers of X. Z, a customer of X, who had earlier given her consent to X for the processing of her personal data for emailing of bills, downloads the mobile app of X and opts to receive bills only on the app. X shall itself cease, and shall cause Y to cease, the processing of the personal data of Z for emailing bills.

Illustration in the Data Protection Bill Draft 2023

The above is very important for the design of both the form and the underlying mechanics of using this data, so data architects, developers and designers need to work together to understand WHAT they will be using the personal data for. The use of the data should be within the means of providing the service that the user has agreed to. Companies are now liable for any extraneous data they collect and use, and not complying with the rules can spark litigation. So we need to be extra careful now in asking for information. Only collect what is needed within the lawful bounds of the service you are about to provide to the customer.

Consent once given is not a blanket covering all data transactions between the user and you. This is different in the following cases, where it may be considered ‘deemed consent’:

  • For employers, where consent can be deemed more readily and they have a lesser burden of consent responsibilities.
  • Also applicable to the government for distribution of benefits, licences and certifications, and for use in law enforcement and matters of national security.
  • Can also be considered deemed for disaster and epidemic management and for health emergencies.
  • The instances where the data owner offers or voluntarily discloses their data to you for a purpose to which you are both agreeable are also deemed as consent. The keyword is offers. Any time a demand is made, such as a field labelled mandatory on a form, it does not fall into this category.

(3) Every request for consent under the provisions of this Act shall be presented to the Data Principal in a clear and plain language, along with the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purposes of exercise of her rights under the provisions of this Act.
(4) Where consent given by the Data Principal is the basis of processing of personal data, she shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given.
(5) The consequences of the withdrawal referred to in sub-section (4) shall be borne by the Data Principal, and such withdrawal shall not affect the lawfulness of processing of the personal data based on consent before its withdrawal.

This gives new meaning to the words consent management. Now the design of consent management systems, at both the backend and the frontend, is important. What the user has agreed to, what you can use, and what you need to delete or update should be clear to the user, to the data admin and to the law, should it be required in an audit or investigation. Early on this job can be done by an individual, but the ease of use needs to be comparable to that of taking the consent in the first place. A system or a feature matches that description as well. A threshold value of users, complaints or number of data points may help you decide when to make that move.

(7) The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager.
(8) The Consent Manager referred to in sub- section (7) shall be an entity that is accountable to and acts on behalf of the Data Principal.
(9) Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed.
(10) Where consent of the Data Principal is the basis of processing of personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall be obliged to prove that it gave notice to the Data Principal and received her consent.

All users are legally entitled to ways and means both to delete this data and to withdraw their consent for its use. The responsibility for doing this is on the user, but she needs a way to do so.

The word ‘entity’ can be interpreted to mean a ‘Consent Management’ section in your application where this operation can take place. A system to back it up. Chat bots for easy interaction? The decision is yours as a designer.

(7) A Data Fiduciary shall—(a) erase personal data, upon the Data Principal withdrawing her consent or as soon as it is reasonable to assume that the purpose for which such personal data was collected is no longer being served by its retention and retention is no longer necessary for compliance with any law for the time being in force; and (b) cause its Data Processor to erase any personal data that was made available by the Data Fiduciary for processing to such Data Processor, upon completion of such processing.

Consent once withdrawn affects those parties as well with whom you have shared said personal data. So a bank which has shared data with an investigation officer who works with a vendor will have to instruct the vendor to delete the data, although by law banks themselves are allowed to retain customer data for a period of ten years for any further processing required.
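A sketch of how the consent bookkeeping discussed above could be modelled: consent limited to the items a purpose actually needs (the telemedicine illustration), withdrawal that is a single action, erasure instructions queued for every processor the data was shared with (the telecom-bills illustration and clause 7 above), and a record that lets the fiduciary show what notice was given and when consent was received. This is an added example, not code from the post or from the Act; the purposes, data items and processor names are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed mapping of what each purpose genuinely needs (hypothetical services).
NECESSARY_FOR = {
    "telemedicine": {"name", "phone", "medical_history"},
    "billing_email": {"name", "email"},
}


@dataclass
class ConsentRecord:
    principal: str
    purpose: str
    items: frozenset                  # only the items the purpose needs
    notice_text: str                  # the itemised notice actually shown
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self):
        self.records = []
        self.processors = {}   # purpose -> processors the data was shared with
        self.erasure_log = []  # (processor, principal, purpose) erase instructions

    @staticmethod
    def itemised_notice(purpose, items):
        """Plain-language, itemised notice that accompanies the request for data."""
        lines = [f"To provide {purpose} we ask for:"]
        lines += [f" - {item} (used only for {purpose})" for item in sorted(items)]
        return "\n".join(lines)

    def record_consent(self, principal, purpose, requested):
        """Keep consent only for items the purpose needs: a contact list is not
        needed for telemedicine, so consent never extends to it."""
        allowed = frozenset(requested) & frozenset(NECESSARY_FOR[purpose])
        self.records.append(ConsentRecord(principal, purpose, allowed,
                                          self.itemised_notice(purpose, allowed),
                                          datetime.now(timezone.utc)))
        return sorted(allowed)

    def may_process(self, principal, purpose, item):
        """Gate every use of an item on a live, itemised consent record."""
        return any(r.principal == principal and r.purpose == purpose
                   and item in r.items and r.withdrawn_at is None
                   for r in self.records)

    def withdraw(self, principal, purpose):
        """One call withdraws consent and queues erasure at every processor
        the data was shared with, so the fiduciary can cause them to cease."""
        for r in self.records:
            if r.principal == principal and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = datetime.now(timezone.utc)
                for processor in self.processors.get(purpose, []):
                    self.erasure_log.append((processor, principal, purpose))

    def proof_of_consent(self, principal, purpose):
        """What a fiduciary must be able to show: the notice given and when consent came."""
        return [{"notice": r.notice_text, "given_at": r.given_at.isoformat(),
                 "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
                for r in self.records
                if r.principal == principal and r.purpose == purpose]
```

The same ledger, queried per principal, also gives the summary of data held, processing done and parties shared with that the access and correction rights further down require.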

10. (1) The Data Fiduciary shall, before processing any personal data of a child, obtain verifiable parental consent in such manner as may be prescribed.
Explanation.—For the purposes of this sub- section, the term “parental consent” includes the consent of lawful guardian, where applicable.
(2) A Data Fiduciary shall not undertake such processing of personal data as is likely to cause harm to a child.

As a mother I love this clause, since it makes it illegal to harm a child through any kind of data processing or breach. With a law in place, it may spark the design of better child protection features, like the ones Snapchat uses today, for all digital products and services.

12. (1) The Data Principal shall have the right to obtain from the Data Fiduciary to whom she has previously given consent, or is deemed to have given consent under clause (a) of section 8, for processing of personal data, upon making to it a request in such manner as may be prescribed,—
(a) a summary of the personal data of such Data Principal which is being processed by such Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data;
(b) the identities of any other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and
(c) such other information, related to the personal data of such Data Principal and its processing, as may be prescribed.

13. (1) A Data Principal shall have the right to correction, completion and updating of her personal data for the processing of which she has previously given consent or is deemed to have given consent under clause (a) of section 8, in accordance with any requirement or procedure under any law for the time being in force.

This data should now be available to each user, whether they consented now or in the past. If they want to see it, modify it or withdraw it, that is the right of a data owner. This gives the user the power to find out what you are doing with their data, whether you are processing or sharing it or using it for any other purpose.

I remember wondering what Alexa had on me that someone could use against me, now I can just ask Alexa and it is legally bound to tell all. Hallelujah!

A note on Consent:

Consent, again a beautiful concept, is no longer a blanket terms and conditions or even a data privacy policy. The consent dialogue and the consent management system are now an integral part of any digital entity you build.

The Consent Dialogue: Consent can no longer be the security blanket of ‘I agree to all terms and conditions’ under which all data collected was covered. Special attention has been paid to the word ‘Itemised’. It appears 4 times in the draft, alongside the terms clear and concise. Each item, of course, refers to each piece or category of data collected.

The consent dialogue has the legal responsibility of being clear and understood by the consenting user. Although English has been named as the preferred language, consent can and should be in the language that is easiest for the user to understand, since misunderstanding of the terms can spark litigation. For data fiduciaries the cost of non-compliance is high.

As a designer you have to walk the tightrope between too much consent and too little. Social sign-on does the job of taking consent while sharing data very nicely. When you agree to sign on to another website using Facebook or LinkedIn, it explains and allows you to pick the kinds of data you will share with the originating website in a clear, concise, yet actionable way. They could also legally have embedded it all into terms and conditions the first time you used the service and been done with it. Can we learn from this best practice?

The Consent Manager: I can visualize a dashboard where the items of personal data, their periodicity, and controls are present. Any personal data or type of data, like location, health information etc., that you are collecting should be shown with the reason why you are collecting it, the processes for which it has indeed been used, and the names of the parties with whom it has been shared. The user should be able to modify or delete this data, or withdraw the consent that allows you or the other parties with whom data has been shared to use it. The design of this section needs to be exceptionally clean and clear. The above functionalities are legal responsibilities and great experiences to give your customer.

As a designer you need to understand the vendor, supplier and ancillary ecosystem, to trace and visualize the data path, to be able to design this well. There also needs to be a system to alert vendors when they need to delete this data. The law specifies that an entity cannot keep personal data beyond the reasonable usefulness period. The deletion also needs to happen when the user requests it, preferably automatically.

These and more are all design decisions that you will have to take at some point. The bill is open to interpretation, but how minimally or maximally you apply these limitations and responsibilities is up to you as a designer and to your stakeholders: product owners, leaders and management. With rising data sensitivity, any activity that you may be doing to comply with data privacy standards is a token of trust for users. Parents, for one, will rest assured that their wards are safe if they have to consent. How unobtrusively can you make that happen? It’s a truly wicked problem to sink your teeth into. That’s why the ball is in our court. It is up to us.

This is where ethics meets design. Failure to protect the consent rights of your consumers is already on the list of dark patterns. How ethical a designer you are will depend on how well you design your consent dialogues and consent management system. For minimal disruption of business. For the comfort and trust of your users. The protection of children. Will you add to the darkness or will you create better ways of spreading light?

May the force be with you in your journey as a designer of safe, easy to use and compliant applications, interfaces & journeys for your end users.

Author: Ekta Rohra Jafri

Ekta is a prolific design thinker, system designer and future explorer. She speculates on future scenarios in episodes of Sienna Tales which she works back into policy with the Sienna Charter, a framework for building Data Privacy, Sharing & Monetisation in the new world.
