Consent-to-Port: A New Mechanism to Protect our Data

Context:  Protection of personal data is a necessity in the current technological world.

Problems of using consent as a mean to protect personal privacy

• Companies design privacy policies as wide as possible: and are used as a get-out-of -jail-free card by technology companies.
• They accommodate new uses within the terms of consent that has been previously obtained in order to avoid frequently-revised privacy policy.

• Presence of Data Asymmetry: Large tech companies have disproportionate access to and control over our personal data that they often know more about the implications of our decisions.

• The data principal has no idea of the actual transaction to which the consent was applied. 

• Delegation of responsibility to decide which entity in appropriate : For E.g. While the Data Protection laws requires collectors of data to clearly specify the individuals and entities with whom and which it will be shared, due to inconvenience, they list the entities in broadest terms with vague categories like “advertisers”, “vendors” and “researchers”

Ways to ensure protection of personal data

• Need a level of  standardization and common technical infrastructure to enable data sharing: For E.g. 

• Data Empowerment and Protection Architecture (DEPA): released by NITI Aayog

• A unique technological and regulatory framework created to facilitate the transfer of data between various financial institutions using digital consent. 

• Provides a framework within which data principals can give just-in-time consent for requests to port their data, thus offers a more effective alternative to the upfront consent mechanism 

• The Open Credit Enablement Network (OCEN): A set of digital lending application program interfaces for borrowers and lenders.
• OCEN will offer unprecedented opportunities for financial technology companies and banks to offer products and services that would otherwise not have been possible.
• Provides a framework within which data principals can give just-in-time consent for requests to port their data. 

Conclusion: By separating consent to port from sign-on consent, we can significantly improve our effective control over our personal data.