x

Consent Managers under Digital Personal Data Protection Act – Bridging the gap between Data Principal and Data Fiduciary

30 January 2024

Over the last decade, India has become one of the most significant consumers of data in the world. Currently, the internet penetration rate in India stands at 48.7% (forty-eight point seven per cent) and this number is expected to exceed 61% (sixty one per cent) by the end of 2025. An average internet user in India consumes approximately 19.5 GB (nineteen point five giga bytes) of data every month. Much of this growth can be attributed to improved internet infrastructure, cheap smart phones, and availability of reasonable data packs across the country.

Another major effect of this increased access to cheap internet and smartphones is the uptick in e-commerce and online banking. The e-commerce market is projected to grow at 18% (eighteen per cent) annually through 2025 and is expected to touch $350 billion by 2030. Further, India accounts for nearly 40% (forty per cent) of global online banking transactions.

Digital Economy and Data Privacy

The exponential increase in e-commerce and the consequent (permanent) change in the way most people purchase goods and services has also caused a massive increase in the volume of online data transfers. This means that for e-commerce transactions to be commercially viable, businesses need to ensure efficient and smooth movement of large volumes of data.

A natural side-effect of this is a threat to the privacy of financial, medical, and other forms of personal data shared by individuals over multiple apps, social media, and e-commerce platforms.

In view of the above, data privacy in this changed landscape has become an even more significant issue. There are a wide range of concerns that need to be addressed – ranging from consent before collection, integrity of processing processes, legality of transfers (including cross border data transfers), proper and legitimate use, grievance redressal and deletion at the appropriate time (after use, or on request).

Relevance of Consent and the introduction of ‘Consent Managers’

Consent plays a critical role in securing the rights of individuals whose personal data is being processed (i.e., a data principal) and in this Article, we will briefly discuss the measures introduced under the Digital Personal Data Protection Act, 2023 (‘DPDP Act’) to address challenges around management of data principals’ consent.

The concept of ‘consent managers’ was first introduced in the Personal Data Protection Bill, 2019 (‘PDPB’). Under the PDPB, a ‘consent manager’ was defined as a "data fiduciary which enables a data principal to gain, withdraw, review and manage his consent through an accessible, transparent and interoperable platform." Separately, the Reserve Bank of India (RBI) also provided for the concept of ‘account aggregators’ in the ‘Master Direction-Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions, 2016’. Under these master directions, the role of account aggregators (in relation to financial information) is similar to the role of a consent manager (in relation to personal data).

The role and responsibilities of a consent manager were further discussed in a publication issued by the NITI Aayog in 2020, titled ‘Data Empowerment And Protection Architecture’ (‘DEPA’). In the DEPA it was discussed that, under the PDPB, 'consent managers' were posited to manage a data principal’s consent through an accessible, transparent, and interoperable platform. It was further noted that consent managers would be ‘data blind’ and will not see or use personal data themselves.

The role of a consent manager in the data flow cycle would be as follows:

  • Step 1: an information user (for example, any app) raises a request for data
  • Step 2: consent manager forwards this request to the data principal
  • Step 3: data principal provides consent
  • Step 4: consent manager communicates this consent to entities which store the data
  • Step 5: the data flows from entities which store the data to the information user, via the consent manager (through an encrypted data flow).

‘Consent Managers’ under the DPDP Act

The DPDP Act defines a ‘Consent Manager’ as “a person registered with the Board who acts as a single point of contact to enable a data principal to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform.

Under the DPDP Act, Consent Managers will: (a) be required to obtain registration from the Data Protection Board; (b) shall be subject to technical, operational, financial, and other conditions (as may be prescribed); and (c) shall be accountable to data principals. The obligations of a consent manager will be prescribed in rules to be issued under the DPDA.

Consent under the DPDP Act needs to be “specific, free, informed, unconditional, unambiguous with a clear affirmative action” and introduction of the mechanism of Consent Managers enables a fast and efficient means of achieving this, by bridging the gap between the Data Fiduciary and the Data Principal.

The use of Consent Managers benefits both Data Fiduciaries (by enabling easier compliance with consent-related statutory requirements) as well as Data Principals (by providing an efficient mechanism to grant and manage their consent). This improved efficiency of consent management also improves the overall speed, security, and efficiency of personal data flows.

Another benefit of the use of Consent Managers is that this will assist Data Principals in exercising their right of grievance redressal with more ease and efficiency.

Way forward

The relevance of Consent Managers is likely to increase significantly over the next few years as they act as conduits for more and more online transactions and e-commerce. Digilocker is a prime example of the possibilities for quick adoption of this facility.

As we await the enforcement of the DPDP Act, industry players are already establishing compliance protocols and procedures as per the new law. Given the introduction of Consent Managers under the DPDP Act and the benefits that this new mechanism offers as a compliance bridge between the Data Principals and Data Fiduciaries, it is likely to gain significant leverage as a new tech-enabled service offered by Indian startups and entrepreneurs. However, it is important for entities offering consent management services to ensure that their activities do not fall within the ambit of data processing under the DPDP Act, as this would expose them to more stringent compliance requirements and significantly higher penalties.

[Prashant Phillips and Abhishek Singh are Executive Partner and Associate, respectively, in Data Protection and TMT practice, while Paritosh Chauhan is an Associate Partner in Corporate and M&A practice, of Lakshmikumaran & Sridharan Attorneys, New Delhi]

Browse articles