INTRODUCTION
The Digital Personal Data Protection Act, 2023 ( “DPDPA”) is a pathbreaking legislation in the quest by India to regulate the use of personal data. Right at the heart of this law is an institution called the Consent Manager, under whose mandate falls the management of the consent of people over the processing of their personal data. This, is not entirely a new idea but draws inspiration from the Data Empowerment and Protection Architecture (“DEPA“) by NITI Aayog and the Account Aggregator (“AA“) framework in place by the Reserve Bank of India released on August, 2020.
Notably, in both the landmark data protection laws, namely, General Data Protection Regulation (“GDPR”) and California Consumer Privacy Act (“CCPA”) frameworks, the role of a Consent Manager is not explicitly defined. Under the GDPR, DPOs handle consent management, while the CCPA assigns this responsibility to businesses, which may enlist Privacy Compliance Officers (“PCOs“) or similar roles.
FRAMEWORK OF CONSENT MANAGERS
A “Consent Manager” under the DPDPA is defined in Section 2(g) as an individual or entity registered with the Board who facilitates the process for Data Principals to give, manage, review, and withdraw their consent through a user-friendly, transparent, and interoperable platform.
The Sri Krishna Committee’s recommendation in July 2017 introduced the role of the Consent Manager to advance the concept of “data democracy.” This framework aims to dismantle data silos and promote data portability, giving individuals more control over their personal data. Data democracy envisions a system where users can make decisions about how their data is owned, shared, and used, thereby reducing the dominance of large data-centric entities.
Currently, without effective legislation, Data Fiduciaries are not obligated to share personal data with other entities, resulting in isolated data silos and significant barriers to innovation. The introduction of the Consent Manager is intended to address these issues by enabling new entrants to access data in a fair manner, thereby fostering innovation and enhancing consumer welfare.
Under this framework, Data Principals have the option to provide their data either through a Consent Manager or directly to a Data Fiduciary. The Consent Manager acts as an intermediary between the Data Principal and Data Fiduciary. This role is analogous to the AA Framework, which includes a FIP and a FIU.
Data Protection Officers are responsible for ensuring that consent is effectively managed throughout this process. The DPDPA mandates that Significant Data Fiduciaries appoint a DPO, as defined in Section 2(l).
Both DPOs and Consent Managers share accountability and transparency obligations, but their roles differ in scope. DPOs are focused on overall data protection compliance, handling data processing queries, overseeing data protection practices, and managing grievance redressal, as described in Section 10 of the DPDPA. In contrast, Consent Managers are specifically tasked with managing consent from Data Principals and maintaining consent records, as per Section 6 of the DPDPA.
In 2020, the NITI Aayog’s ‘Data Empowerment and Protection Architecture’ formalized the role of consent managers, defining them as entities that facilitate Data Principals’ consent through an accessible, transparent, and interoperable platform.
The Consent Manager serves as a central hub where Data Principals can manage their data consent more efficiently. This platform eliminates the need to navigate multiple systems, allowing Data Principals to give, manage, review, and withdraw their consent for data collection and processing. It is crucial that this platform is accessible to all users, regardless of their technical proficiency or physical abilities, ensuring that consent is communicated and enforced effectively across various data processors and controllers.
In the data flow cycle, the role of the Consent Manager involves several steps: first, an information user requests data. The Consent Manager then forwards this request to the Data Principal, who provides consent. The Consent Manager communicates this consent to the entities storing the data. Finally, data flows from these entities to the information user via the Consent Manager, through an encrypted data flow.
COMPLIANCE REQUIREMENTS
The DPDPA outlines the role and registration requirements for Consent Managers in Section 21. This section stipulates that Consent Managers must be registered with the Data Protection Board of India (“the Board”).
Registration Requirement: Consent Managers must be registered with the Board to operate legally.
Role and Functions: Consent Managers would be data intermediaries who facilitate obtaining, managing, and withdrawing consent from Data Principals.
Compliance Obligations: Consent Managers must comply with the provisions of the DPDPA and any regulations or guidelines issued by the Board. Further, the Consent Managers shall also be accountable to the Data Principal.
AMLEGALS REMARKS
Consent Managers offer benefits to both Data Fiduciaries and Data Principals. For Data Fiduciaries, they simplify compliance with consent-related statutory requirements. For Data Principals, they provide an efficient mechanism to grant and manage consent. This enhanced efficiency in consent management improves the overall speed, security, and flow of personal data.
Moreover, Consent Managers assist Data Principals in exercising their right to grievance redressal more easily and efficiently. Importantly, they make consent management a straightforward and comprehensive process.
The Consent Manager framework has been a gigantic step in the direction of empowering the individuals in the digital age. Drawing from the principles laid down under DEPA and the AA framework, the Consent Manager model under DPDPA could guarantee that the individual has control over his/her personal data, much like the way the AA system works with financial data. This will not only bolster privacy and security but engender trust in digital services through assurance that user data is handled according to consent given.
– Team AMLEGALS assisted by Ms. Roshni Naskar (Intern)
For any queries of feedback, feel free to reach out to mridusha.guha@amlegals.com or liza.vanjani@amlegals.com