The Role of a Consent Manager Under the DPDP Act

Posted On - 26 October, 2023 • By - King Stubb & Kasiva

Background

A significant step towards ensuring the privacy and security of individuals’ personal data has been taken with the introduction of India’s Digital Personal Data Protection Act, 2023 (the “DPDP Act”). The legislation centres around a crucial proposition – the Consent Manager Framework, which has the potential to revolutionise the collection, processing, and management of personal data. This innovative mechanism aims to serve as a balancing measure between empowering individuals to have greater control over their personal information and equipping organisations with the necessary guidance and tools to navigate the complex landscape of data protection and privacy.

Consent Managers: Why do we need them?

The notice and consent framework to secure an individual’s consent is the bulwark on which data processing practices in the digital economy are founded. It is based on the philosophically significant act of an individual providing consent for certain actions pertaining to their data.[1] The B.N. Srikrishna Committee recognised the importance of this concept and recommended a fiduciary approach to data protection, leading to the emergence of Consent Managers within the present Indian data protection framework.

Who is a Consent Manager?

Section 2(g)[2] of the DPDP Act states that a Consent Manager is a person[3] registered with the Data Protection Board (the “Board”) who acts as a single point of contact to enable a Data Principal[4] to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform. The position of Consent Manager may be handled by a person in-house as well as outsourced to any legal entity to facilitate digital consent management within the said organisation.

Defining the Role of Consent Managers

The DPDPA proposes a process where a Data Fiduciary[5] engages a Consent Manager to manage consent and act on behalf of the Data Principal.

Consent Managers serve a variety of goals, such as acquiring informed consent for specific purposes, recognising consent withdrawal, and proving that consent was received prior to data processing. To ensure record-keeping of verifiable consent, the Consent Manager is entrusted with developing a notification and consent logging process. By streamlining this entire process, Consent Managers ensure the elimination of data scraping and unauthorised collection of public information.

Transparency, customer confidence, and personal data control are all priorities for Consent Managers. Therefore, Consent Managers operate as trusted intermediaries in all data-related interactions between Data Principals and Data Fiduciaries.

Differences Between Consent Managers under Other Provisions of Law

A current point of contention is how the function of a Consent Manager under the DPDPA compares with the “Consent Manager” in the National Digital Health Mission and the RBI’s Account Aggregator Framework (“AAF”).

As per Section 6(9) of the DPDP Act, every Consent Manager must be registered with the Board and follow the prescribed technical, operational, financial, and other conditions. This indicates that the Consent Manager functions as a Data Fiduciary under the DPDP Act rather than solely being a technology platform. Although the Consent Manager under the DPDP Act can use a technology platform, it is a distinct entity that is visible to the public. On the other hand, the Consent Manager in the AAF is a pure technology platform, similar to an Internet Service Provider, which has no such responsibility to the public.

The Consent Manager under the AAF is legally an intermediary, while the Consent Manager under the DPDPA is a Data Fiduciary with specific obligations as outlined in the DPDPA. The question of whether there is any visible disclosure from the Data Principal to the Consent Manager arises, since the Consent Manager platform under the AAF can be set up such that no person can access the Consent Manager’s identity. Therefore, such a platform could not be subject to the DPDPA responsibilities of a Data Fiduciary.

Conclusion

In conclusion, Consent Managers serve as intermediaries, streamlining consent processes and promoting transparency. They facilitate informed consent, consent withdrawal, and verifiable consent records, reducing data scraping and unauthorised data collection. They play a pivotal role in ensuring transparency, customer confidence, and personal data control.

However, differences exist between Consent Managers in the DPDP Act and those under other laws. In the DPDP Act, Consent Managers are considered Data Fiduciaries, with defined obligations and visibility over personal data, whereas in other contexts, they may function primarily as technology platforms.

FAQs

Will consent managers be regulated in any way?

Yes, these Consent Managers will be subjected to regulatory oversight by the Data Protection Board. Section 27 (c) of the Act provides that the Board shall exercise and perform their powers and functions “on receipt of an intimation of breach of any condition of registration of a Consent Manager, to inquire into such breach and impose penalty as provided in this Act.”

Are there any set standards for electronic consent?

Yes, the MeitY Electronic Consent Framework can be referred to here: https://dla.gov.in/sites/default/files/pdf/MeitY-Consent-Tech-Framework%20v1.1.pdf

Who is a data fiduciary?

Section 2(i) of the Act states that “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.


[1] Per Sanjay Kishan Kaul, J., in Puttaswamy, (2017) 10 SCALE 1 at p. 30, referring to the Second Circuit’s decision in Haelan Laboratories v. Topps Chewing Gum, 202 F.2d 866 (2d Cir. 1953), penned by Judge Jerome Frank.

[2] As per Section 2 (g) “Consent Manager” means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.

[3] As per Section 2 (s) “person” includes— (i) an individual; (ii) a Hindu undivided family; (iii) a company; (iv) a firm; (v) an association of persons or a body of individuals, whether incorporated or not; (vi) the State; and (vii) every artificial juristic person, not falling within any of the preceding sub-clauses.

[4] As per Section 2 (j) “Data Principal” means the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf.

[5] As per Section 2 (i) “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
