Understanding India’s DPDPA Consent Manager

Contributors

Salma Khan

Data Privacy Analyst

CIPP/Asia

Maria Khan

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/E

Muhammad Faisal Sattar

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/Asia

1. Introduction

India's Digital Personal Data Protection Act, 2023 (DPDPA) is a comprehensive data privacy law enacted to regulate the processing of digital personal data in India. It aims to give individuals control over their personal data while balancing the needs of businesses against the privacy rights of individuals. A distinctive feature of the DPDPA is the role of the consent manager, which is designed to streamline and simplify how data principals manage consent for the processing of their personal data.

This article examines the role and origin of consent managers. It explores their operational framework by taking inspiration from the Data Empowerment and Protection Architecture document and similar consent management models implemented in India's financial and health sectors. It also evaluates the accountability of consent managers under the DPDPA and discusses whether entities performing this role can be discharged from potential legal liability.

Under the DPDPA, a consent manager is a person or entity that is officially registered with the Data Protection Board of India (Board). It provides an accessible, transparent, and interoperable platform to enable data principals to give, manage, review, and withdraw their consent. It serves as the primary point of contact between the data principals and businesses and ensures that the consent preferences of data principals are respected across various data processing activities.

The idea of a consent manager can be traced back to the Justice B.N. Srikrishna Committee, constituted in 2017, whose 2018 report and accompanying draft Personal Data Protection Bill guided the formulation of the DPDPA. It envisioned a consent manager as a trusted intermediary operating a "dashboard" between users and businesses, through which users could select their consent preferences from a range of options.

The DPDPA itself gives little detail on the operational framework of a consent manager. However, the Data Empowerment and Protection Architecture (DEPA) document, published by NITI Aayog, describes the technical design of consent dashboards. Further guidance can be drawn from the centralized consent management dashboards already implemented in India's financial and health sectors.

a. DEPA Document

The DEPA document explains that the consent manager would only collect "consent artefacts," meaning it would track the consent preferences of the data principal regarding their personal data and not have access to any of the actual personal data.

Under this framework, a consent manager acts as a liaison among three different entities:

  1. Data principal (user): The individual whose data is being managed. For example, a customer who shops online and has their purchase history managed.
  2. Data provider: An organization like an e-commerce platform that holds the customer's/user’s order history.
  3. Data requester: An entity like a marketing firm that seeks to access the customer’s shopping behavior for targeted advertising.

The consent manager serves as the intermediary between these entities. It maintains and enforces the customer's data-sharing preferences. When the marketing firm asks for information about the customer's shopping habits, the consent manager checks the request against the customer's recorded consent and allows only the data that the customer has consented to share, for the purpose consented to, to flow from the data provider to the data requester. This exchange is handled through APIs, and the consent manager never stores the personal data itself. If the customer has not approved access to the requested information, the consent manager denies the request.

In effect, the consent manager acts on behalf of data principals, as their representative, when granting, managing, reviewing, and withdrawing consent. This model reduces the burden of repeatedly giving consent (often referred to as consent fatigue) and replaces ad hoc data-sharing practices. It also gives users a consistent and controlled way to see and decide how their data is shared across platforms.
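To make the DEPA flow above concrete, the following is an added example written for this article; it is not code from the DEPA document, the Account Aggregator framework, or any product. The entity identifiers, the artefact fields, the purpose strings, and the `authorize` API are assumptions chosen for illustration; a production consent manager would additionally sign artefacts and expose them over mutually authenticated APIs. The example demonstrates the three properties the text emphasises: the manager holds consent artefacts only, never the personal data; a request is approved only when an active, unexpired artefact for the same principal, provider, requester, and purpose covers every requested data category; and a withdrawn artefact (the failure case discussed under accountability later in this article) can never authorise access. It also keeps an append-only audit trail, since the data fiduciary must be able to prove that consent was obtained.

```python
"""Minimal DEPA-style consent manager (illustrative; not an official implementation).

The manager stores consent artefacts (who consented to share which data categories,
with whom, for what purpose, until when) and never the personal data itself. Every
request from a data requester is checked against those artefacts; anything not
explicitly covered is denied.
"""
from __future__ import annotations

import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional


class Status(Enum):
    ACTIVE = "active"
    WITHDRAWN = "withdrawn"


@dataclass
class ConsentArtefact:
    artefact_id: str
    principal_id: str           # data principal (the user)
    provider_id: str            # data provider holding the data, e.g. an e-commerce platform
    requester_id: str           # data requester, e.g. a marketing firm
    purpose: str                # consent is purpose-bound
    categories: FrozenSet[str]  # data categories covered, e.g. {"order_history"}
    granted_at: datetime
    expires_at: datetime
    status: Status = Status.ACTIVE


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    artefact_id: Optional[str] = None


class ConsentManager:
    # The clock is injectable so that expiry can be tested deterministically.
    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)) -> None:
        self._clock = clock
        self._artefacts: Dict[str, ConsentArtefact] = {}
        self._audit: List[dict] = []  # append-only: grants, withdrawals, access decisions

    def _log(self, event: str, **details: object) -> None:
        self._audit.append({"at": self._clock().isoformat(), "event": event, **details})

    def grant(self, principal_id: str, provider_id: str, requester_id: str, purpose: str,
              categories: Iterable[str], valid_for: timedelta) -> ConsentArtefact:
        cats = frozenset(categories)
        if not cats:
            raise ValueError("consent must name at least one data category")
        now = self._clock()
        art = ConsentArtefact(str(uuid.uuid4()), principal_id, provider_id, requester_id,
                              purpose, cats, now, now + valid_for)
        self._artefacts[art.artefact_id] = art
        self._log("grant", artefact_id=art.artefact_id, principal_id=principal_id,
                  requester_id=requester_id, purpose=purpose, categories=sorted(cats))
        return art

    def withdraw(self, principal_id: str, artefact_id: str) -> bool:
        """Only the principal who gave the consent may withdraw it."""
        art = self._artefacts.get(artefact_id)
        if art is None or art.principal_id != principal_id:
            self._log("withdraw_rejected", artefact_id=artefact_id, principal_id=principal_id)
            return False
        art.status = Status.WITHDRAWN
        self._log("withdraw", artefact_id=artefact_id, principal_id=principal_id)
        return True

    def review(self, principal_id: str) -> List[ConsentArtefact]:
        """Everything the dashboard would show the user, withdrawn artefacts included."""
        return [a for a in self._artefacts.values() if a.principal_id == principal_id]

    def authorize(self, requester_id: str, provider_id: str, principal_id: str,
                  purpose: str, categories: Iterable[str]) -> Decision:
        """Decide whether the provider may release the requested categories to the requester.
        On approval the provider sends the data directly to the requester; it never passes here."""
        requested = frozenset(categories)
        now = self._clock()
        for art in self._artefacts.values():
            if (art.principal_id, art.provider_id, art.requester_id, art.purpose) != \
               (principal_id, provider_id, requester_id, purpose):
                continue
            if art.status is Status.WITHDRAWN:
                continue  # withdrawn consent must never authorise access
            if now >= art.expires_at:
                continue  # expired consent is treated exactly like no consent
            if requested <= art.categories:  # every requested category must be covered
                self._log("access_allowed", artefact_id=art.artefact_id,
                          requester_id=requester_id, categories=sorted(requested))
                return Decision(True, "covered by active consent", art.artefact_id)
        self._log("access_denied", requester_id=requester_id, principal_id=principal_id,
                  purpose=purpose, categories=sorted(requested))
        return Decision(False, "no active consent covers this request")

    def audit_trail(self) -> List[dict]:
        return list(self._audit)


if __name__ == "__main__":
    cm = ConsentManager()
    art = cm.grant("user-1", "shop", "adtech", "targeted_advertising", {"order_history"}, timedelta(days=30))
    print(cm.authorize("adtech", "shop", "user-1", "targeted_advertising", {"order_history"}))
    print(cm.authorize("adtech", "shop", "user-1", "targeted_advertising", {"order_history", "payment_details"}))
    cm.withdraw("user-1", art.artefact_id)
    print(cm.authorize("adtech", "shop", "user-1", "targeted_advertising", {"order_history"}))
```

The decision is deliberately default-deny: a request that names one category outside the artefact, a different purpose, a different requester, or an expired or withdrawn artefact all fall through to the same denial. The audit trail records each decision so that, if processing is later challenged, there is a record of what was consented to and what was released under it.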

In India, models similar to the DPDPA’s consent manager have already been implemented in the financial and health sectors. These models may provide a useful reference point for how consent managers might operate under the DPDPA.

  1. Financial Sector: The Reserve Bank of India (RBI) created a class of non-banking financial companies called Account Aggregators (AAs) under its Master Direction on Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016. In this setup, the AA collects 'consent artefacts', i.e., records of the user's consent to share financial information held by one institution with another. The AA does not own or read the underlying financial data; it only facilitates its sharing between the institutions in line with the user's consent.
  2. Health Sector: The National Health Authority’s Ayushman Bharat Digital Mission (ABDM) offers another operational model. This initiative provides a seamless online platform for users to manage their health data and consent for its use, potentially guiding how consent managers could operate under the DPDPA.

Ensuring interoperability under the DPDPA may present greater challenges than in the financial sector. In finance, both the Account Aggregators and the financial institutions that share data through them are regulated by the RBI, which sets stringent technical standards and thereby ensures that all participants build interoperable systems. Under the DPDPA, by contrast, the registration conditions (technical, operational, financial, and otherwise) apply only to consent managers; data fiduciaries are neither bound to a common interface standard nor obliged to integrate with a consent manager at all. This could complicate seamless integration across the ecosystem.

Interoperability within the DPDPA framework would be easier to achieve if regulatory oversight extended to the interfaces between consent managers and data fiduciaries. The Central Government is expected to prescribe the specific technical, operational, financial, and other conditions for registration, which would go some way toward ensuring effective and secure consent management.

Under the DPDPA, if the processing of personal data is challenged in a legal proceeding, the data fiduciary must demonstrate that it properly notified the data principal and obtained consent in compliance with the DPDPA's requirements. The notice must contain:

  1. A description of the personal data that will be collected and the purpose for which it is being collected.
  2. Information on how the data principal can exercise their right to withdraw consent at any time and their right to seek redressal for grievances.
  3. Instructions on how the data principal can file a complaint with the Board, including details of the procedure that will be specified for this purpose.

Additionally, consent must be free, specific, informed, unconditional, and unambiguous, with clear affirmative action.

Under the DPDPA, a consent manager is accountable to data principals and must act on their behalf. While the extent of this accountability is yet to be clarified, the DPDPA allows data principals to seek grievance redressal from consent managers if something goes wrong. This means consent managers may face legal liability under the DPDPA for breaches of their obligations. For instance, if a data principal withdraws consent, the consent manager must not approve further access to that data; if it does, it may face penalties for breach of the DPDPA. This is a shift from traditional privacy laws, where such liability typically rests with data fiduciaries alone.

Since appointing a consent manager is not mandatory under the DPDPA, data fiduciaries (or vendors acting for them) may choose to run their own consent processes without formally registering as a consent manager. These processes may include:

  1. Providing details related to the personal data collected and its purpose.
  2. Offering an easy-to-use dashboard for managing consent and withdrawing it.
  3. Instituting a grievance redressal mechanism.
  4. Using clear affirmative actions to ensure explicit consent collection.
  5. Keeping detailed records of consent and related communications to demonstrate compliance if needed.

Such processes will help data fiduciaries comply with the consent requirements of the DPDPA. In the absence of a registered consent manager, however, legal accountability for compliance remains with the data fiduciary.
