1. Introduction
The India Digital Personal Data Protection Act (DPDPA) is a comprehensive data privacy law enacted to regulate the processing of digital personal data in India. It aims to grant individuals control over their personal data and seeks to balance the needs of businesses with the privacy rights of individuals. A unique feature of the DPDPA is the role of the consent manager, which is designed to streamline and simplify how data principals manage their consent to the processing of their personal data.
This article examines the role and origin of consent managers. It explores their operational framework by taking inspiration from the Data Empowerment and Protection Architecture document and similar consent management models implemented in India's financial and health sectors. It also evaluates the accountability of consent managers under the DPDPA and discusses whether entities performing this role can be discharged from potential legal liability.
2. Consent Manager
Under the DPDPA, a consent manager is a person or entity that is officially registered with the Data Protection Board of India (Board). It provides an accessible, transparent, and interoperable platform to enable data principals to give, manage, review, and withdraw their consent. It serves as the primary point of contact between the data principals and businesses and ensures that the consent preferences of data principals are respected across various data processing activities.
The idea of a consent manager can be traced back to the Srikrishna Committee Report of 2017, a document guiding the formulation of the DPDPA. It envisioned a consent manager as a trusted intermediary who would operate a "dashboard" between users and businesses and help users select their consent preferences from a range of options.
3. Operational Framework of Consent Manager
The DPDPA lacks detailed guidance regarding the operational framework of a consent manager. However, the Data Empowerment and Protection Architecture (DEPA) document, published by NITI Aayog, offers guidance on the technical aspects of consent dashboards. Additionally, inspiration can be drawn from the centralized consent management dashboards implemented in India’s financial and health sectors.
a. DEPA Document
The DEPA document explains that the consent manager would only collect "consent artefacts," meaning it would track the consent preferences of the data principal regarding their personal data and not have access to any of the actual personal data.
Under this framework, a consent manager acts as a liaison among three different entities:
- Data principal (user): The individual whose data is being managed. For example, a customer who shops online and has their purchase history managed.
- Data provider: An organization like an e-commerce platform that holds the customer's/user’s order history.
- Data requester: An entity like a marketing firm that seeks to access the customer’s shopping behavior for targeted advertising.
The consent manager serves as the intermediary between these entities. It maintains and oversees the customer's data-sharing preferences. When the marketing firm wants to access information about the customer’s shopping habits, the consent manager ensures that only the data for which the customer has given consent is shared. This process is handled securely through APIs, and the consent manager does not store any of the actual data. The consent manager will deny the request if the customer has not approved access to certain information.
It follows that a consent manager acts on behalf of data principals, as their representative, when granting, managing, reviewing, and withdrawing consent. This system reduces the burden of repeatedly giving consent (often referred to as consent fatigue) and replaces outdated data-sharing practices. Additionally, it provides users with a more consistent and controlled approach to how their data is shared across various platforms.
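The request flow described above, as an added example that is not part of the original article or of the DEPA specification: a consent manager that stores only consent artefacts and decides which requested data types a provider may release. The artefact fields (including purpose and expiry), the class names and the sample identifiers are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class ConsentArtefact:
    """A consent preference only; it never carries the personal data itself."""
    principal: str          # data principal (user)
    provider: str           # entity holding the data
    requester: str          # entity asking for the data
    data_types: frozenset   # categories the principal agreed to share
    purpose: str            # assumed field: consent is tied to one purpose
    expires: datetime       # assumed field: consent is time-limited
    withdrawn: bool = False

class ConsentManager:
    def __init__(self):
        self._artefacts = []

    def grant(self, artefact):
        self._artefacts.append(artefact)
        return artefact

    def withdraw(self, artefact):
        artefact.withdrawn = True

    def authorize(self, principal, provider, requester, purpose, requested, now):
        """Return (approved, denied) data types; default is deny."""
        approved = set()
        for a in self._artefacts:
            same_parties = (a.principal, a.provider, a.requester, a.purpose) == (
                principal, provider, requester, purpose)
            if same_parties and not a.withdrawn and a.expires > now:
                approved |= a.data_types & set(requested)
        return approved, set(requested) - approved

def demo():
    # Constructed sample: a marketing firm asks a shop for two data types.
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    cm = ConsentManager()
    art = cm.grant(ConsentArtefact(
        "customer-1", "shop.example", "ads.example",
        frozenset({"purchase_history"}), "targeted_advertising",
        datetime(2025, 6, 1, tzinfo=timezone.utc)))
    req = ("customer-1", "shop.example", "ads.example", "targeted_advertising",
           {"purchase_history", "delivery_address"}, now)
    before = cm.authorize(*req)   # only the consented type is approved
    cm.withdraw(art)
    after = cm.authorize(*req)    # withdrawal denies everything
    return before, after
```

The provider would release only the approved set returned by `authorize`; the consent manager itself never receives the purchase history or address.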
b. Consent Management Dashboards in Financial and Health Sectors
In India, models similar to the DPDPA’s consent manager have already been implemented in the financial and health sectors. These models may provide a useful reference point for how consent managers might operate under the DPDPA.
- Financial Sector: The Reserve Bank of India (RBI) has approved a consent management model called ‘Account Aggregator Directions’ (Aggregator) under its Non-Banking Financial Company. In this setup, a dashboard collects 'consent artefacts', i.e., records of user consents to various financial institutions. The Aggregator doesn’t own the actual data but facilitates its sharing between the user and the institutions.
- Health Sector: The National Health Authority’s Ayushman Bharat Digital Mission (ABDM) offers another operational model. This initiative provides a seamless online platform for users to manage their health data and consent for its use, potentially guiding how consent managers could operate under the DPDPA.
Ensuring interoperability under the DPDPA may present significant challenges compared to the financial sector. In the finance sector, both Aggregators and financial institutions are regulated by the Reserve Bank of India (RBI), which sets stringent technical standards, ensuring that all participants develop interoperable systems. However, under the DPDPA, the Board only has authority over consent managers, and the other entities involved do not fall under its scope. This could complicate achieving seamless integration across the ecosystem.
With regulatory oversight, interoperability within the DPDPA framework may be easier to achieve. The Central Government is expected to establish specific technical, operational, financial, and other registration requirements to ensure effective and secure consent management.