
India: Exploring the practical implementation of consent managers under the Digital Personal Data Protection Act, 2023

In this Insight article, Aparna Gaur and Varsha Rajesh, from Nishith Desai Associates, delve into the realm of consent managers and their role in India's data privacy landscape.

The Government of India has recently enacted the Digital Personal Data Protection Act, 2023 (the Act) after multiple consultations and deliberations over the years. With the passing of the Act, the collection, processing, storage, and transfer of personally identifiable information of an individual, i.e., personal data in digital format, is regulated. The Act, in its current form, lays down a skeletal framework, leaving much to be prescribed by the Government in the form of rules and regulations. Although the Act was enacted on August 11, 2023, its provisions are yet to be notified to come into force.


Like many contemporary data protection laws across jurisdictions, the Act recognizes consent-based processing as one of the grounds for processing (the other being legitimate uses). Therefore, data fiduciaries (i.e., companies or individuals who determine the purpose of processing personal data) are required to obtain the consent of the data principal (i.e., the individual to whom the personal data relates) at the time of collection of personal data, along with providing a detailed notice. Interestingly, the Act introduces the concept of 'consent managers', who are entrusted to manage data principals' consent and are intended to be independent entities distinct from data fiduciaries and data processors.

The concept of a consent manager has been recurring since the first draft of the data law in 2019. In 2021, the Joint Parliamentary Committee report reinforced the function of consent managers and also recommended the insertion of a specific definition.

What is a consent manager under the Act?

Under the Act, a consent manager is defined as a person registered with the Data Protection Board of India and acts as a single point of contact to enable a data principal to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform. A data principal may give, manage, review, or withdraw their consent to the data fiduciary through a consent manager. The consent manager is accountable to the data principal and acts on their behalf. The extent of this accountability will be subsequently prescribed by the Government in the rules. Further, the data principal may also exercise their rights under the Act and seek grievance redressal from the consent manager. The Act does not prescribe specific penalties for breach of the above-specified responsibilities by consent managers.

It is also important to note that it is not mandatory to appoint a consent manager. A data principal may elect to use a consent manager to give, manage, and withdraw their consent. Currently, the Act does not provide further clarity on the obligations of consent managers; however, it provides that the Government will issue rules and regulations under the Act that will further elaborate on the manner of registration, conditions of registration, accountability, and obligations of the consent manager.

How will the consent manager be deployed?

For now, the practicalities and the implementation of consent managers are speculative. Some of the key questions to think through include whether data fiduciaries are mandatorily required to onboard consent managers, and whether a consent manager is only required in special circumstances, such as when the data principal is disabled.

Reportedly, the Government is looking at consent managers as user-facing entities, with data principals being able to choose from multiple consent managers to manage their consent on platforms/applications. Building upon this view, one of the ways to envisage the operational aspect of consent managers under the Act is to draw a parallel to account aggregators as introduced by the Reserve Bank of India (RBI) for financial services.

Account aggregators act as intermediaries that collect and share financial data of individuals within the financial ecosystem, such as between a lender and a bank, after obtaining the consent of the individual. Typically, the account aggregator interacts with the individual through a web-based or mobile application to facilitate this process. In this procedure, the consent of the individual must be obtained in an electronic format detailing the identity of the individual and optional contact information, the nature of the financial information requested, the purpose of collecting such information, the identity of the recipients of the information, if any, the URL or other address to which a notification needs to be sent every time the consent artifact is used to access information, the consent creation date, the expiry date, and the identity and signature/digital signature of the account aggregator, among other things. The account aggregator is also required to provide the individual with an option to withdraw consent and a grievance redressal mechanism.
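To make the consent artifact described above concrete for an engineer building or integrating with a consent manager, the following is an added illustrative example (not code from the article, and not the RBI account-aggregator or MeitY specification). It models an artifact carrying the fields listed in the paragraph, signs it, and then checks the artifact before any data release: signature intact, not withdrawn, inside its creation/expiry window, recipient actually named, and requested items actually covered. The HMAC-SHA256 signature, the field names, and the sample values are assumptions standing in for whatever signature scheme and schema the rules eventually prescribe.

```python
"""Illustrative consent-artifact model: signed, expiring, recipient-scoped.
Assumed schema and HMAC signature; not the RBI or MeitY specification."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class ConsentArtifact:
    # Fields mirror the items the article lists for an account-aggregator consent.
    artifact_id: str
    principal_id: str            # identity of the individual
    contact: Optional[str]       # optional contact information
    data_items: List[str]        # nature of the information requested
    purpose: str                 # purpose of collecting the information
    recipients: List[str]        # identity of the recipients, if any
    notification_url: str        # address notified each time the artifact is used
    created_at: str              # consent creation date, ISO 8601 UTC
    expires_at: str              # expiry date, ISO 8601 UTC
    manager_id: str              # identity of the aggregator / consent manager
    signature: str = ""          # hex HMAC-SHA256 over all other fields (assumed scheme)

    def canonical_bytes(self) -> bytes:
        # Deterministic serialisation so signer and verifier hash identical bytes.
        body = asdict(self)
        body.pop("signature")
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_artifact(artifact: ConsentArtifact, key: bytes) -> ConsentArtifact:
    sig = hmac.new(key, artifact.canonical_bytes(), hashlib.sha256).hexdigest()
    return replace(artifact, signature=sig)


def verify_artifact(artifact: ConsentArtifact, key: bytes) -> bool:
    expected = hmac.new(key, artifact.canonical_bytes(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, artifact.signature)


def tampered_copy(artifact: ConsentArtifact, **changes) -> ConsentArtifact:
    # Helper for demonstrating that any post-signing edit breaks verification.
    return replace(artifact, **changes)


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def consent_permits(artifact: ConsentArtifact, key: bytes, recipient: str,
                    requested_items: List[str], now: str,
                    withdrawn: Set[str]) -> Tuple[bool, str]:
    """Decide whether `recipient` may receive `requested_items` at time `now`.
    Every check is a reason to refuse; the first failure is reported."""
    if not verify_artifact(artifact, key):
        return False, "signature invalid"
    if artifact.artifact_id in withdrawn:
        return False, "consent withdrawn"
    if not (_parse(artifact.created_at) <= _parse(now) < _parse(artifact.expires_at)):
        return False, "outside validity window"
    if recipient not in artifact.recipients:
        return False, "recipient not named in consent"
    extra = set(requested_items) - set(artifact.data_items)
    if extra:
        return False, "items not covered: " + ", ".join(sorted(extra))
    return True, "ok"


# Constructed sample data; a real manager would hold a private signing key.
KEY = b"constructed-demo-key"
SAMPLE = sign_artifact(ConsentArtifact(
    artifact_id="ca-0001", principal_id="principal-42", contact=None,
    data_items=["bank_statement", "salary_slip"], purpose="loan underwriting",
    recipients=["lender-A"], notification_url="https://manager.example/notify",
    created_at="2024-01-01T00:00:00Z", expires_at="2024-07-01T00:00:00Z",
    manager_id="manager-1"), KEY)

if __name__ == "__main__":
    print(consent_permits(SAMPLE, KEY, "lender-A", ["bank_statement"],
                          "2024-03-01T00:00:00Z", set()))
    print(consent_permits(SAMPLE, KEY, "lender-A", ["bank_statement"],
                          "2024-08-01T00:00:00Z", set()))
```

The design point for a data fiduciary is that the artifact, not the request, is the source of truth: the recipient, purpose and item list are bound under the signature, so a downstream party cannot widen the scope of what was consented to, and withdrawal is checked on every use rather than only at issuance.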

Similarly, it is likely that consent managers under the Act will act as consent intermediaries, required to obtain the consent of data principals in a standardized format and deliver it to the data fiduciary from whom the data principal wishes to avail services. However, there is no clarity on whether consent managers are also required to perform the function of collecting personal data (in addition to obtaining consent) from individuals and sharing it with the data fiduciaries.

Furthermore, assuming that consent managers would not be required to store or transmit any personal data, it is unclear, under the provisions of the Act, whether consent managers would be considered data fiduciaries merely for the collection of consent from an individual. Nonetheless, if a consent manager is collecting any personal data in an independent capacity for the purpose of providing consent management services to a data principal (such as collection of email IDs and names for consent manager platform onboarding), then to this extent, the consent manager may be considered as a data fiduciary.

Separately, it must also be noted that the Ministry of Electronics and Information Technology (MeitY) has released the Electronic Consent Framework, which details the technology specifications and the consent interface for obtaining electronic consent. However, at present, it is unclear whether consent managers, as envisaged under the Act, will be required to conform to these guidelines.

How can businesses prepare themselves for consent managers?

Once enforced and operational, consent managers will play an integral role in the digital data ecosystem. They may act as a one-stop solution for data principals to provide, manage, and withdraw consent. This may create a standardized and accuracy-driven ecosystem for consent-based processing in India.

While much clarity and information is awaited on the implementation of the consent managers framework, companies can prepare themselves to collaborate and participate with consent managers by:

  • categorizing each item of personal data collected based on the purpose of collection. If consent is provided through a consent manager, as a data fiduciary, the business may be required to provide detailed information to the consent manager regarding the personal data items and the purposes for which consent is being sought;
  • determining the retention periods for the personal data collected or in possession, which will enable the consent manager to determine when re-consent may be required; and
  • instituting a grievance redressal mechanism and organizational systems for attending to data principals' requests for access, rectification, and deletion of their personal data. This will allow data fiduciaries and consent managers to delineate their responsibilities towards data principals and avoid overlapping functions.  

Way forward

As the Act becomes effective and the rules are introduced, a six-month window will reportedly be provided for businesses to align with the Act and establish the required processes, including onboarding consent managers. It is anticipated that the rules will delineate between the functions of the data fiduciary and the consent manager, as well as the statutory obligations related to the management of data principal consents. Additionally, further clarity may be provided regarding the applicability of penalties to consent managers.

It is also noteworthy that consent managers, being an uncommon practice at present, will pose a challenge for the industry to navigate and implement during the initial phase. As a first step, it would be interesting to observe the types of businesses and platforms that will register themselves as consent managers and the technology models that will be deployed to facilitate consent between individuals and other businesses.

Aparna Gaur, Leader - Technology, Data Privacy and Cyber Security
Varsha Rajesh, Member - Digital Health, Lifesciences and Data Privacy
Nishith Desai Associates, India
