The Role of Consent Managers under the DPDP Bill

Article by Tsaaro

July 7, 2023

7 min read

Introduction

The formulation of a strong data protection framework recently received a huge push, with several media reports stating that the Digital Personal Data Protection (DPDP) Bill has been approved by the Union Cabinet. This implies that the Bill is now ready to be placed in the next session of parliament, i.e., the monsoon session, where after deliberation, it may finally take shape of a law in force.

The first steps towards establishing a data protection regime on a strong legal cornerstone first started with the legal recognition being given to Right to Privacy in the Supreme Court’s 2017 Judgement of Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors. Judgement (2017) 10 SCC 1. Further, a Committee was set up under Retired Justice B.N. Srikrishna, the head of the Committee that produced the first draft bill on data protection. After several iterations, it seems finally there seems to be widespread consensus on a bill that can cater to the needs of Indian Jurisdiction with the DPDP Bill, 2022.

The Digital Personal Data Protection Bill, 2022

The DPDP Bill 2022 has been brought in with the Government’s aim to put a strong data protection legal framework in place. Setting up a statutory framework that recognises the need for maintaining a balance between an individual’s need to protect their data as well an Organisation’s need to process data is crucial for this Data-Driven Economy. This Bill allows for procession of data for lawful purposes but puts in certain checks and balances which will restrain organisations from being too pervasive or processing user’s data without their informed consent.

Also, read, Understanding the developments in CoWIN portal Data leak Saga: From reports of the breach to the Government’s response.

The Bill will be applicable to handling digital personal data processed in India, whether the data is obtained online or offline and then converted to digital form. If the processing is being done to offer products or services or create profiles of people in India, it will also apply to processing done outside of India. Only legitimate uses of personal data may be carried out with the consent of the data subject. In some circumstances, consent may be assumed. Data fiduciaries will be required to keep data accurate, safe, and deleted after its purpose has been served. The Bill provides individuals with a number of rights, including the ability to request information, seek correction and erasure, and file a grievance.

Some new entities will also be introduced in the Indian Data Protection Sphere; these include the Data Protection Board of India, which will be established by the Union government to decide cases of non-compliance with the Bill’s requirements. And the other new entity in the Indian Data Protection sphere is the introduction of Consent managers.

Consent Manager Framework

The Introduction of Consent Mangers in the Indian Legal Sphere of Data Protection is a newer addition. The Consent managers are being brought into the fold due to the economy being data-driven and the rapid growth of the digital economy.

The Adoption of the consent Manager Framework stems from Recommendations made by the B.N Srikrishna Committee for India to have a fiduciary nature of the Data Protection Regime. In an effort to develop the idea of trust, the Bill gives data subjects—referred to as data principals in the DPDP—rights and requires corporations to preserve and protect those rights. In the framework for data privacy, “consent” serves as the cornerstone for both privacy protection and individual freedom. Due to India’s vast diversity, operationalizing meaningful consent would require more than just legal and regulatory regulations. According to the proposed legislation, consent managers are third-party entities that use an interoperable tech framework to enable consent regulation digitally. India will be the only nation to implement and formally adopt a tripartite model for data sharing.

Also, read, Concerns of Consent under the DPDPB: Compliance Requirements.

Duties of Consent Managers

The Data Protection Board of India, the regulatory body established by the DPDPB, envisions that a Data Fiduciary may use the services of a “consent manager” to manage the “consent” of the Data Principal. A consent manager represents the Data Principal and takes action on its behalf when granting, managing, reviewing, or revoking consent. A consent manager is likewise considered a Data Fiduciary under the DPDPB.

Consent managers play a crucial part in standardising consent. Businesses that use this framework to their advantage may find it easier to adhere to the data principles rights regulations and win over more customers. Companies are subject to several consent responsibilities under the Bill, including permission to share, obtaining informed consent for a specific objective, acknowledging withdrawal of consent, obtaining permission for collecting, Sharing or repurposing data and the ability to demonstrate that the consent was obtained before handling the data of data principals.

To meet these standards, businesses will establish their structures and procedures. A predictable answer is provided by a consent manager, a techno-legal automated approach. The consent manager framework should provide the following:

- Standardization: Companies who link their systems to this will, by default, operate in conformity with the law since consent managers will incorporate the technological and legal criteria defined by the Authority.

- Accuracy and Quality: After the data subject gives consent to sharing, personal information will flow directly from the information supplier to the information user. The needed person will receive the information from the original source. This will put an end to methods like data scraping, unauthorised public source collecting, aggregation websites, etc.

- Relationship of Trust: The Authority will approve consent managers, who will work under the guiding principles of openness, confidence, control, and data reduction. Thus consent managers will play a vital role in building trust with consumers, as data principals can only contact data fiduciaries through consent managers.

Conclusion

The Statutory Introduction of Consent Managers into the Indian Data Protection Sphere is a welcoming move. This structural push bases the principal-fiduciary relationship in an environment of openness and accountability. Even the EU’s GDPR does not account for a tripartite system of data protection and personal data sharing, such as one the DPDP bill proposes. It is expected that with the passing of this legislation and relevant governance guidelines, India will usher into an era of a digital economy with a statutory framework capable enough to tackle all the emerging challenges to the data protection and privacy of its citizens.

Simplify your organisation’s privacy compliance by connecting with Tsaaro. Connect with us to stay updated with the latest laws and regulations and the nuances or changes in compliance they entail. To get in touch with us, email us at: info@tsaaro.com.Take the first step towards a secure your organization’s data by scheduling a call with our privacy expert team at Tsaaro Solutions today.