The Digital Personal Data Protection Act, 2023 is being portrayed as the most revolutionary and awaited law for India. While it promises many protections, it also leaves many questions unanswered. One such issue pertains to the case of Consent Manager Framework introduced in DPDP Act, 2023. “Consent Manager Framework” was catalyzed by the recommendations of the report submitted to the Parliament visà-vis the Data Protection Bill, 2019. Consent Managers are third-party independent entities registered with the Data Protection Board They are responsible for managing, reviewing, and withdrawing the consent of the Data Principal by using a transparent platform. The Data Fiduciary is required to implement those processes to enable the Consent Managers to act on behalf of the Data Principal.

They will be operated within the paradigms of the electronic consent framework established by the Ministry of Electronics and Information Technology. The MeitY has released a set of technology standards for the purpose of electronic consent (wherein Consent Managers are referred as Consent Collectors). Section 2(g) specifies the definition of “Consent Manager” as a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform. A similar concept of Consent Managers was introduced by Reserve Bank of India in 2021.

They are called “Account Aggregators.” Like the Consent Manager, the prime job of AA is to obtain, submit and manage customer’s consent via a technical legal framework that emphasises on the legality of sharing of consent like the Consent Managers do. Additionally, AAs accelerate the consented transfer of financial data between financial institutions such as Banks, Insurance Companies, Pension Funds etc.

The only difference is that AAs are acting as the Consent Manager in the financial sector. The objective of the act is to reinstate the concept of trust by safeguarding the personal information of the data principal and by imposing various lawful obligations on the Data processors and Data Fiduciary. “Consent,” is the foundation of any privacy principle and data protection law. Given the diverse nature of the country, the operationalization of effective consent is required. Furthermore, the Consent Managers are thirdparty entities that use an interoperable tech framework to enable consent regulation digitally. A consent manager has the duty to act on the behalf of the Data Principal. They play a pivotal role in standardizing the consent. Organizations using this consent management framework find it quite feasible to adhere to the rights and regulations pertaining to the Data Principal and attract new clients and customers. The organizations are subject to numerous consent related responsibilities like permission to share, acknowledging the withdrawal of consent request, obtaining permission for the collection of data, obtaining informed consent for a specific objective and ability to showcase that the data was obtained before the handling of the data of Data Principals. To comply with the requirements for these standards, the organizations need to establish procedures and structures.

However, the correct practical answer will be provided by the Consent Manager who will follow a techno-legal approach. The Consent Management Framework will provide the following: As the consent manager will construct the technical and legal standards as enumerated by the concerned authorities, so the organizations or companies who interlink their companies’ systems with it will by default comply with the law. After the Data Principal gives consent for the sharing of data, the personal information shall flow directly from the original source to the one in need. This will assuredly avoid unauthorized collection of data from public sources, data scrapping etc. The trust of the user is at stake. However, once the authority approves the consent managers who will work under the set of guidelines such as openness, confidence, control and data reduction, this will surely be a win-win situation. Thus, the consent manager plays an important role in building the trust with clients as they are the only bridge between the Data Fiduciary and Data Principal. The role of a Consent Manager within the DPDP Act can be seen as both a boon and a potential challenge, depending on the context and implementation. As a boon The consent taken from the Data Principal shall be specific, informed and unambiguous in nature along with clear affirmative action. A thoughtful Consent Manager shall simplify and streamline the consent provision process, making it more accessible for them.

A Consent Manager empowers individuals by bestowing them with enhanced transparency and control over their personal data which aligns harmoniously with DPDP Act’s rights of the Data Principals. Consent Managers can serve as a mechanism for organizations to standardize their consent-related procedures, ensuring congruence with the Act. As a challenge In scenarios where Consent Managers are not appropriately implemented, there is a potential for organizations to misuse them as a means to manipulate or coerce users into granting consent without a full understanding of the implications. The incorporation of Consent Managers could potentially augment the compliance complexity, possibly creating challenges for organizations to seamlessly integrate, and for users to navigate.

Excessive consent requests without adequate information, or if consent becomes a mandatory prerequisite for availing services, may result in a situation where true, freely given consent is compromised. In conclusion, the Consent Manager Framework reflects that the DPDP Act, 2023 presents a transformative approach to data protection as it addresses the need for effective consent management in an evolving digital landscape. It is expected that the Consent Managers may act as intermediaries, facilitating transparent and controlled consent processes for Data Principals with the aim of restoring trust by safeguarding personal information and imposing legal obligations.

However, the role of Consent Managers is two-fold. On the one hand, they enhance consent management by offering clarity, empowerment, and standardization. On the other, there’s a risk of misuse and complexity if not implemented thoughtfully. While this framework symbolizes India’s readiness to embrace the digital era by promising to protect the personal data of the citizens, it lacks the foolproof mechanism in law vis-à-vis regulation of Consent Managers. One hopes that this issue will be expediently addressed for smooth implementation of the law.

(The writers are, respectively, Advisor & Data Privacy Counsel, World Cyber Security Forum, and Professor, National Law University, Bhopal.)