Naavi.org has been debating the concept of the “Consent Manager” under DPDPA 2023 and the possibility of making it an improvement over the concept of the “Consent Manager under the DEPA Framework”, which has been adopted under the Account Aggregator scheme.
Going through the current version of the DPDPA rules, it appears that MeitY has chosen not to exercise its option to improve upon the DEPA Framework, but rather to retain the concept with which it is more familiar.
Every Consent Manager needs to be registered with the DPB and shall be an Indian company whose directors and senior management have a reputation for a record of fairness and integrity. Any conflict of interest with any Data Fiduciary, either at the corporate level or at the executive level, needs to be avoided.
The minimum net worth of the company has to be not less than Rs 2 crore.
Under sub rule (3) of this Rule 5, it is stated that one of the obligations of the Consent Manager is …
“to establish an accessible, transparent and interoperable platform that enables a data principal to give, manage, review and withdraw her consent to herself obtain her personal data from a data fiduciary or to ensure that such personal data is shared with another data fiduciary of her choice, without the consent manager being in a position to access that personal data”
This clause highlights the “Intermediary” role of the Consent Manager under ITA 2000, while sub rule 1(c) states that the Consent Manager shall act in a “Fiduciary” capacity.
The “Fiduciary” capacity and “Intermediary” status are mutually exclusive. They are different and this has been ignored.
Further, while sub clause (1) states that the Consent Manager shall be a company, sub clause (7) implies that it can be a firm or an association of persons. The rule in places also refers to the “Consent Manager” as “her”, indicating that it could even be an individual.
These are probably unintended and can be corrected in the next version.
The rule also prescribes a data retention period of 7 years or longer, which could influence the due diligence expected of Data Fiduciaries in similar circumstances.
The question is: if the Consent Manager is required to keep the consent information for 7 years or more, why not the primary Data Fiduciary?
Also, is there a “Purpose” for the Consent Manager to collect and hold the consent? If so, is there a separate expiry period for it? …
Also, if according to sub rule (2)(b) the Consent Manager needs to maintain a digital record of, and offer to a Data Principal digital access to,
(i) every request for consent approved or rejected by her, and
(ii) every Data Fiduciary who has shared her personal data in response to a request for consent approved by her,
how can sub clause (3), which states that the Consent Manager shall not have access to the Consent, be fulfilled?
Probably a more detailed discussion is required in this regard…
Naavi