On January 03, 2025, MeitY (Ministry of Electronics & Information Technology) published the Draft Digital Personal Data Protection Rules, 2025 (“Draft Rules”) under the DPDPA, inviting public comments, objections and suggestions through the MyGov Portal until February 18, 2025. The Draft Rules aim to safeguard personal data, ensure privacy in the digital ecosystem, and operationalize the Digital Personal Data Protection Act, 2023 (“DPDPA”). Notable provisions cover notice and consent mechanisms, the rights of the Data Principal, reasonable security safeguards, and personal data breaches. This article examines the provisions on ‘consent’, so that readers may assess their own compliance with them.
Notice For Consent
The DPDPA, under Section 4, lays down the prerequisites for processing personal data, which include the consent of the Data Principal; under Section 6, such consent shall be free, specific, informed, unconditional, and unambiguous. Section 5 of the DPDPA mandates that a notice be issued to the Data Principal to obtain such consent, outlining the personal data being processed and its intended use. Rule 3 of the Draft Rules elaborates on the requisite contents of such notice:
1. The information shall be presented independently of any other information that has been, is, or may be made available by the Data Fiduciary, and shall be understandable on its own. This allows the Data Principal to understand exactly what information is being sought, without the interlinked disclosures that so often perplex users.
2. A fair account of the details must be provided in “clear and plain” language, so that a Data Principal from any background can understand the data being provided and give specific and informed consent. Such account must, at a minimum, contain an itemized description of the personal data and of the goods or services, along with the specified purpose for the processing. This empowers the Data Principal to make an informed decision: for example, if a Data Principal is to provide their residential address, the Data Fiduciary shall state whether the entire address is required or merely the City, State, and/or PIN Code, and the purpose for which it is collected.
3. The Data Fiduciary shall provide a ‘communication link’ and any other required description, which shall enable the Data Principal to:
a. withdraw their consent as provided above. The Draft Rules mandate such facility to be comparable to the procedure via which consent was obtained;
b. exercise their rights under the DPDPA, i.e., the right to access, correct, erase their data, the right to nominate, and the right to grievance redressal; and
c. make a complaint to the Data Protection Board (“Board”).
These requirements emphasize transparency and give Data Principals a clear basis on which to exercise their rights.
Consent Managers
The DPDPA, under Section 2(g), describes a “Consent Manager” as a person registered with the Board who serves as a “single point of contact” enabling a Data Principal to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform. The Draft Rules provide greater clarity on the role of such Managers under Rule 4 and Schedule I.
Criterion For Registration Of A Consent Manager
1. The applicant must be a company incorporated in India. This vastly limits the pool of applicants, as the financial capability required to set up such an entity, reflected in the clauses that follow, is considerable.
2. The company has financial, technical and operational ability, amongst others, which is considered sufficient. However, there are no guidelines for the company to demonstrate such sufficiency, thus leaving room for subjectivity.
3. The general character and the financial condition of the management of the company, assumed to mean the key managerial personnel (“KMP”) as defined under the Companies Act, 2013, must be sound. As neither term is specifically defined, the clause leaves room for interpretation while imposing a highly restrictive criterion.
4. The net worth of the company shall not be less than INR 2,00,00,000/- (two crore rupees).
5. The likely volume of business, the capital structure, and the earning prospects of the company must be adequate. This clause centers on business forecasts and projections, which are inherently unpredictable and ambiguous.
6. The KMP, the directors, and the senior management of the company are required to be individuals with a “general reputation and record” of fairness and integrity. Whilst requiring natural persons of this standing limits the scope for corruption in a company, such prerequisites demand the involvement of individuals of high standing in society, further restricting the pool of applicants.
7. The MOA and AOA of the company shall contain provisions requiring the avoidance of conflicts of interest with Data Fiduciaries, and the company must put in place policies and procedures to ensure the same. These provisions may be amended only with the prior approval of the Board, which increases the procedural burden. Whilst the AOA documents the rules and regulations a company must adhere to, the intent of an MOA is merely to set out the name, registered office, objects, liability, directors, and shareholding, as depicted in Schedule I of the Companies Act, 2013. The clause is therefore partly redundant.
8. The company must secure independent certification that it is an ‘interoperable’ platform, with the performance capabilities to be in line with the requisite standards and the framework as published by the Board and that it is in possession of the appropriate organizational and technical measures so as to perform its duties and obligations.
If the above-mentioned criteria are satisfied, a company may apply to be a Consent Manager. The appointment norms are rigorous, to say the least, and greatly limit the number of companies likely to sign up as Consent Managers.
Obligations Of A Consent Manager
1. The platform of the Consent Manager shall enable a Data Principal to give consent to a Data Fiduciary onboarded onto the platform to process their personal data, or to give consent for such processing through another onboarded Data Fiduciary that maintains such personal data with the consent of the Data Principal.
2. Personal data shared or made available through the platform must be provided in a manner such that its contents are not readable by the Consent Manager.
3. Maintenance of records on its platform of the notices/ requests to acquire consent, the consents given, withdrawn or denied by the Data Principal, and the sharing of the personal data with a transferee Data Fiduciary. Such records shall be maintained for a minimum period of 7 (seven) years or as required by law.
4. The aforementioned records shall be accessible to the Data Principal via the company’s platform. The Data Principal shall also be provided access to the information contained in the records in machine-readable form, subject to the conditions laid forth.
5. The company shall develop and maintain a website, an application, or both, through which the Data Principal may access its services.
6. The Consent Manager shall not be entitled to sub-assign or sub-contract the obligations contained herein.
7. Reasonable security safeguards, as provided under Rule 6 of the Draft Rules shall be set in place to prevent personal data breach.
8. The Consent Manager shall act in a ‘fiduciary capacity’ towards the Data Principal.
9. The website/application/both as provided above, shall be easily accessible and shall contain the following information:
a. the promoters, KMP, directors and senior management registered as ‘consent manager’. There is a lack of clarity on the procedural requirements of registration and if other persons shall be entitled to partake in the endeavor;
b. the persons holding shares exceeding 2% (two percent) in the company registered as ‘consent manager’;
c. the body corporates in whose shareholding any promoter, KMP, director and senior management of the company holds shares exceeding 2% (two percent). The said disclosure is to be made on a monthly basis; and
d. Any other information the Board directs the company to disclose to ensure transparency. Given the extent of the disclosures to be published, it is more likely that a public company, whose information is already in the public domain, will take on the role.
10. Periodic audit mechanisms shall be set in place, or those as the Board may require.
11. The company shall not be entitled to transfer its control in any manner unless prior approval of the Board is acquired, amongst fulfillment of other conditions.
Consent Managers, in view of the responsibilities they assume, are expected to adhere to the rules as provided and to act for the benefit of the Data Principal. Where the Board finds otherwise, it may, suo motu, after giving the Consent Manager notice and an opportunity to be heard (‘audi alteram partem’), direct it to take measures to ensure compliance. In order to protect the interests of the Data Principal, the Board may also suspend or cancel the registration of the Consent Manager, though the Draft Rules do not specify when the latter consequence would take precedence over the former. The Board may further require the Consent Manager to furnish any information called for in order to secure such interests under the said Rule. However, the Draft Rules remain silent on whether such instances are to be intimated to the Data Principal, leaving a gray area as to how the ‘rights’ elaborated under Rule 3 are to be exercised in practice.
Authors: Malaika Karia & Dev Agarwal