Module 3 · Part 4 of 5

Consent Manager Framework

DPDPA Section 7: India's Innovative Intermediary Model for Data Principal Empowerment

⏱️ Reading Time: 30 minutes 📖 Covers: Section 7 ⚖️ Penalty: Up to ₹150 Crores

📋 Introduction: A Uniquely Indian Innovation

The Consent Manager framework under Section 7 of DPDPA 2023 represents one of India's most distinctive contributions to global data protection law. Neither GDPR, CCPA, nor any other major data protection regime has an equivalent mechanism.

"The Consent Manager is to personal data what a stockbroker is to securities—a trusted intermediary that helps individuals navigate complexity while maintaining their autonomy." — NITI Aayog, Data Empowerment and Protection Architecture

The concept emerged from India's pioneering Account Aggregator (AA) ecosystem under RBI, which has already demonstrated that consent-based data sharing can work at scale in the financial sector.

⚖️ The Statutory Framework

Section 7 - Consent Manager "(1) A Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager.

(2) Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions, as may be prescribed.

(3) A Consent Manager shall be accountable to the Data Principal and shall act in the best interests of the Data Principal.

(4) A Consent Manager shall not process the personal data of a Data Principal for any purpose other than enabling the Data Principal to give, manage, review or withdraw her consent to the Data Fiduciary through such Consent Manager."

Four Pillars of Section 7

📌 §7(1): Optional Mechanism

Consent Managers are an option, not a mandate. Data Principals can:

Give consent directly to Fiduciary
Use a Consent Manager
Switch between methods

📌 §7(2): Regulated Entity

Consent Managers must:

Register with Data Protection Board
Meet technical standards
Satisfy operational requirements
Maintain financial viability

📌 §7(3): Fiduciary Duty

The Consent Manager owes accountability to the Data Principal, not to Data Fiduciaries. This creates a legally enforceable fiduciary relationship.

📌 §7(4): Data Blindness

The critical principle: Consent Managers handle consent artifacts only—they never see or process actual personal data.

🔄 How Consent Managers Work

The Four Functions

Section 7(1) grants Data Principals the ability to use Consent Managers for:

Give Consent

Manage Consent

Review Consent

Withdraw Consent

The Data Flow Architecture

Data Principal

⟷

Consent Manager

⟷

Data Fiduciary

⚡ Critical Architecture Point

The Consent Manager transmits consent signals, not data. When a Data Principal authorizes data sharing through a CM:

Data Principal grants consent via CM interface
CM generates consent artifact (cryptographic proof)
CM transmits consent artifact to Data Fiduciary
Data Fiduciary processes data based on consent artifact
Actual data flows directly from Fiduciary to recipient—not through CM

💡 The "Data Blind" Principle

Section 7(4) mandates that Consent Managers cannot process personal data except for consent management itself. This is the "data blind" principle:

CM knows that consent was given
CM knows to whom consent was given
CM knows for what purpose consent was given
CM does not know the actual data being shared

🏦 The Account Aggregator Parallel

To understand how Consent Managers will work under DPDPA, look to India's existing Account Aggregator (AA) framework—the world's largest consent-based data sharing ecosystem.

Account Aggregator: A Blueprint

Aspect	Account Aggregator (RBI)	Consent Manager (DPDPA)
Regulator	Reserve Bank of India	Data Protection Board
Sector	Financial services only	All sectors
Data Type	Financial data	All personal data
Data Blindness	Yes - encrypted data flow	Yes - consent artifacts only
User Base	50+ million linked accounts	To be developed

50M+

AA Linked Accounts

Licensed AAs

1Bn+

Data Requests Processed

2021

AA Framework Launch

🏦

Case Study: AA in Action

Scenario: Priya applies for a home loan at ABC Bank. Instead of submitting bank statements, income proofs, and tax returns manually:

Traditional Process (Pre-AA)

Download statements from 3 banks
Get IT returns from tax portal
Collect investment proofs
Submit physical/scanned documents
Bank verifies authenticity (days/weeks)

AA-Enabled Process

Priya opens her AA app
ABC Bank sends consent request via AA
Priya reviews: "Share 12 months bank statements, IT returns, investment data"
Priya approves with biometric authentication
Data flows directly from source institutions to ABC Bank
Cryptographically verified, tamper-proof
Completed in minutes, not days

Key Point: The AA never saw Priya's actual bank balances or salary—it only transmitted her consent to share that data.

📋 Registration Requirements for Consent Managers

Section 7(2) mandates DPB registration subject to prescribed conditions. While specific DPDPA Rules are awaited, we can anticipate requirements based on:

Technical Conditions

📌 Infrastructure Requirements

Secure API-based architecture
Encryption standards (end-to-end)
Consent artifact specifications
Audit logging capabilities
Data center localization

📌 Interoperability Standards

Standard consent request format
Common artifact structure
Cross-CM compatibility
Fiduciary integration protocols
Identity verification methods

Operational Conditions

24/7 availability and uptime requirements
Customer support mechanisms
Grievance redressal system
Data protection by design
Regular security audits
Business continuity planning

Financial Conditions

Minimum capital requirements
Insurance coverage for liability
Financial auditing requirements
Fee transparency for Data Principals

🌐 DEPA: The Broader Vision

Consent Managers are part of India's larger Data Empowerment and Protection Architecture (DEPA)—a framework that envisions consent-based data sharing as national digital infrastructure.

                ⚡ DEPA Components
                
                        Component
                        Function
                        Status
                    
                        Account Aggregator
                        Financial data consent
                        Live (RBI regulated)
                    
                        Health Data CM
                        Medical record consent
                        Under ABDM
                    
                        DPDPA Consent Manager
                        Universal personal data consent
                        Rules awaited

Component	Function	Status
Account Aggregator	Financial data consent	Live (RBI regulated)
Health Data CM	Medical record consent	Under ABDM
DPDPA Consent Manager	Universal personal data consent	Rules awaited

"DEPA transforms data from a liability to be protected into an asset to be deployed—under the individual's control." — India Stack Documentation

🎯 Practical Use Cases

🏥

Healthcare: Managing Medical Data Consent

Scenario: Ramesh has medical records spread across 5 hospitals, 3 diagnostic labs, and 2 insurance companies. He wants to share relevant data with a new specialist while controlling what each party sees.

Without Consent Manager

Physically visit each facility for records
Sign multiple release forms
No control over what's shared
No audit trail of access
Difficult to revoke later

With Consent Manager

Ramesh links all healthcare providers to his CM
New specialist sends consent request via CM
Ramesh sees: "Dr. Sharma requests: Cardiology reports (2020-2024), Blood tests (2023-2024)"
Ramesh can approve all, approve selectively, or deny
Data flows directly from labs/hospitals to Dr. Sharma
CM records: who accessed what, when, for what purpose
Ramesh can revoke access anytime via CM dashboard

🛒

E-Commerce: Privacy Dashboard

Scenario: Sunita has accounts with 20+ e-commerce platforms. Each has her purchase history, payment data, and browsing behavior. She wants to understand and control her data exposure.

With Consent Manager

Single dashboard showing all consents given
Review: "Amazon - purchase history, recommendations - Active"
Review: "Flipkart - payment data sharing with BNPL partner - Active"
One-click withdrawal of specific consents
Set consent expiry dates (auto-revoke after 6 months)
Get alerts when consent is about to expire

📊

Cross-Sector Data Sharing

Scenario: Vikram wants to apply for a premium insurance policy. The insurer wants his medical history, financial data, and fitness tracker data for accurate underwriting.

CM-Enabled Process

Insurer sends multi-source consent request via CM
Vikram reviews request showing all data sources:
- Medical records from Hospital A (last 5 years)
- Bank statements (income verification)
- Fitness data from wearable app
Vikram approves hospital + bank data, denies fitness data
Granular consent—not all-or-nothing
Insurer receives only approved data categories

⚖️ Liability Framework

Consent Manager Accountability

Section 7(3) makes CMs accountable to Data Principals. This creates liability exposure for:

📌 Consent Transmission Failures

Consent given but not transmitted to Fiduciary
Withdrawal request not processed
Incorrect consent artifact generated
Technical failures causing unauthorized processing

📌 Security Breaches

Unauthorized access to consent records
Manipulation of consent artifacts
Data leakage (even metadata)
Authentication failures

💰 Penalty: Up to ₹150 Crores

Under the DPDPA Schedule, breaches by Consent Managers can attract penalties up to ₹150 Crores—higher than the ₹50 Crore general penalty—reflecting the heightened responsibility of handling consent across multiple Fiduciaries.

Data Fiduciary's Continuing Responsibility

Even when consent comes through a CM, the Data Fiduciary remains responsible for:

Verifying consent artifact authenticity
Processing data only within consent scope
Honoring withdrawal requests promptly
Maintaining compliance records

🌍 Global Comparison: Why No CM Equivalent Elsewhere?

Jurisdiction	Consent Management	Equivalent to CM?
GDPR (EU)	Direct consent to controllers only	No - no intermediary model
CCPA/CPRA (California)	Direct opt-out mechanisms	No - focused on sale prohibition
PIPL (China)	Direct consent + separate consent rules	No - no third-party CM concept
LGPD (Brazil)	Consent management plans	No - no intermediary registration
DPDPA (India)	Registered Consent Managers	Yes - unique innovation

💡 Why India's Approach is Different

India's CM model reflects:

Scale Challenge: 1.4 billion people can't individually manage consent with thousands of Fiduciaries
Digital Infrastructure Philosophy: India Stack approach of regulated intermediaries
AA Success: Proven model working in financial sector
Privacy-by-Design: Data blindness principle ensures intermediary can't abuse position

✅ Key Takeaways

Consent Manager is India's unique innovation—no GDPR/CCPA equivalent exists
Four functions: Give, manage, review, and withdraw consent
Data blindness: CMs handle consent artifacts only, never actual data
Registration required: DPB registration with technical, operational, financial conditions
Fiduciary duty: CM is accountable to Data Principal, not Data Fiduciaries
Account Aggregator parallel: 50M+ users demonstrate consent-based sharing works at scale
DEPA vision: CM is part of larger data empowerment infrastructure
Higher penalty: Up to ₹150 Crores for CM breaches (vs. ₹50 Crore general)
Continuing DF responsibility: Data Fiduciaries remain liable for processing compliance

"The best way to predict the future is to design the infrastructure that makes it possible." — Adapted from Alan Kay