Section 2(g) of The Digital Personal Data Protection Act, 2023 (hereinafter referred to as ‘the act’) defined ‘Consent Manager’ (hereinafter referred to as ‘CM’) as any person who takes the consent of data principle regarding manage, review, or withdraws for the concerned data in a transparent manner.
It is obligatory on the part of the Data principle to give consent through the ‘CM’, provided that the consent obtained shall be free, specific, and unconditional and it should also be limited to personal data. The concept of ‘CM’ is new, and it is brought due to the increase in new technology which means that the economy is generally being driven by the data stored in digital format. ‘CM’ is a third-party body that uses an interoperable framework to obtain consent digitally.
Functions of Consent Manager
- A Data Principal shall have the right to grievance redressal that should be provided by the ‘CM’ for any act or omission done by the ‘CM’ in relation to personal data of the Data principle. The Data Principle should exhaust this opportunity of grievance redressal before approaching the Data Protection Board (hereinafter referred to as ‘the Board’) of India established by the Central Government under Section 18 of ‘the act’.
- The ‘CM’ shall respond to any grievances with respect to the Data of Data Principle.
- If the Data Principal approaches the court, then the Board shall impose the penalty on the ‘CM’ for its fault.
- The ‘CM’ shall be registered with ‘the Board’ in a manner with respect to technical, operational, financial, and other conditions as may be prescribed.
Regulations on CM
There is much need to regulate the ‘CM’ as the inherent delegation of authority can undermine the business. In a situation where a social media company established a subsidiary company that itself acts as ‘CM’, it can be assumed that such a company has a right to take and withdraw the consent on behalf of a number of individuals who have the Company’s social accounts.
So, it is necessary to regulate the ‘CM’ As of now there is no regulation to put on the ‘CM.’ A situation may arise where the personal data is used without the consent of the Data Principle even in a case where there is no purpose to use the personal data.
The regulation should reflect from ‘the act’ itself rather than delegate it to ‘the board’ as the power to create the entire regulations will result in excessive delegation of administrative power. The ‘CM’ should refrain from engaging in any other profession than that of ‘CM’. The Consent should be for the concerned matter, not the other unrelated matter.
To conclude it can be said that the role of ‘CM’ is a significant one as it will help the Data Principle to give and withdraw consent based on information provided by the ‘CM’. The Consent should not be against the provision of ‘the act’ and it is also prohibited under ‘the act’.
The ‘CM’ is a much-needed role to take the consent in a fair and transparent way and it is also important to have the ‘CM’ as with the growing digital economy and technology, and with the rapid growth of industries, there will be lot of repercussion with respect to policies framework of the companies or industries and to understand the policies or terms and conditions of those companies or industries the role of ‘CM’ is significant.
Disclaimer: The above article is based on the personal interpretation of the related orders and laws. The readers are expected to take expert opinions before relying upon the article. For more information, please contact us.