
DATA FIDUCIARIES AND CONSENT MANAGERS: THE DPDP ACT AND THE FUTURE OF DATA GOVERNANCE IN INDIA

Authored By: YASHI TRIPATHI

Chanakya National Law University

Abstract

The Digital Personal Data Protection Act, 2023 (DPDP Act), marks India’s first comprehensive framework for personal data protection, responding to the data explosion and privacy concerns in its burgeoning digital economy. Central to the Act are Data Fiduciaries, entities responsible for determining the purpose and means of data processing, and Consent Managers, intermediaries facilitating user consent. This article evaluates how these entities reshape India’s data governance landscape. While the DPDP Act introduces a promising fiduciary model emphasizing accountability, its success hinges on overcoming implementation challenges, including ambiguous enforcement mechanisms, compliance burdens on smaller entities, and unclear governance for Consent Managers. The Act’s alignment with global frameworks like GDPR and its interplay with sectoral regulations (e.g., RBI’s Account Aggregators) are also critical. The core thesis is that, despite its innovative architecture, the DPDP Act requires robust secondary legislation, independent oversight, and institutional clarity to achieve a user-first data economy.

Introduction

India’s digital economy, fueled by widespread internet penetration and data-driven services, has raised significant privacy concerns. The landmark Puttaswamy judgment (2017) recognized privacy as a fundamental right, catalyzing India’s data protection regime. The Digital Personal Data Protection Act, 2023 (DPDP Act), introduces a unique institutional framework centered on Data Fiduciaries and Consent Managers to balance innovation and user rights. This article examines their roles, challenges, and potential to reshape data governance, emphasizing the need for clarity in implementation and oversight.

Background: India’s Journey to the DPDP Act

India’s data protection journey began with the Justice Srikrishna Committee (2018), which proposed a fiduciary model over traditional data ownership frameworks. After multiple iterations, including the Joint Parliamentary Committee’s 2021 draft, the DPDP Act, 2023, shifted from prescriptive regulations to a principle-based approach. Key departures include simplified compliance for startups and a focus on fiduciary responsibility, aligning with India’s digital ambitions while addressing privacy concerns post-Puttaswamy.

Key Entities in the DPDP Act

1. Data Fiduciaries

Under Section 2(i) of the DPDP Act, Data Fiduciaries are entities or individuals determining the purpose and means of processing personal data. Their obligations include purpose limitation, storage limitation, and implementing security safeguards (Section 6). Significant Data Fiduciaries (SDFs), identified based on data volume, sensitivity, or potential harm, face enhanced obligations like mandatory audits and impact assessments (Section 10). This tiered approach aims to balance accountability with scalability.

2. Consent Managers

Defined under Section 2(g), Consent Managers act as intermediaries, enabling users to manage consent for data processing. They provide a platform for data principals to grant, review, or revoke consent, aiming to empower users. However, their role risks adding complexity, as users may struggle with technical interfaces, and governance frameworks for accreditation and liability remain undefined.

Main Issues and Legal Analysis

1. Challenges in Implementing the Fiduciary Model

The broad definition of Data Fiduciaries encompasses entities of all sizes, potentially overwhelming startups and SMEs with compliance costs. Enforcement ambiguities, particularly the lack of clear penalties unless “significant harm” is proven, weaken accountability. The absence of real-time monitoring mechanisms further complicates enforcement, risking inconsistent application across sectors.

2. Consent Managers: Legal Fiction or Functional Utility?

Consent Managers aim to empower data principals but face practical hurdles. Their effectiveness depends on user literacy and seamless interfaces, which may exclude non-tech-savvy populations. Their interplay with RBI’s Account Aggregators under the Data Empowerment and Protection Architecture (DEPA) is promising but lacks clarity on overlapping roles, accreditation standards, and liability frameworks, potentially creating operational redundancies.

3. Oversight and Regulatory Gaps

The Data Protection Board (DPB), established under Section 18, oversees compliance, but its independence and capacity raise concerns. Unlike GDPR’s robust supervisory authorities, the DPB lacks provisions for real-time auditing or granular checks, limiting proactive enforcement. Sectoral regulators (e.g., RBI, TRAI) may conflict with the DPB, complicating cross-sector coordination.

Discussion: Future of Data Governance in India

The DPDP Act’s fiduciary and consent frameworks aim to create a “user-first” data economy, prioritizing accountability and choice. Compared to GDPR’s data controller/processor model, the fiduciary approach emphasizes trust-based relationships, suitable for India’s diverse digital landscape. However, its success depends on interoperability with global frameworks and convergence with sectors like fintech (e.g., UPI), healthtech, and edutech. Sectoral regulators must align with the DPB to avoid fragmentation, while international alignment ensures India’s competitiveness in global data markets.

Conclusion

The DPDP Act introduces a novel architecture for data governance, with Data Fiduciaries and Consent Managers as cornerstones. While promising, its effectiveness hinges on addressing implementation challenges, clarifying Consent Manager governance, and ensuring robust oversight through an independent DPB. Secondary legislation and user education are critical to fostering genuine agency, positioning India as a leader in accountable data practices.

