30 January 2024
Over the last decade, India has become one of the most significant consumers of data in the world. Currently, the internet penetration rate in India stands at 48.7% (forty-eight point seven per cent) and this number is expected to exceed 61% (sixty-one per cent) by the end of 2025. An average internet user in India consumes approximately 19.5 GB (nineteen point five gigabytes) of data every month. Much of this growth can be attributed to improved internet infrastructure, cheap smartphones, and availability of reasonable data packs across the country.
Another major effect of this increased access to cheap internet and smartphones is the uptick in e-commerce and online banking. The e-commerce market is projected to grow at 18% (eighteen per cent) annually through 2025 and is expected to touch $350 billion by 2030. Further, India accounts for nearly 40% (forty per cent) of global online banking transactions.
The exponential increase in e-commerce and the consequent (permanent) change in the way most people purchase goods and services has also caused a massive increase in the volume of online data transfers. This means that for e-commerce transactions to be commercially viable, businesses need to ensure efficient and smooth movement of large volumes of data.
A natural side-effect of this is a threat to the privacy of financial, medical, and other forms of personal data shared by individuals over multiple apps, social media, and e-commerce platforms.
In view of the above, data privacy in this changed landscape has become an even more significant issue. There is a wide range of concerns that need to be addressed, ranging from consent before collection, integrity of processing, legality of transfers (including cross-border data transfers), proper and legitimate use, grievance redressal and deletion at the appropriate time (after use, or on request).
Consent plays a critical role in securing the rights of individuals whose personal data is being processed (i.e., a data principal) and in this Article, we will briefly discuss the measures introduced under the Digital Personal Data Protection Act, 2023 (‘DPDP Act’) to address challenges around management of data principals’ consent.
The concept of ‘consent managers’ was first introduced in the Personal Data Protection Bill, 2019 (‘PDPB’). Under the PDPB, a ‘consent manager’ was defined as a "data fiduciary which enables a data principal to gain, withdraw, review and manage his consent through an accessible, transparent and interoperable platform." Separately, the Reserve Bank of India (RBI) also provided for the concept of ‘account aggregators’ in the ‘Master Direction-Non-Banking Financial Company - Account Aggregator (Reserve Bank) Directions, 2016’. Under these master directions, the role of account aggregators (in relation to financial information) is similar to the role of a consent manager (in relation to personal data).
The role and responsibilities of a consent manager were further discussed in a publication issued by the NITI Aayog in 2020, titled ‘Data Empowerment And Protection Architecture’ (‘DEPA’). In the DEPA it was discussed that, under the PDPB, 'consent managers' were posited to manage a data principal’s consent through an accessible, transparent, and interoperable platform. It was further noted that consent managers would be ‘data blind’ and will not see or use personal data themselves.
The role of a consent manager in the data flow cycle would be as follows:
The DPDP Act defines a ‘Consent Manager’ as “a person registered with the Board who acts as a single point of contact to enable a data principal to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform.”
Under the DPDP Act, Consent Managers will: (a) be required to obtain registration from the Data Protection Board; (b) be subject to technical, operational, financial, and other conditions (as may be prescribed); and (c) be accountable to data principals. The obligations of a consent manager will be prescribed in rules to be issued under the DPDP Act.
Consent under the DPDP Act needs to be “specific, free, informed, unconditional, unambiguous with a clear affirmative action” and introduction of the mechanism of Consent Managers enables a fast and efficient means of achieving this, by bridging the gap between the Data Fiduciary and the Data Principal.
The use of Consent Managers benefits both Data Fiduciaries (by enabling easier compliance with consent-related statutory requirements) as well as Data Principals (by providing an efficient mechanism to grant and manage their consent). This improved efficiency of consent management also improves the overall speed, security, and efficiency of personal data flows.
Another benefit of the use of Consent Managers is that this will assist Data Principals in exercising their right of grievance redressal with more ease and efficiency.
The relevance of Consent Managers is likely to increase significantly over the next few years as they act as conduits for more and more online transactions and e-commerce. Digilocker is a prime example of the possibilities for quick adoption of this facility.
As we await the enforcement of the DPDP Act, industry players are already establishing compliance protocols and procedures as per the new law. Given the introduction of Consent Managers under the DPDP Act and the benefits that this new mechanism offers as a compliance bridge between the Data Principals and Data Fiduciaries, it is likely to gain significant leverage as a new tech-enabled service offered by Indian startups and entrepreneurs. However, it is important for entities offering consent management services to ensure that their activities do not fall within the ambit of data processing under the DPDP Act, as this would expose them to more stringent compliance requirements and significantly higher penalties.
[Prashant Phillips and Abhishek Singh are Executive Partner and Associate, respectively, in Data Protection and TMT practice, while Paritosh Chauhan is an Associate Partner in Corporate and M&A practice, of Lakshmikumaran & Sridharan Attorneys, New Delhi]