Skip to main content

Q1 - Who oversees Consent Managers - is it only the Data Protection Board, or also the government?

Answer

Consent Managers are regulated and overseen by both the Central Government and the Data Protection Board of India, but in different ways and at different stages of their operation.

1. Role of the Central Government

The Central Government is responsible for:

  • Registration and approval of Consent Managers.
    • Under Section 6(9), every Consent Manager must be registered with the Data Protection Board in such manner and subject to such technical, operational, financial, and other conditions as may be prescribed by the Central Government through rules.
    • The power to make these rules is granted under Section 40(2)(c) and (d).
  • Issuing standards and conditions for their functioning.
    • These include defining interoperability, transparency, and security standards that Consent Managers must follow when handling user consent data.
  • Overall policy and regulatory oversight of the framework for Consent Managers — ensuring they operate within the boundaries of national data-governance policy.

In summary, the Government sets the rules of operation for Consent Managers and determines who is eligible to be registered.

2. Role of the Data Protection Board of India

The Data Protection Board oversees day-to-day compliance and enforcement.
Its responsibilities include:

  • Registration administration – recording and maintaining the list of registered Consent Managers.
  • Inquiry and enforcement – under Section 27(1)(c), the Board may inquire into any breach by a Consent Manager relating to its obligations toward Data Principals.
  • Penalties and corrective actions – the Board may impose fines, suspend registration, or issue directions under Section 33(1) if a Consent Manager fails to meet its legal or operational duties.

Thus, while the Central Government defines the policy and standards, the Board acts as the enforcement authority, ensuring ongoing compliance.

Example

A registered Consent Manager fails to provide accurate consent logs during a complaint inquiry. The Data Protection Board investigates the issue, finds non-compliance with technical standards prescribed by the Government, and imposes a penalty while recommending suspension until the Consent Manager updates its systems.

Referenced Provisions:

  • Section 6(7)–(9) – Registration and obligations of Consent Managers.
  • Section 27(1)(c) – Board’s authority to inquire into breaches by Consent Managers.
  • Section 33(1) – Monetary penalties for non-compliance.
  • Section 40(2)(c)–(d) – Central Government’s power to make rules governing registration and operation of Consent Managers.