Q3 - What happens if a Consent Manager itself suffers a data breach - who is liable, the Consent Manager or the Fiduciary relying on it?

Answer

If a Consent Manager experiences a data breach, the Consent Manager itself is primarily liable for that incident — not the Data Fiduciary — because it is an independent entity registered under Section 6(9) of the Digital Personal Data Protection Act, 2023 (DPDPA).

However, both the Consent Manager and any Data Fiduciaries that rely on it have distinct responsibilities that may be examined by the Data Protection Board of India to determine shared or separate liability.

1. Role and Liability of the Consent Manager

A Consent Manager is directly responsible for:

  • Implementing security safeguards to prevent data breaches (Section 8(5) read with Section 6(8)).
  • Protecting consent records and other personal data in its custody.
  • Notifying the Data Protection Board and affected Data Principals of the breach under Section 8(6).
  • Ensuring its systems meet all technical and organisational standards prescribed by the Central Government (Section 6(9)).

If the breach arises from poor security, technical failure, or negligence by the Consent Manager, the Board may impose penalties under Section 33(1) and may also suspend or revoke its registration.


2. Role and Exposure of the Data Fiduciary

The Data Fiduciary is not automatically liable for a breach suffered by an independent Consent Manager.
However, the Board may evaluate whether the Fiduciary:

  • Exercised due diligence in selecting a registered and compliant Consent Manager.
  • Had appropriate contractual safeguards in place for handling consent data.
  • Responded responsibly once the breach became known (e.g., by informing affected users and coordinating remediation).

If the Fiduciary ignored these responsibilities or continued using an unregistered or non-compliant Consent Manager, joint liability may be considered.


3. Investigation and Enforcement

When such a breach occurs:

  1. The Consent Manager must report it immediately to the Data Protection Board and the affected individuals.
  2. The Board conducts an inquiry under Sections 27–28 to determine the cause, scope, and responsible parties.
  3. The Board may impose penalties or issue corrective directions to either or both entities based on their level of fault.

Example

A registered Consent Manager suffers a system hack that exposes user consent records and identifiers. The Consent Manager failed to patch its servers despite prior warnings — the Data Protection Board imposes a penalty for inadequate safeguards and non-notification. The Data Fiduciary using the platform had valid contracts and acted promptly after the breach, so it is not penalised.


Referenced Provisions:

  • Section 6(7)–(9) – Duties and registration of Consent Managers.
  • Section 8(5)–(6) – Security safeguards and breach notification obligations.
  • Sections 27–28 – Inquiry and enforcement powers of the Data Protection Board.
  • Section 33(1) – Monetary penalties for breaches and non-compliance.