Skip to main content

Q4 - Can a foreign company be registered as a Consent Manager in India?

Answer

A foreign company can be registered as a Consent Manager in India only if it meets the registration, localisation, and compliance requirements prescribed under the Digital Personal Data Protection Act, 2023 (DPDPA) and related rules issued by the Central Government.

The Act itself does not prohibit foreign entities from becoming Consent Managers. However, under Section 6(9) and Section 40(2)(c)–(d), the Central Government may prescribe technical, operational, financial, and jurisdictional conditions for registration with the Data Protection Board of India. These conditions will effectively determine whether and how a foreign company can qualify.

1. Registration and Jurisdiction Requirements

To operate as a Consent Manager in India, a foreign company would likely be required to:

  • Establish a legal presence in India, such as a registered subsidiary, liaison office, or branch under Indian law.
  • Comply with Indian jurisdiction, meaning it must be subject to Indian courts and the Data Protection Board of India for enforcement and penalties.
  • Maintain data infrastructure and consent records within India or in a government-approved jurisdiction that meets prescribed adequacy or localisation standards.
  • Meet technical and security benchmarks defined by the Central Government (for interoperability, encryption, and auditability).

Without meeting these conditions, a foreign company cannot act as a valid Consent Manager under the DPDPA.

2. Role of the Data Protection Board and Central Government

  • The Central Government sets the eligibility criteria and operational standards for Consent Managers.
  • The Data Protection Board maintains the registry and ensures compliance.
    Both authorities must approve the registration before a company can begin operations.

3. Practical Implication

In practice, a global technology company wanting to operate as a Consent Manager in India would need to:

  1. Incorporate or register a local entity under the Companies Act, 2013.
  2. Apply to the Data Protection Board for registration as a Consent Manager.
  3. Demonstrate compliance with technical, financial, and jurisdictional requirements as notified by the Central Government.
Example

A technology company based in Singapore wishes to provide consent-management services for Indian fintech platforms. To operate legally, it registers a subsidiary in India, hosts consent data within Indian servers, and applies for registration with the Data Protection Board of India. Only after approval can it function as a recognised Consent Manager under the DPDPA.

Referenced Provisions:

  • Section 6(9) – Registration of Consent Managers and conditions of operation.
  • Section 40(2)(c)–(d) – Central Government’s power to prescribe rules for technical, financial, and operational requirements.
  • Section 27–28 – Oversight and enforcement powers of the Data Protection Board.
Visits: