Skip to main content

Q8 - If there is a dispute between a Fiduciary and a Consent Manager (e.g., over proof of consent), who resolves it?

Answer

If a dispute arises between a Data Fiduciary and a Consent Manager — for example, over the validity or proof of consent — the matter is resolved by the Data Protection Board of India, as established under Chapter V (Sections 18–28) of the Digital Personal Data Protection Act, 2023 (DPDPA).

1. Primary Authority: The Data Protection Board of India

The Data Protection Board is the statutory body empowered to:

  • Inquire into breaches of the DPDPA or its rules.
  • Adjudicate complaints or references related to violations by a Data Fiduciary or Consent Manager.
  • Impose monetary penalties or issue binding directions.

Under Section 27(1)(b) and 27(1)(c), the Board can conduct inquiries into:

  • Breaches by a Data Fiduciary regarding its obligations or the rights of Data Principals.
  • Breaches by a Consent Manager in relation to the handling of consent.

Therefore, if the disagreement involves whether consent was validly obtained, withdrawn, or communicated, the Board reviews the evidence (audit logs, timestamps, records from the Consent Manager’s system, etc.) and issues a decision.

2. Process of Resolution

  1. Either party (or the affected Data Principal) may file a complaint with the Board.
  2. The Board evaluates whether there are sufficient grounds to proceed with an inquiry (Section 28(3)).
  3. Both parties are given an opportunity to be heard, and the Board records its reasons in writing before issuing a direction or penalty (Section 28(6)–(11)).
  4. If dissatisfied, the aggrieved party can appeal the Board’s decision to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) under Section 29(1).
Example

A Data Fiduciary claims that a customer consented to share data for analytics, but the Consent Manager’s log shows that the consent was withdrawn before processing began. The Consent Manager reports this to the Data Protection Board. The Board examines both systems’ records, verifies the consent timestamps, and determines whether the Fiduciary acted lawfully or violated the consent terms.

Referenced Provisions:

  • Section 18–28 – Establishment, powers, and procedures of the Data Protection Board of India.
  • Section 27(1)(b) & (c) – Board’s authority to inquire into breaches by a Data Fiduciary or Consent Manager.
  • Section 28 – Procedure for inquiry and adjudication by the Board.
  • Section 29 – Appeals to the Appellate Tribunal (TDSAT).