India’s pioneering Account Aggregator (AA) framework has already demonstrated the transformative potential of consent-driven data-sharing in the financial sector.
Consent managers are envisaged as accessible, transparent, and interoperable platforms that act as a single point of contact for Data Principals (individuals) to give, manage, review, and withdraw their consents across a range of Data Fiduciaries.
Drawing on our learnings from the AA ecosystem, we believe a collaborative and interoperable approach is required while designing and operationalising the consent manager framework under the DPDP Act.
The AA Framework: Enabling consent-based financial data sharing
The Account Aggregator (AA) framework is a multi-regulatory initiative led by the Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), Insurance Regulatory and Development Authority of India (IRDAI), Pension Fund Regulatory and Development Authority (PFRDA), and the Ministry of Finance.
Operationalised through the RBI’s NBFC-AA Master Directions in 2016, this framework empowers individuals to provide, review, manage, and withdraw consent for sharing their financial data.
AAs enable the secure and real-time management of consents for financial information — which includes banking, lending, investment, pension, and tax data — and, consequently, the flow of such financial information directly from source systems.
Financial institutions can access this machine-readable, consent-based data, enabling greater efficiency, productivity, and innovation in delivering customer-centric financial services.
Today, the AA ecosystem operates at a population scale and continues to grow in adoption and utility.
The DPDP Act’s Consent Manager Regime: Building on AA’s Principles
The Digital Personal Data Protection (DPDP) Act, 2023, similarly envisages a consent-manager-led data governance framework. Under the Act, consent managers act as intermediaries through which data principals — the individuals to whom the data relates — can give, review, manage, and withdraw consent for sharing their data with data fiduciaries.
The techno-legal architecture of the consent manager regime aligns closely with the AA model, reinforcing the primacy of explicit and informed consent.
Like AAs, consent managers under the DPDP Act play a critical role in facilitating secure, controlled, and user-centric consent management and data flows across sectors — from healthcare and education to digital commerce and employment.
Draft DPDP Rules, 2025: Need to reconcile the AA and CM frameworks
The recently released Draft DPDP Rules, 2025 outline the registration process, obligations, and permitted activities of consent managers.
The Ministry of Electronics and Information Technology (MeitY) has made laudable efforts to clarify the registration and other obligations of consent managers.
Given the significant structural alignment between the AA and consent manager (CM) frameworks and their shared commitment to user empowerment and consent-based data-sharing, we have proposed a few revisions to the Draft Rules. These would provide clarity, ensure the continuity of existing sector-specific regulatory frameworks, and enable the effective implementation of the CM framework under the DPDP Act (DPDPA).
1. Mandatory Registration with the Data Protection Board (DPB): Entities seeking to operate as consent managers under the DPDP regime must be registered with the DPB. This ensures accountability, standardisation, and alignment with the regulatory framework.
2. Enable Sector-Specific Consent Managers: The DPB should allow for the registration of sector-specific consent managers, provided they operate on common, interoperable APIs and technical specifications as prescribed. This supports innovation while maintaining interoperability and compliance. For example, in addition to the AA ecosystem already operating at scale, the Financial Health Records (FHR) framework, under the National Health Authority (NHA), is also in advanced stages of development with a comprehensive consent management system and health data schema. Our feedback to MeitY proposes allowing the registration of such sector-specific consent managers as consent managers under the DPDPA. This would ensure that existing regulatory frameworks are empowered and remain accountable under the DPDP regime.
3. Allow Commercial Arrangements with Data Fiduciaries: To ensure the healthy adoption and sustainable growth of an ecosystem of consent managers, they should be permitted to structure their business models around valid commercial agreements with data fiduciaries. While consent managers must continue to operate in a fiduciary capacity in relation to data principals, as required under the Draft DPDP Rules, such commercial arrangements, in and of themselves, should not be treated as a conflict of interest, as long as they do not compromise user consent and data protection.
A call for synergy, not redundancy
We advocate for a collaborative approach that leverages the maturity and operational insights of the AA ecosystem to inform the roll-out of the consent manager framework under the DPDP Act.
Rather than building overlapping regulatory architectures, India now has the opportunity to unify its consent-based data-sharing infrastructure, ensuring interoperability, eliminating redundancies, and laying the foundation for a future-ready, user-centric data governance regime.
(B.G. Mahesh is CEO and Pranav Narain, Legal Counsel, Sahamati)
(Sahamati (Sahamati Foundation) is a member-driven industry alliance formed to promote and strengthen the Account Aggregator ecosystem in India.)
Published - May 16, 2025 06:00 am IST