Data Protection: We Can Innovate, Leapfrog
Data Protection: We Can Innovate, Leapfrog is an opinion article by Sunil Abraham, published in Deccan Herald on 20 January 2018. The column explores how India can design innovative, accountable, and citizen-centric data protection frameworks rather than merely copying the European Union’s GDPR model.
Article Details
- 📰 Published in: Deccan Herald
- 📅 Date: 20 January 2018
- 👤 Author: Sunil Abraham
- 📄 Type: Opinion Column
Full Text
About 27% of India's population is still illiterate or barely literate. Most privacy policies and terms of service for web and mobile applications are in English, and therefore it is only around 10% of us who can actually read them before providing our consent. Even if we can read them, few have the necessary legal training to understand them.
According to a tweet thread by Pat Walshe (@privacymatters), the Tetris app, a popular video game, has a privacy policy that lists numerous third-party advertising and analytics companies. These third parties include "123 Ad Networks; 13 Online Analytics companies; 62 Mobile Advertising Networks; and 14 Mobile Analytics companies." The linked privacy policies for Tetris run to 407,000 words — nearly as long as the entire *Lord of the Rings* trilogy. A four-year-old child playing the game and her parents would need an intermediary to deal with the corporations hiding behind Tetris.
Unlike the European Union, which has more than 37 years of experience with data protection law, India is starting afresh after the Supreme Court confirmed privacy as a constitutionally guaranteed fundamental right in the *Puttaswamy* judgement. While maintaining compatibility with the EU’s General Data Protection Regulation (GDPR) is important, India now has the opportunity to leapfrog and innovate in its data protection framework.
This article introduces three intermediary models emerging within India's data protection debate — each designed to enhance accountability — and concludes with a proposal from the Centre for Internet and Society.
Account Aggregators: The ‘India Stack’ ecosystem first proposed intermediaries called Account Aggregators to manage consent artefacts. India Stack has traditionally been described as having four layers — presenceless, paperless, cashless, and consent. The consent layer would feature these Aggregators. For example, when a user seeks an insurance policy, the portal collects personal information and consent, which is shared with multiple insurance companies that respond with personalised bids. However, while Account Aggregators make it easier to give and harvest consent, they do not simplify revocation.
Data Trusts: Cybersecurity expert Na. Vijayashankar has proposed ‘Data Trusts’ — intermediaries registered with the regulator that act as escrow agents for personal data. They would translate privacy notices into accessible language, ensure minimal disclosure, issue pseudonymous tokens, and monetise data for the benefit of data subjects. To ensure independence, he recommends public performance reviews, regulatory audits, and an arm’s-length relationship with data collectors.
Learned Intermediaries: Rahul Matthan, of Trilegal and the Takshashila Institution, proposed ‘Learned Intermediaries’ in his paper *Beyond Consent: A New Paradigm for Data Protection*. These certified entities would conduct audits on data controllers above a threshold, focusing on bias and discrimination. Audits could involve database query review, black box audits, and algorithm review, alongside possible rating systems — making the market more transparent and accountable.
Consent Brokers: Finally, I have proposed the model of a ‘Consent Broker’ — modifying the Account Aggregator concept. Each data subject would have a one-to-one relationship with a broker competing for their business. These brokers would manage consent artefacts, maintain distance from data controllers, and could even take proactive actions such as facilitating access and correction requests on behalf of data subjects.
The need of the hour is to produce regulatory innovations and robust discussion around all nine privacy principles outlined by the Justice A. P. Shah Committee — notice, choice and consent, collection limitation, purpose limitation, access and correction, disclosure, security, openness, and accountability.
Context and Background
This column was published in the months following India’s landmark Puttaswamy privacy judgement, during the drafting of the country’s first data protection bill.
Sunil Abraham positions India’s regulatory infancy as an opportunity to leapfrog — by creating novel accountability intermediaries that blend innovation with citizen rights protection.
This page was created on 6 November 2025.