BharatTax.co — Knowledge Portal
File GST ↗
158A

CGST Act · Section 158A

Consent based sharing

Chapter XXI — MiscellaneousCGST Act, 2017

☐ Has the proposed sharing been mapped to clauses (a), (b), or (c) of sub-s. (1)? ☐ Has the receiving system's notification status been verified? ☐ Is the consent instrument in the prescribed form (or best-practice equivalent pending…

Section 158A consent-based sharing — checklist (19 items)

Section 158A consent — based sharing — checklist (19 items)

☐ Has the proposed sharing been mapped to clauses (a), (b), or (c) of sub-s. (1)?

☐ Has the receiving system's notification status been verified?

☐ Is the consent instrument in the prescribed form (or best-practice equivalent pending Rules)?

☐ Has supplier consent been obtained for the specific clauses?

☐ Has recipient consent been obtained where required (clause (b); clause (c) with recipient identity)?

☐ Does the consent specify data points, receiving system, purpose, duration, withdrawal rights?

☐ Is the data flow strictly calibrated to consent scope (no over-disclosure)?

☐ Has the receiving system executed a contractual data-use limitation undertaking?

☐ Is the consent register maintained with audit-trail discipline?

☐ Has DPDP Act 2023 compliance been overlaid for natural-person data subjects?

☐ For Account Aggregator pathway — has RBI AA Master Direction been satisfied?

☐ Has the proportionality test (Puttaswamy / Modern Dental) been documented for the sharing?

☐ Has consent withdrawal handling been operationalised?

☐ Has the receiving system's breach-notification commitment been documented?

☐ Has tax liability been insulated from information-flow decisions (sub-s. (3) tail clause)?

☐ Have parallel automatic disclosures under s. 158(3) been distinguished in compliance manuals?

☐ Has Joint Commissioner / Compliance Head reviewed any sensitive consent (high-volume / multi-recipient)?

☐ Has the consent expiry / renewal cycle been scheduled?

☐ Has the entire sharing event been audited for Article 21 / Mafatlal procedural fairness?

Worked examples — five live scenarios

Example 1 — Account Aggregator-mediated lending

Facts: A registered taxable person — manufacturer — seeks a working-capital line from a bank. The bank requires GST turnover and tax-payment regularity assessment. The bank is partnered with a RBI-licensed Account Aggregator notified under s. 158A.

Analysis: Taxable person executes consent under s. 158A — clauses (a) registration / return data + (b) outward supplies — to flow to the AA, which transmits to the bank. Consent specifies 6-month duration, restricted to credit assessment, with audit trail. Bank receives only the consented data points. Sub-s. (3) shields Government and portal. Bank's downstream use is governed by the consent contract and RBI's AA framework.

Result: Lawful sharing under s. 158A. Taxable person receives credit; bank receives risk-graded data.

Example 2 — Recipient identity in clause (b) sharing

Facts: A supplier wishes to share its e-invoice records (clause (b)) with a notified analytics platform for supply-chain optimisation. The records contain recipient names, GSTINs, and supply quantities.

Analysis: Sub-s. (2)(b) requires recipient consent for clause (b) sharing. Supplier must obtain consent from each recipient before sharing the data that identifies them. If recipients refuse, supplier must mask / aggregate the recipient-identifying particulars. Alternative — supplier may share aggregated transaction data not identifying recipients (outside the consent-mandatory scope).

Result: Recipient consent essential before raw clause (b) sharing. Aggregation is the privacy-preserving alternative where consent is unavailable.

Example 3 — Consent withdrawal mid-cycle

Facts: A taxable person initially consented to share GSTR-1 with an analytics platform for 12 months. After 4 months, the taxable person withdraws consent due to concerns about data resale by the analytics platform.

Analysis: Withdrawal is effective from the withdrawal date. Data shared during months 1-4 remains governed by the original consent (subject to the analytics platform's contractual obligations). Data of months 5-12 is excluded from sharing. Analytics platform must cease ingestion and may face contractual breach claim if it continues to use months 1-4 data beyond the consented purpose. Notification to the analytics platform within prescribed timeline.

Result: Prospective withdrawal effective. Retrospective protection limited — past-shared data remains under the original consent's scope and the receiving system's contractual obligations.

Example 4 — Sharing of non-enumerated data — outside s. 158A

Facts: A taxable person attempts to authorise sharing of departmental audit findings (under s. 65) with a credit-rating agency. The audit report contains officer observations on the taxpayer's compliance posture.

Analysis: Audit findings are NOT enumerated in clauses (a), (b), or (c) of sub-s. (1). They are outside the s. 158A sharing universe. The structural confidentiality of s. 158 continues to apply. Sharing would breach s. 158, attracting officer liability under s. 133 and taxable person's exposure to disciplinary action by the receiving regulator. Practitioner advice — limit s. 158A sharing strictly to the enumerated data points; seek other lawful channels for non-enumerated data.

Result: Proposed sharing outside s. 158A. Prohibited.

Example 5 — Tax liability untouched by sharing

Facts: A taxable person shares GSTR-3B data under s. 158A with a notified credit-rating agency. The rating agency assigns a low rating citing payment irregularities. The taxable person argues that the data sharing exposed errors that should be set off against tax liability.

Analysis: Sub-s. (3) tail clause — sharing has 'no impact on the liability to pay tax on the supply'. The information-flow framework and the tax-assessment framework are independent. The rating agency's analysis cannot displace the taxable person's substantive tax liability. The taxable person's remedies for any incorrect tax position lie through s. 161 rectification, s. 107 appeal, etc., not through the information-sharing channel.

Result: Tax liability untouched by sharing. Taxable person must pursue separate tax-remedies framework.

Planning and litigation strategy

  • • Treat s. 158A consent as a controlled commercial asset — selectively deploy to enable credit, supplier financing, and analytics partnerships.
  • • Maintain a single consent register covering s. 158A, DPDP, and Account Aggregator consents for unified audit trail.
  • • Use granular consent — specific data points, defined receiving systems, defined duration — to limit downstream misuse risk.
  • • Embed consent-management in vendor onboarding for receiving systems — contract clauses for breach notification, audit rights, indemnity.
  • • Train finance / compliance teams on the distinction between automatic s. 158(3) disclosure and consent-based s. 158A sharing.
  • • Audit notified receiving systems' regulatory standing (RBI AA license, SEBI registration) before extending consent.
  • • Refresh consents on regulatory shifts — DPDP Rules, RBI AA Master Direction updates, CBIC Rules under s. 158A.
  • • Use aggregation / masking as the privacy-preserving alternative where recipient consent is unavailable for clause (b) sharing.
  • • Coordinate s. 158A consent with sectoral regulatory consents (RBI for financial-services consumers, IRDAI for insurance, SEBI for capital-markets).
  • • Maintain Joint Commissioner-level approval for high-volume / multi-recipient consents to ensure organisational oversight.
  • • Document the four-part proportionality test (Puttaswamy / Modern Dental) for each significant sharing event.
  • • Build operational checklists for consent withdrawal processing — communication to receiving system within prescribed timeline.
  • • Insulate tax-assessment decisions from information-sharing decisions — Sub-s. (3) tail clause discipline.
  • • Use s. 158A as a strategic positioning tool — controlled sharing supports lender confidence, vendor finance, and analytics-driven optimisation.
  • • Develop internal SOP for s. 158A breach response — contractual remedies, regulatory reporting, data-subject notification.

Litigation defence

  • • Defend any s. 158A sharing on the foundation of express consent — Puttaswamy informational autonomy.
  • • Where receiving system breaches consent scope, sue under contract for damages and breach-of-confidence tort.
  • • For DPDP Act overlap, plead unified compliance — DPDP consent + s. 158A consent in single instrument.
  • • Where consent was coerced (no genuine alternative), invoke Maneka Gandhi procedural-fairness challenge.
  • • Plead sub-s. (3) liability shield as defence against any claim against Government / common portal.
  • • Where receiving system exceeds notified scope, challenge under sub-s. (1) — sharing must be with notified system only.
  • • Cross-reference Mafatlal procedural-fairness in any Rule-making challenge under s. 158A.
  • • Where data shared under s. 158A is misused for tax-assessment leverage, plead sub-s. (3) tail clause — sharing does not affect tax liability.
  • • Defend consent-instrument validity by demonstrating clear purpose, defined duration, granular scope, withdrawal rights.
  • • Where withdrawal is honoured prospectively, plead the regulatory framework — withdrawal is forward-looking, past-shared data remains under original scope.
  • • For DPDP breach allegations, leverage s. 158A's explicit consent architecture to rebut absence-of-consent claims.
  • • Use Bharti Airtel framework to defend against claims that portal records are inaccurate — primary records lie with the taxable person.
  • • Plead Modern Dental College proportionality test to challenge over-prescriptive Rules under s. 158A.
  • • Coordinate cross-statute defence — s. 158A + DPDP + AA Master Direction + sector regulation.
  • • Plead Puttaswamy informational privacy as the constitutional floor — any State Action / Rule under s. 158A must satisfy the four-part test.
  • • Build comprehensive audit-trail evidence to defend any disclosure decision — consent register, contractual safeguards, regulatory compliance.

Cross-references

  • • Section 25 (Registration — clause (a) data source)
  • • Section 37 (Outward supplies / GSTR-1 — clause (b) data source)
  • • Section 39 (GSTR-3B return — clause (a) data source)
  • • Section 44 (Annual return / GSTR-9 — clause (a) data source)
  • • Section 68 (E-way bill — clause (b) data source)
  • • Section 133 (Officer liability — overridden by non-obstante in sub-s. (1))
  • • Section 134 (Cognizance — relevant for any s. 133 prosecution despite override)
  • • Section 149 (GST compliance rating — potential clause (c) data source)
  • • Section 152 (Bar on disclosure — overridden by non-obstante)
  • • Section 156 (Public servant status — applies to officers processing s. 158A consent)
  • • Section 157 (Good-faith protection — defence to any officer challenge)
  • • Section 158 (Confidentiality bar — overridden for s. 158A consented data only)
  • • Section 164 (Rule-making power — anchors detailed Rules under s. 158A)
  • • Section 168 (Power to issue instructions — Circulars on consent SOPs)
  • • Article 21, Constitution of India (informational privacy — Puttaswamy anchor)
  • • Article 14, Constitution of India (procedural fairness in consent framework)
  • • Article 226, Constitution of India (writ jurisdiction over breach of consent scope)
  • • Digital Personal Data Protection Act 2023 (parallel consent regime for natural persons)
  • • RBI Master Direction on Account Aggregators 2016 (operational consent infrastructure)
  • • SEBI registration framework for analytics intermediaries
  • • IRDAI consent framework for insurance regulated entities
  • • Information Technology Act 2000, s. 43A (data-protection liability for receiving systems)
  • • Indian Contract Act 1872, ss. 13, 14 (consent — free and informed)
  • • Indian Evidence Act 1872, s. 65B (electronic records — receiving systems' evidentiary handling)
  • • Notification framework under s. 158A (designating receiving systems — operational evolution)
  • • Notification 4/2017-CT (Common Portal — operates the s. 158A consent token interface)
  • • Puttaswamy v. UoI (2017) 10 SCC 1 (constitutional anchor)
  • • Maneka Gandhi (1978) 1 SCC 248 (procedural fairness)
  • • Modern Dental College (2016) 7 SCC 353 (proportionality test)
  • • Mafatlal Industries (1997) 5 SCC 536 (procedural framework for rule-making)
  • • Bharti Airtel v. UoI (2021) 11 SCC 374 (portal records as facilitator)
  • • Calcutta Discount Co. AIR 1961 SC 372 (purpose-limitation framework)
  • • RBI's NBFC-AA Master Direction (operational compliance anchor)
  • • FA 2023 insertion notes (statutory context)
  • • GST Council recommendations on consent ecosystem (deliberative anchor)
  • • CBIC SOP on consent-based sharing (operational framework — evolving)
← All sections (197)CGST Act hub