Associate, GameChanger Law Advisors
The Ministry of Electronics and Information Technology (“MeitY”) released the Digital Personal Data Protection Bill, 2022 (“DPDP Bill”), after the withdrawal of the Personal Data Protection Bill, 2019 (“PDP Bill”) in early 2022. This marks the Government’s brand-new shot at introducing a comprehensive data privacy law for India.
In this piece, we seek to analyse the manner in which consent has been dealt with in the DPDP Bill. Clause 7(1) of the DPDP Bill defines consent as “any freely given, specific, informed and unambiguous indication of the data Principal’s wishes by which the data Principal, by a clear affirmative action, signifies agreement to the processing of her personal data for a specified purpose”. As per this Clause, the following are the requirements for consent to be valid:
- Intentional: the consent to process personal data is to be given by a person competent to consent and should be voluntary and free from coercion.
- Informed: the data principal should be notified about the description of personal data sought to be collected by data fiduciaries and the purpose of the processing of such personal data in order to enable the data principal to make informed decisions and understand what they are agreeing to.
- Unambiguous indication: this mandates a statement or clear affirmative action, so that pre-ticked opt-in boxes, silence or inactivity on the part of data principals, and the absence of any active indication of choice are not treated as valid consent.
- Specified purpose: this mandates the request for consent to be in a clearly distinguishable, intelligible, and easily accessible form, using clear and plain language so as to ensure that the specified purpose is conveyed to the data principal.
Although the DPDP Bill has adopted this definition, in large part, from Article 4(11) of the United Kingdom’s General Data Protection Regulation (“GDPR”), it has introduced the concept of consent managers who will act as intermediaries between the data principal and data fiduciaries. This introduction was made in order to streamline the process of receiving consent.
This piece is divided into three (3) parts. The first part provides context on the importance of consent to process personal data. The second part explains the consent mechanism under the DPDP Bill. In the third part, we provide our analysis of the consent mechanism under the DPDP Bill and make recommendations to make the consent-taking mechanism more robust.
(1) Why is consent required to process personal data?
In order to understand the mechanism of taking consent under the DPDP Bill, it is important to understand why consent is the legal basis for processing personal data. The DPDP Bill defines personal data under Clause 2(13) as “any data about an individual who is identifiable by or in relation to such data”. Such data that can identify an individual would include their name, address, email address, phone number, date of birth, identification card number such as an Aadhaar card number, and so on. Since a natural person is identifiable through such personal data, the law recognises that it belongs to that natural person, also referred to as the ‘data principal’.
Further, in order to ensure the right to privacy of a data principal, the data principal should be entitled to control his/her own personal data. This has been acknowledged and extended in scope in the Supreme Court’s judgment in Justice K.S. Puttaswamy (Retd.) vs Union of India and Ors., where it was held that the right to exercise control over personal data also encompasses the right to control the individual’s existence on the internet, with certain limitations. This sets the context for our discussion on the mechanism of consent under the DPDP Bill.
(2) The mechanism of consent under the DPDP Bill.
Consent is essential for processing personal data under the DPDP Bill. The DPDP Bill envisages the following mechanisms for obtaining consent from the data principal:
(i.) Directly obtaining consent from the data principal
In this mechanism, the data fiduciary can obtain the consent of the data principal directly through an itemized notice. As per Clause 6(1) and Clause 7(3) of the DPDP Bill, every request for obtaining consent presented to the data principal must be an itemized notice (i.e., presented as a list of individual items) containing the description of personal data sought to be processed and the purpose of processing, in clear and plain language. Previously, the PDP Bill made it a mandate for the notice to contain the following information:
a. the purposes for which the personal data is to be processed;
b. the nature and categories of personal data being collected;
c. the identity and contact details of the data fiduciary and the contact details of the data protection officer, if applicable;
d. the right of the data principal to withdraw his consent, and the procedure for such withdrawal, if the personal data is intended to be processed on the basis of consent;
e. the basis for such processing, and the consequences of the failure to provide such personal data;
f. the source of such collection, if the personal data is not collected from the data principal;
g. the individuals or entities including other data fiduciaries or data processors, with whom such personal data may be shared, if applicable;
h. information regarding any cross-border transfer of the personal data that the data fiduciary intends to carry out, if applicable;
i. the period for which the personal data shall be retained or where such period is not known, the criteria for determining such period;
j. the existence of and procedure for the exercise of rights;
k. the procedure for grievance redressal;
l. the existence of a right to file complaints to the Data Protection Authority; and
m. where applicable, any rating in the form of a data trust score that may be assigned to the data fiduciary.
The DPDP Bill does not provide any such guidance for obtaining the consent of the data principal to process their personal data.
(ii.) Consent via Consent Managers
The DPDP Bill, through Clauses 7(6) and 7(9), has introduced a novel concept of third-party “consent managers” who enable the data principal to give, manage, review, and withdraw their consent through an accessible, transparent, interoperable platform. By introducing these entities that digitally enable consent through an interoperable technology framework, India will be the only country to statutorily recognise and adopt a tripartite model for data sharing. It can be inferred that consent managers are independent entities entrusted to manage data principals’ consent for sharing data with data fiduciaries through an interoperable, secure, and transparent platform. It is also to be noted that, as per Clause 7(7), consent managers are data fiduciaries and are accountable to data principals. Every consent manager would also be statutorily required to be registered with the Data Protection Board of India.
The introduction of consent managers is a welcome change, as it allows data principals to keep track of all the consent they have provided through a consent manager platform. However, the DPDP Bill does not prescribe the necessary qualifications for consent managers, nor any explicit compliance requirements that they must mandatorily meet in order to safeguard personal data and the rights of data principals.
(iii.) Deemed Consent
The DPDP Bill also introduces the concept of “deemed consent”. The purposes of processing which were either exempt from consent-based processing or were considered reasonable purposes have been categorised under deemed consent. The following are the nine (9) scenarios where the data principal’s consent for processing is presumed:
- personal data is voluntarily provided by the data principal and it is reasonably expected that such personal data is provided for entering into, or for the performance of a contract;
- processing by the state for the performance of any function under law, or provision of any service or benefit to the data principal;
- compliance with any judgment or order;
- response to a medical emergency involving threat to the life or health of the data principal or other individual;
- providing medical treatment or health services to any individual during an epidemic, disease outbreak, or public health crisis;
- disaster management or public disorder;
- employment-related purposes;
- in public interest; and
- for any fair and reasonable purpose as may be prescribed taking into consideration the legitimate interests of data fiduciary in processing and whether such interests outweigh any adverse effect on data principal, public interest, and reasonable expectations of data principal having regard to the context of processing.
As discussed above in this article, the DPDP bill defines consent to be a clear, informed, and affirmative action. However, it may be argued that recognizing the concept of deemed consent runs contrary to this principle of consent being clear and informed. This may also be why the GDPR itself does not recognise deemed consent. While the Indian Contract Act, 1872 provides for implied consent, in the context of personal data privacy this concept may not be as relevant and therefore, may need to be reconsidered.
In effect, deemed consent may be seen as diluting the transparency and accountability principles, since data principals would be unaware of what, why, how, and when their data is being used or will be used. However, if the concept of deemed consent is retained, it is suggested that there should be specific statutory safeguards mandating data minimisation and privacy protection for the data principal. The following are some of the safeguards that may be considered for mandating under the DPDP Bill:
- Restricting the data collection process to only what is necessary and sufficient.
- Tracking and restricting data hoarding attempts by data fiduciaries.
- Conducting periodic assessments to evaluate the necessity of storing each instance of personal data collected via deemed consent.
- Archiving or deleting data that has outlived its usefulness.
- Mandatory encryption of personal data collected via deemed consent, so as to ensure data protection.
- Pseudonymisation, a technological method used for stripping identifying information from larger sets of data. This process makes it impossible to link the data principal and the personal data provided by them.
As per Clause 7(4), Clause 7(5), and Clause 13(2)(d) of the DPDP Bill, the data principal has the right to withdraw consent for the processing of data at any time. On withdrawal of consent, the data fiduciary is required to cause its data processors, within a reasonable period of time, to cease processing the personal data of such data principal.
(3) Our analysis of consent under the DPDP Bill
The following are our suggestions on how the consent-taking mechanism can be made more robust:
- Provide a standard format of consent notice so as to ensure that all the necessary information has been given to the data principal while receiving their consent. This will also ensure that the information is captured in a simple, plain, and comprehensible manner.
- Classify consent managers as significant data fiduciaries under Clause 11 of the DPDP Bill in order to ensure the protection of personal data and uphold the objective of the DPDP Bill.
- Mandate prior or post facto notification in regard to deemed consent so as to ensure accountability and transparency.
We believe that these suggestions will ensure that the validity of consent is not vitiated by a lack of sufficient procedural safeguards in procuring such consent, and that they merit consideration as the Government finalises India’s new data protection law.
The Author would like to thank Saket Rachakonda (Senior Associate, GameChanger Law Advisors) for his inputs.
Disclaimer: This post has been prepared for informational purposes only. The information and/or observations contained in this post do not constitute legal advice and should not be acted upon in any specific situation without seeking proper legal advice from a practising attorney.