Data protection requires a comprehensive system design strategy incorporating administrative, legal, and technical safeguards. To safeguard user rights, personal information, and privacy, the Ministry of Electronics & Information Technology (MeitY) has released the draft Digital Personal Data Protection Bill 2022 (DPDPB). The bill covers the processing of digital personal data in India, whether obtained online or collected offline and then digitized. It also applies to processing conducted outside India if it involves offering products or services to Indian citizens or profiling Indian citizens.
The DPDPB mandates that personal data can only be processed with the individual’s consent for a lawful purpose. In some cases, consent may be deemed given. Analysing the provisions related to consent under the Act, this article explores its intricacies in relation to privacy regulation in India.
Evolution of the concept of ‘consent’ under various existing laws in India vs. DPDPB:
When the IT Act was enacted in 2000, its primary objective was to establish fundamental aspects of technology law, such as digital signatures and the legal validity of electronic documents. The Information Technology (Amendment) Act, 2008, which came into effect on October 27, 2009, brought significant changes to the IT Act. It introduced Section 43A, requiring corporate entities handling sensitive personal data to adopt reasonable security practices and providing for compensation where data protection was inadequate. It also inserted Section 72A, which imposed penalties for intentional breaches of personal data. The amendment did not, however, define personal data or sensitive personal data; the determination of “sensitive personal data or information” was left to the Central Government in consultation with professional groups. The 2011 Rules, effective from March 28, 2012, were subsequently framed under this provision, marking India’s first legal framework for data privacy.
Rule-5(1) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“2011 Rules”) states that:
“Body corporate or any person on its behalf shall obtain consent in writing through letter or Fax or email from the provider of the sensitive personal data or information regarding purpose of usage before collection of such information.”
Therefore, consent is crucial for collecting and using sensitive personal data. While the 2011 Rules emphasize the need for consent, they lack specific guidelines or requirements for obtaining valid consent or addressing its specifics.
In 2017, the Supreme Court of India declared the right to privacy as a fundamental right in the case of K.S. Puttaswamy v. UOI. This led to the formation of a committee led by B.N. Srikrishna to address data privacy in India. Recognizing the changing market dynamics and the increasing reliance on data in the digital economy, the committee recommended the adoption of a data protection law. As a result, the Personal Data Protection Bill 2019 was initially proposed but later withdrawn. Subsequently, a revised bill called the Digital Personal Data Protection Bill 2022 was introduced.
In comparison, the DPDPB of 2022 introduces a robust framework for consent, emphasizing informed, clear, and affirmative consent for personal data processing. It incorporates explicit consent principles, requiring specific and separate consent for each purpose. The bill mandates clear communication of consent requests in plain language, along with contact details of the Data Privacy Officer or authorized personnel. The new law defines the consent framework clearly, extending its scope to all personal data and providing detailed provisions for both sensitive and non-sensitive data. It prioritizes individual autonomy, transparency, and control over personal data, setting higher standards for obtaining and maintaining consent in data protection.
Ensuring consent compliance: DPDPB 2022 Requirements
Sections 7 and 8 of the bill outline requirements for ‘consent’ and ‘deemed consent,’ binding data fiduciaries to comply with them. Section 7(1) mandates ‘free,’ ‘specific,’ and ‘informed’ consent, ensuring voluntary agreement is limited to the stated purpose and not extended to undisclosed purposes. However, consent must not violate the provisions of the Act.
Section 7(3) obligates data fiduciaries to present consent requests in clear and plain language, providing the option for the data principal to access them in English or any language specified in the Eighth Schedule to the Indian Constitution. This inclusion aims to promote inclusivity and protect the rights of individuals who prefer their native language. However, compliance with these measures may present challenges for data fiduciaries, such as recruiting language-fluent staff, managing translations, and allocating additional resources. Maintaining consistency and timely updates across translations can be complex and time-consuming.
Section 8 of the bill deals with ‘deemed consent’. It lays down several conditions, and if the data principal acts in that manner, it is assumed that the data principal has given consent for the processing of their personal data. These conditions include the following:
i. When the data principal voluntarily provides personal data, and it is reasonably expected.
ii. For legal functions, services benefiting the data principal, or issuance of certificates, licenses, or permits.
iii. Compliance with an order or judgment under the law.
iv. Providing healthcare during epidemics or other emergencies.
v. Assisting in disasters or maintaining public order.
vi. Responding to medical emergencies for threats to life or health.
vii. Workplace-related goals like preventing espionage, protecting trade secrets, and managing employees.
viii. Processing for the public interest, including fraud prevention, mergers, security, and debt.
ix. Processing for fair and reasonable purposes, considering the data fiduciary’s interests, the public interest, and the data principal’s expectations.
Under these conditions, the bill treats the data principal as having given consent. Compliance may nonetheless be challenging, particularly in determining what constitutes “fair and reasonable” purposes under Section 8(9). Assessing whether the data fiduciary’s legitimate interests outweigh the data principal’s rights requires careful evaluation, and the outcome can vary with interpretation and perspective. In India, with its varying digital literacy rates, establishing a “reasonable expectation” regarding the consequences of data sharing is complex. Many people do not understand the implications of sharing their data, which can lead to significant privacy invasions for data principals.
Furthermore, compliance becomes challenging when authorities unreasonably process data in the name of public interest. Establishing and justifying public interest in processing personal data is subjective and can vary among stakeholders. Section 8(7) of the bill deems consent given for employment purposes, enabling employers to collect employee data without explicit consent. This provision allows surveillance technology use without employee consent, compromising privacy. It further empowers employers and exacerbates the power imbalance between employers and employees.
The bill contains a provision that limits the ability to withdraw consent in certain circumstances, which undermines the individual’s right to privacy. While the DPDPB acknowledges the right to withdraw consent, it does not apply in cases of deemed consent, restricting the rights of data principals in those situations.
Exemption for Government:
The bill grants the government certain exemptions on vague grounds, which poses a serious threat to the right to privacy. These exemptions allow the government to process user data without consent and without adhering to the provisions of the Act. Section 18(2)(a) permits the government to process user data for reasons such as national security, maintaining friendly relations with other countries, upholding public order, or preventing the incitement of a “cognisable offence” related to these matters. Furthermore, Section 18(4) enables the government to retain a data principal’s information indefinitely, as the provisions of Section 9(6) do not apply to government instrumentalities. The lack of clarity in these subsections leaves room for varied interpretations and potential misuse of these powers by government agencies.
While the data protection legislation aims to safeguard individuals’ privacy, certain ambiguous provisions and numerous exceptions, such as those regarding deemed consent in Section 8 and exemptions in Section 18, pose a threat to the bill’s objectives.
The bill includes a provision that exempts government agencies from the limitation on data storage. This exemption allows them to retain personal data indefinitely, even when the original purpose for processing the data is no longer relevant and there is no legal obligation to store it. It contradicts the principles of purpose limitation and data minimization, which call for deleting data once its intended purpose has been fulfilled. Furthermore, the bill imposes a growing set of obligations on data fiduciaries, which creates grave compliance challenges.
K.S. Puttaswamy v. UOI, (2017) 10 SCC 1.