Consent: The Cornerstone of Data Privacy

Article by Tsaaro

Consent is the cornerstone of data privacy. Any individual should have the opportunity to make choices about their personal data and give consent to the collection and processing of their data. Consent serves as a foundation for organisations to respect the autonomy of individuals with regard to their own data. Apart from ensuring regulatory compliance, a transparent consent mechanism instils confidence in users and builds long-term trust. Consent ensures ethical data practices and prevents misuse.

Consent is a lawful basis for processing personal data under data privacy laws like India’s Digital Personal Data Protection Act (DPDPA) and the EU’s General Data Protection Regulation (GDPR). Consent forms a crucial part of all data protection regulations that exist today. The general principle followed by major data privacy regulations states that informed consent is essential. Consent must be freely given, specific, informed, unambiguous and provided through clear, affirmative action.

India

The DPDPA places significant emphasis on consent as a cornerstone for the lawful processing of personal data. Section 4 of the DPDPA lays out two legal bases for the processing of personal data: consent and certain legitimate uses. Apart from processing for the legitimate uses enumerated under Section 7 of the Act, consent is mandatory for lawfully processing personal data. The Act establishes a clear framework in which individuals (data principals) are empowered to exercise control over their personal data, while organisations (data fiduciaries) are expected to process data responsibly.

Similar to the GDPR and other data privacy regulations, the DPDPA, as per Section 6, requires consent to be given to the data fiduciary by the data principal in a free, specific, informed and unambiguous manner, with clear affirmative action. This consent is essentially understood as an agreement by the data principal to the processing of their personal data for a specified purpose, and the processing must be limited to what is necessary for that specified purpose.

When consent is sought, the data fiduciary must provide a clear notice, as per Section 5, about the purpose of processing and its processing and sharing practices. Once consent is withdrawn, the data fiduciary is also obligated to cease such processing as soon as reasonably possible and erase the data (unless otherwise permitted by law). Furthermore, Section 9 provides that in the case of processing children’s data, verifiable parental consent is mandatory.

The DPDPA additionally provides for the appointment of a consent manager to ease the process of obtaining, managing, reviewing and withdrawing consent.

European Union

The GDPR establishes consent as a key legal basis for processing personal data. Recital 40 of the GDPR specifies that for the processing of data to be lawful, it must be processed on the basis of the consent of the data subject or on some other legitimate basis. Consent is integral to the GDPR’s principles of transparency, fairness and accountability, reinforcing trust between organisations and individuals. Consent is one of the lawful bases for processing personal data laid out under Article 6 of the GDPR. Consent must be freely given, informed, specific and unambiguous, expressed through clear affirmative action such as a written or oral statement. Data subjects can withdraw any given consent at any time, and withdrawing consent must be as easy as giving it. Similar to the provisions of the DPDPA, Article 8 of the GDPR requires the verifiable consent of a parent or guardian when processing a child’s personal data.

Article 22 of the Regulation deals with the right to not be subject to a decision solely based on automated processing which produces legal or adverse effects concerning the subject unless it is necessary for the fulfilment of a contract, authorised by the Union or member state or based on explicit consent.

Penalties for failure to adhere to the conditions of consent can extend up to fines of €20,000,000 or 4% of the annual global turnover of an undertaking, whichever is higher.

The importance of consent in data privacy has been highlighted by various European Data Protection Authorities as well as the Court of Justice of the European Union (CJEU) on multiple occasions. For example, in 2019 the French Data Protection Authority (CNIL) imposed a fine of €50 million on Google for failing to provide adequate information on its consent policies. It was found that Google made it too difficult for its users to understand and manage their consent and preferences regarding how their data was being used, especially in relation to targeted advertising. Google’s consent policy thereby violated the requirements of clarity, accessibility and informed consent.

United Arab Emirates (UAE)

The UAE’s Personal Data Protection Law (PDPL) emphasises consent as a fundamental basis for safeguarding the privacy of individuals and ensuring ethical data processing. The PDPL provides for consent as the primary legal basis for the processing of personal data by a Controller. The Law prohibits the processing of personal data without the consent of data subjects, subject to certain exceptions under Article 4, including processing to protect the public interest, archival purposes, research, legal procedures, protecting data subject rights, etc. The consent must be a simple, unambiguous agreement, demonstrated through a clear affirmative statement or action in either written or electronic form, that shows the data subject’s willingness to allow their data to be processed. The data subject also has the right to withdraw any given consent.

Article 18 deals with the right to object to a decision based solely on automated processing that produces legal or adverse effects concerning the subject, unless it is necessary for the fulfilment of a contract, mandated under any law in force in the UAE or based on explicit consent.

Consent of the data subject is also a crucial basis for cross-border data transfer where an adequate level of protection is not available in the receiving country, as provided under Article 23 of the PDPL.

Kingdom of Saudi Arabia (KSA)

As per Article 5 of the Personal Data Protection Law of the Kingdom of Saudi Arabia (KSA PDPL), personal data can be processed only for the purpose to which the Data Subject has consented. Data Subjects can withdraw their consent at any time. Article 15 of the KSA PDPL also mandates that Controllers must not disclose any personal data unless the Data Subject consents to such disclosure.

Article 7 of the KSA PDPL states that organizations cannot make consent a mandatory requirement for providing a service or benefit unless the service or benefit directly depends on the personal data being processed. 

Article 25 of the KSA PDPL is also an important provision, since it provides that, except for awareness materials from Public Entities, Controllers must not use personal communication means (e.g., email or post) for advertising without prior consent. Senders must provide a clear opt-out mechanism. Similarly, Article 26 provides that personal data can be processed for marketing only if it is collected directly from the Data Subject with their consent. Sensitive data cannot be collected for marketing purposes.

The Implementing Regulation of the KSA PDPL also underscores the requirement of consent. Article 11 of the Implementing Regulation requires the Controller to obtain the Data Subject’s consent through clear, written, verbal, or electronic means. Consent must be freely given, transparent, and documented, including records of consent, time, and method. Separate consent is required for each processing purpose. Explicit consent is mandatory when Processing involves Sensitive Data, Credit Data, or decisions based solely on the automated Processing of Personal Data. Article 12 of this Regulation deals with withdrawal of consent and provides that upon withdrawal of consent, the Controller shall cease the Processing of data without undue delay. 

As per Article 13, where a Data Subject fully or partially lacks legal capacity, the verifiable consent of the Data Subject’s legal guardian is required.

Article 27 of the Regulation lays down that the Controller shall obtain the consent of the Data Subject and notify them of any request to disclose their Credit Data in accordance with the provisions of the Credit Information Law. 

Conclusion

Consent plays a foundational role in data privacy laws across various jurisdictions ensuring that individuals have autonomy and control over their personal data. The emphasis on free, clear, specific, informed and unambiguous consent as an important legal basis for data processing empowers individuals while obligating organizations to ensure transparency, fairness, and accountability in data practices. As data privacy regulations evolve, consent remains a critical tool for building trust, protecting individuals’ privacy, and ensuring compliance with global data protection standards. Organizations must prioritize clear, accessible consent processes to maintain ethical data practices and safeguard user rights.
