Empowering Data Privacy: Understanding Consent in the DPDP Bill


The foundational principles of data consent and its withdrawal are central to the processing of personal data. Ensuring voluntary, well-informed, and affirmative consent, along with the freedom to retract consent, forms the bedrock of data privacy. Furthermore, providing clear notifications and multilingual options enhances transparency and accessibility.

The DPDP Bill’s distinct approach of ‘legitimate uses’ underscores permissible data processing without consent, encompassing various essential scenarios. These principles collectively shape a comprehensive framework for safeguarding data subjects’ rights and interests in the digital era. This newsletter will shed light on how the DPDP Bill deals with the issue of consent and notice.

Active, Affirmative Consent:

Section 6 of the DPDP Bill, 2023 provides that a Data Fiduciary can process data when the data principal has given consent for a specified purpose unless the data principal has explicitly indicated that she does not consent to its processing. Consent forms the fundamental basis for the processing of personal data and must adhere to principles of being voluntary, specific, well-informed, unconditional, and unambiguous.


A notice should be presented to the data subject, accompanying or preceding any request for consent. This notice should inform the data subject about their personal data and the intended purpose of processing, along with guidelines on exercising their rights to revoke consent [as per Section 6(4)], utilize the grievance resolution mechanism (given under Section 13 of the Bill), and lodge a complaint with the designated authority (i.e., the Data Protection Board of India) as per the specified procedure. In cases where the data subject has granted consent for processing their personal data before the legislation’s enactment, a similar notification must be provided at the earliest reasonable opportunity.

It is important to note that as per the Bill, the data subject should have the option to access the notice and consent form in English or any other language indicated in the Constitution of India’s Eighth Schedule (thus including widely spoken languages like Marathi, Hindi, Kannada, Tamil, Telugu, Bengali, Gujarati, etc.). This is given under Section 5 of the Bill.

Legitimate Uses:

The DPDP Bill has replaced the concept of ‘deemed consent,’ which was outlined in the 2022 draft bill for processing personal data under specific exceptional circumstances without the data subject’s consent. This is now termed as ‘legitimate uses’, under Section 7 of the Bill. These exceptions allow a data fiduciary to process personal data without securing explicit consent from the data subject. These encompass processing data for employment-related matters, addressing medical emergencies, fulfilling legal obligations or state-provided services or benefits, and adhering to Court judgments or orders.


In conclusion, the DPDP Bill’s meticulous approach to consent and notice marks a significant stride in the realm of data protection. By emphasizing active, informed, and affirmative consent, alongside comprehensive notifications and multilingual accessibility, the framework establishes a robust foundation for safeguarding individuals’ data rights. The innovative concept of ‘legitimate uses’ further strikes a balance between privacy and necessity, allowing responsible data processing for vital scenarios. Together, these principles underscore India’s commitment to modernizing data privacy norms and ensuring a secure digital landscape for its citizens.

Major Privacy Updates of the Week

The Digital Personal Data Protection Bill, 2023 has been passed by Rajya Sabha:

The Digital Personal Data Protection Bill (DPDPB), 2023, swiftly moved through the legislative process, being presented in the Lok Sabha and promptly passed by the Lower House. Subsequently, the Rajya Sabha approved the bill after the Opposition’s walkout.

This bill, designed to regulate private firms’ data collection, underscores the government’s commitment to digital privacy and aligns with global data protection principles. The bill’s journey, from introduction to approval, marks a significant step toward enhancing personal data protection in the digital age.

Biometric Concerns raised by France, Germany, and Kenya over WorldCoin’s Biometric Collection:

Worldcoin, the new cryptocurrency project launched by OpenAI CEO Sam Altman, has garnered over 2 million sign-ups globally within a week, but it has raised concerns in France, Germany, and Kenya. The project’s unique feature is the use of biometrics, requiring users to undergo iris scanning during the sign-up process.

Regulators in these countries are investigating the project’s large-scale processing of sensitive biometric data, citing potential privacy and data protection issues. France’s privacy watchdog has questioned the legality of the biometric data collection, while Kenya’s Office of the Data Protection Commissioner emphasizes the need for informed consent. Germany’s data watchdog has been investigating the matter under EU data protection rules due to the presence of a German subsidiary.

Meta to incorporate new consent approach for Advertisement in the European Union:

Meta may soon require European users’ permission for targeted ads based on their data, aiming to resolve a long-standing conflict with the European Union over advertising practices.

The proposed protocol, expected to launch by October, will ask users for a simple “yes” or “no” option for opt-ins across its platforms, including Facebook and Instagram. This change comes after a €390 million fine from Ireland’s Data Protection Commission over Meta’s legal basis for processing personalized ads.


Google fails to get $5 billion 'incognito' tracking suit dismissed:

A US judge rejected Google’s bid to dismiss a $5 billion class action lawsuit filed in June 2020. The lawsuit alleges that Google unlawfully tracked the online activities of Chrome users, even in Incognito mode. The plaintiffs argue that Google’s secret tracking via Google Analytics, Ad Manager, and other apps violates user privacy.

District Judge Yvonne Gonzalez Rogers stated that users did not explicitly consent to this data collection, highlighting Google’s representations of private browsing mode. The lawsuit covers Google users since June 2016 and seeks $5,000 per user for violations of federal wiretapping and California privacy laws.

Data Leak in Northern Ireland exposed Sensitive Information of Northern Ireland Police Officers:

On August 8, a data breach exposed the personal information of almost 10,000 Police Service of Northern Ireland officers and civilian staff. The breach occurred inadvertently during a Freedom of Information request, revealing names, roles, and locations, prompting concerns about terrorism threats and privacy.

The details were briefly accessible online before being taken down from the “What Do They Know” website. The Police Federation of Northern Ireland is calling for an immediate investigation, while politicians express their outrage and push for preventive measures to avoid similar incidents in the future.

Curated by: Prajwala D Dinesh, Ritwik Tiwari, Ayush Sahay

