Of Consent and Lawful Uses: Where the Rubber Meets the Road
While the concept of consent, in consonance with the current consent-based regime under the Information Technology Act, 2000 (“IT Act”)[1] as well as the constitutional primacy of consent and autonomy under various court decisions dealing with the right to informational privacy, has remained firmly entrenched as the primary basis for the collection and processing of personal data under the various drafts of general personal data protection legislation in India over the years,[2] the newly notified Digital Personal Data Protection Act, 2023 (“Act”)[3] also provides for “legitimate use” as a key additional basis available to Data Fiduciaries[4] for the collection and processing of personal data.[5]
As a part of our series on the Act, we now examine how the Act deals with consent as well as legitimate use, as against the draft Digital Personal Data Protection Bill, 2022 (“Draft”)[6] and some global frameworks.
The Act continues to require that consent be free, specific, informed, unconditional, express and signified through an affirmative act.[7]
Under the Act, the notice accompanying a request for consent must be given each time consent is sought,[8] potentially increasing the size of the tsunami of notices (and the attendant fatigue) that Indians will soon be subject to.
The Act also continues to require that fresh notice be provided where processing has been consented to previously.[9] In India, where consent was only required for processing a narrowly defined set of ‘sensitive personal data or information’ under the IT Act,[10] Data Fiduciaries will have to examine their previous consents carefully, provide fresh notices, and (potentially) take fresh consents after the Act officially comes into force. It may therefore be useful to clarify the position around legacy personal data that has been processed without specific consent, where the law did not require the same. Data Fiduciaries can continue to process personal data for which consent was collected prior to the enactment of the Act[11] by providing notice in the prescribed form,[12] and, in a move that will be welcomed by businesses, the Act clarifies that Data Fiduciaries may continue to process such personal data until the Data Principal[13] withdraws consent.[14]
Importantly, in a position that is currently more liberal than that under many other legislations around the world,[15] the Act currently allows consolidated consent to be taken by giving notice (clear, comprehensible, available in multiple languages, listing the purposes for which data may be processed, the manner in which a Data Principal may exercise her rights and the manner in which a complaint may be made to the Board) in a manner that may be specified.
Unlike the Draft, the Act no longer expressly requires that such notices list purposes in itemized form, and instead requires that notice be given in a manner that will be prescribed.[16]
While this leaves open the possibility of a more onerous requirement for granular consents (i.e., separate consents for each purpose)[17], the Act also appears to address the concern of “all or nothing” bundled consents in a different manner.
Interestingly, in a change that appears intended to codify purpose limitation and avoid bundling, the Act includes:
While the former is welcome, the latter is problematic for two reasons:
The Act mirrors the position on withdrawal of consent as specified in the Draft.[20] Data Principals have a right to withdraw consent for the processing of data as easily as the manner in which consent was given. However, such withdrawal does not affect the lawfulness of processing done prior to the withdrawal.[21] Upon withdrawal, the Data Fiduciary is required to cease processing of such personal data “within a reasonable time”, unless such processing is authorised under law.[22] The consequences of such withdrawal are to be borne by the Data Principal.[23] In another move to strengthen consent, the Act extends the obligation to erase data upon withdrawal of consent to both the Data Fiduciary and entities processing data on its behalf.[24]
The introduction of “deemed” consent, potentially from Singapore’s Personal Data Protection Act, 2012 (“PDPA”)[25], in place of “reasonable purpose” exceptions under the Draft was the locus of much debate. The Act replaces this concept with a more palatable concept of “legitimate use” and also ushers in significant changes, some of which may prove problematic:
A somewhat problematic change in the Act may be the removal of deemed consent exceptions for what were erroneously called public interest purposes[36] but translated into “reasonable purpose” processing in much of the world.
Entirely omitted are key reasonable purpose exceptions like prevention of fraud, network and information security, and operation of search engines.
While the exclusion of all personal data that has been made publicly available by the Data Principal (or by operation of law) from the ambit of the Act may partly address some of these purposes, this is by no means a comprehensive solution.
Other exceptions are narrowed significantly. For instance,
The omission and narrowing of the aforementioned types of exceptions, which are common internationally,[42] and the removal of the mechanism through which additional “fair and reasonable” purposes could be specified,[43] are not only contrary to the generally flexible, business-friendly tone of the Act, but may also prove unwieldy in the years to come.
[1] The Information Technology Act, 2000 (“IT Act”) read with Rule 5, The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), available here.
[2] The Draft, available here; the Report of the Joint Committee on the Personal Data Protection Act, 2019 (“2021 Act”), available here; the Personal Data Protection Act, 2019 (“2019 Act”), available here; and the Personal Data Protection Act, 2018, available here.
[3] The Digital Personal Data Protection Act, 2023 (“Act”), available here.
[4] Section 2(i), Act: “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
[5] Section 2(t), Act: “personal data” means any data about an individual who is identifiable by or in relation to such data.
[6] The Digital Personal Data Protection Bill, 2022 (“Draft”), available here.
[7] Section 6(1), Act.
[8] Section 5(1), Act.
[9] Section 5(2), Act.
[10] IT Act read with Rule 5, SPDI Rules.
[11] Section 5(2), Act.
[12] Sections 5(2) and 40(2)(b), Act.
[13] Section 2(j), Act: “Data Principal” means the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; and (ii) a person with disability, includes her lawful guardian, acting on her behalf.
[14] Section 5(2)(b), Act.
[15] Article 7, General Data Protection Regulation (“GDPR”), available here.
[16] Section 5(2), Act.
[17] Section 6(2), Act.
[18] Section 6(1), Act.
[19] Illustration to Section 6(1), Act.
[20] Sections 6(4) and 6(5), Act; Section 6(4), Draft.
[21] Section 6(5), Act.
[22] Section 6(6), Act.
[23] Section 6(5), Act.
[24] Section 8(7), Act.
[25] Section 15, PDPA, available here.
[26] Section 7(a), Act.
[27] Section 8(9)(c), Draft.
[28] Section 7(a), Act.
[29] Illustration to Section 7(b), Act.
[30] Section 7(b), Act.
[31] Section 7(c), Act.
[32] Section 7(d), Act.
[33] Section 7(e), Act.
[34] Section 7(i), Act.
[35] Section 8(7), Draft.
[36] Section 8(8), Draft.
[37] In comparison to Section 8(8)(b), Draft.
[38] Section 17(1)(e), Act.
[39] Section 8(8)(d), Draft.
[40] Section 8(8)(a), Draft.
[41] Section 17(1)(f), Act.
[42] Section 6, Part 3, PDPA; Recital 47, GDPR.
[43] Section 8(9), Draft.
Managing Partner of Cyril Amarchand Mangaldas. With over 37 years of experience, Cyril is regarded as the leading and authoritative figure in corporate law in India. He can be reached at [email protected].
Partner (Head- Technology & Telecommunications) at the Bengaluru office of Cyril Amarchand Mangaldas. Arun is part of the Technology, Media and Telecommunications (TMT) group and has special expertise in advising clients in the electronics, information technology enabled services, outsourcing and information technology sectors. He was also a member of the Government of India’s working group on the legal enablement of information and communication technology systems. Arun was described as a “very effective and highly knowledgeable” lawyer by Chambers and Partners in 2011. He can be reached at [email protected]
Director and head of the Public Policy Practice at Cyril Amarchand Mangaldas. He has rich experience in advising public sector and private sector clients on policy issues related to ESG, Infrastructure, Technology and Finance. He can be reached at [email protected].
Partner in the General Corporate Practice at the Bengaluru office of Cyril Amarchand Mangaldas, and is part of the Technology, Media and Telecommunications practice of the Firm.
Anirban regularly advises clients across diverse sectors including healthcare, manufacturing, banking, information technology, automobile, financial services, media and broadcasting on transactional as well as advisory matters. Anirban supports transactions by handling the entire documentation process for large-scale technology transactions and advises on emerging trends in the data protection and privacy space. Anirban works closely with the business teams of clients to ideate and evolve legal documentation, policies and best practices based on the commercial requirements of clients and interactions with regulators such as the Telecom Regulatory Authority of India (“TRAI”).
He graduated from West Bengal National University of Juridical Sciences, and first joined the firm in 2012. He can be reached at [email protected].
Senior Associate in the General Corporate Practice at the Bengaluru office of Cyril Amarchand Mangaldas. She can be reached at [email protected].
Senior Associate Designate in the General Corporate Practice at the Ahmedabad office of Cyril Amarchand Mangaldas. Mahim specialises in blockchain, data protection and information technology matters. He can be reached at [email protected].
Associate in the General Corporate Practice (Technology and Telecommunications) at the Bengaluru office of Cyril Amarchand Mangaldas. She can be reached at [email protected].
Associate in the General Corporate Practice at the Bengaluru office of Cyril Amarchand Mangaldas. She can be reached at [email protected].