Consent under the Digital Personal Data Protection (DPDP) Bill is the key concept which establishes the relationship between Data Principals and Data Fiduciaries. While the previous iterations of the draft Bill mentioned ‘deemed consent’, this has been replaced with ‘certain legitimate uses’, which introduces a concept of specific non-consent from the Data Principal’s point of view. The design of the consent form will therefore be key to minimising litigation and complaints.
Background
On 3 August 2023, the DPDP Bill was tabled by the Central Government in the Lok Sabha. The Bill is the outcome of several rounds of stakeholder consultations. The passage of this Bill would end a six-year hiatus after the Supreme Court’s landmark judgement which affirmed the right to privacy as a fundamental right under the Constitution of India.
In this article, we examine the manner in which digital personal data of the Data Principal (‘owner of the data’) can be gathered and used by the Data Fiduciary (‘the agency that is handling and processing the personal data’) and the finer points therein.
The Concept of Specific Consent
While the previous iteration of the Bill laid down the concept of ‘deemed consent’, that concept has been removed in this iteration and replaced by a combination of specific consent and ‘certain legitimate uses’, the latter not requiring specific consent.
Specific consent – covered in Clause 6 (1) of Chapter 2 – outlines the manner in which the consent of the Data Principal has to be obtained: ‘free, specific, informed, unconditional and unambiguous’. The language further specifies that the consent shall signify an agreement between the Data Principal and the Data Fiduciary that the personal data of the Data Principal may be processed for the specified purpose, and that the consent is limited to the specific data that is necessary for that purpose. In other words, the clause is aimed at protecting Data Principals against data access creep – taking more data than is necessary to carry out the specified purpose.
The illustration given in the Bill clarifies the point: an organisation providing telemedicine services requests consent to process a customer’s personal data for delivering telemedicine services, and also for accessing the customer’s phone contact list. Under the concept of specific consent, as envisaged in the Bill, the Data Fiduciary has no need for the customer’s phone contact list and is therefore barred from accessing or using that data.
However, there is a further clause which seems to bring in the concept of deemed consent through a different mechanism – which we will park for now and return to below.
The means of acquiring and managing consent
The Bill stipulates that the request for consent has to be presented to the Data Principal in a clear and plain language either in English or any language that is specified under the Constitution, and shall provide details of the Data Fiduciary’s Data Protection Officer.
However, the Bill does not prescribe any format or language in which such consent needs to be taken. The way in which the consent is worded can provide the Data Fiduciary with a wide range of personal data of the Data Principal – which, combined with the subsequent Clause on legitimate uses of personal data, brings in the first layer of interpretation of a Bill that has so far been clear and prescriptive. Before we analyse the implications of this, let us examine the ways in which a Data Fiduciary can process personal information.
The conditions for processing Personal Data by a Data Fiduciary
Clause 7 of Chapter 2 – Certain Legitimate Uses – outlines the purposes for which a Data Fiduciary can process personal data. The first part of the two-part clause states that a Data Fiduciary may process the personal data of a Data Principal for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary. This statement is very clear – for example, if I give my medical bill to an online pharmacy to place an order for medicines – the online pharmacy can use the information to deliver the medicines to me.
The second part of the clause makes for more interesting reading, wherein the clause mentions that the Data Fiduciary may process the personal data of a Data Principal in respect of a purpose of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data.
It is the second part of this statement which brings in the possibility of ‘deemed consent’. Essentially, what this means is that if a Data Principal has not specifically indicated that she does not consent to the use of her data for a particular purpose, the Data Fiduciary can use the data for that purpose – in effect, this makes it the equivalent of a specific non-consent regime.
The ramifications of this clause for various stakeholders
This brings in the first layer of interpretation of the Bill. While the obligation to obtain consent rests with the Data Fiduciary, the Bill also lays emphasis on the role of the Data Principal in being cognisant of what one is giving consent to. In fact, read together with the clause on certain legitimate uses, the Bill places more emphasis on the uses to which the Data Principal has not provided a specific non-consent.
Conclusion
This places significant importance on the design and language of the consent forms by which the transactions between a Data Principal and a Data Fiduciary are governed. The known-knowns are clear, and the unknown-unknowns cannot be foreseen. It is the known-unknowns – where the Data Fiduciary knows what it wants to do with the data but the Data Principal does not – which will cause this law to be tested, both in the field and in the judiciary. The consent forms will be the first instance where the rubber meets the road, and Data Fiduciaries are well advised to focus on how their consent forms are drawn up.