In part one of this series on India’s Digital Personal Data Protection Act, 2023 (the Act), we look into the Act’s scope and application. In part two, Rachit Bahl, Rohan Bagai, and Neha Agarwal delve into consent and legitimate uses.
On August 11, 2023, India enacted the Act. Once its provisions come into force, the Act will replace Section 43A of the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules).
The Act introduced a unique concept of a fiduciary relationship between data subjects and data controllers and classified them as ‘data principals’ and ‘data fiduciaries,’ respectively. Akin to data protection regimes across jurisdictions, the Act also envisages the role of data processors who process personal data on behalf of data fiduciaries and imposes obligations on data fiduciaries to ensure that their data processors comply with the Act through contractual arrangements.
Basis for processing personal data
Any processing of the personal data of a data principal must be in accordance with the provisions of the Act and be based on:
- the data principal’s consent for processing their personal data for a lawful purpose; or
- certain legitimate uses, as specifically identified under the Act.
In other words, while the Act heavily relies on the consent of the data principal as the basis for processing personal data, it also envisages certain specific grounds on which the personal data of the data principal can be processed without obtaining their permission/consent.
Consent
If consent is the underlying basis for processing personal data, such consent needs to be free, specific, informed, unconditional, unambiguous, and with clear affirmative action. The consent should also clearly signify the data principal’s agreement to process their personal data for the specified purpose and be limited to only such personal data as is necessary for the specified purpose.
Based on the above requirements prescribed under the Act, it seems clear that a data fiduciary needs to ensure that the following tenets are adhered to while processing the personal data of data principals based on their consent:
- the consent language should not be broad and all-encompassing: it should be specific and limited to the purpose for which the personal data of the data principal is proposed to be processed (i.e., purpose limitation);
- only data elements that are necessary for the specified purpose should be collected and processed (i.e., data minimization);
- the mechanism for obtaining consent from the data principal cannot be passive: the data fiduciary should build their user experience (UX)/consumer experience (CX) in a way that requires the data principal to actively opt-in to provide their permission for the processing of their personal data (i.e., requires affirmative action from the data principal); and
- consent cannot be bundled: if a data fiduciary proposes to process personal data for multiple purposes, it must ensure that the data principal is given the opportunity and freedom to choose the purpose(s) for which they wish to allow the data fiduciary to use their personal data. Otherwise, the consent may not be considered ‘free,’ which is one of the essential attributes of valid consent under the Act.
Notice
While requesting consent from the data principal, the data fiduciary needs to provide a ‘notice’ to the data principal either along with or prior to obtaining such consent. This notice must be presented to the data principal in clear and plain language with the following information:
- categories of personal data processed;
- purpose of the processing of personal data;
- process for data principals to exercise the right to withdraw consent and right of grievance redressal; and
- process for data principals to file a complaint with the Data Protection Board of India.
The data principal needs to be provided an option to access the contents of the notice in English or any language specified in the 8th Schedule to the Constitution of India (such as Hindi, Bengali, Assamese, etc.).
For situations where data principals have already given their consent to the data fiduciary for processing of their personal data before the commencement of the Act, the data fiduciary is required to provide a similar notice containing the aforesaid details as soon as it is reasonably practicable. The data fiduciary can continue processing personal data unless and until the data principal withdraws their consent. Accordingly, the Act preserves consents obtained prior to the enforcement of the Act and requires data fiduciaries merely to provide notice.
Withdrawal of consent
The data fiduciary is also required to ensure that the data principal is provided the right to withdraw their consent for processing their personal data at any time. The option to withdraw consent provided by the data fiduciary should offer the data principal the same level of ease with which the consent was given.
Once such consent is withdrawn by the data principal, the data fiduciary must cease processing the data principal’s personal data, and must require its data processor to cease as well, unless such personal data is required to be retained to meet a legal obligation.
Personal data of children and persons with disability
For processing the personal data of a data principal who is below the age of 18 years or is a person with a disability, the data fiduciary needs to obtain verifiable consent from the parent/legal guardian to process their personal data. The manner of obtaining such verifiable consent is likely to be prescribed in rules that may be notified by the Government of India.
Legitimate uses
The Act has introduced a basis for processing personal data without the consent of the data principal for certain special use cases and termed it ‘legitimate uses.’
The legitimate uses for which a data fiduciary may process the personal data of a data principal without obtaining their consent include, among others:
- specified purposes for which the data principal has voluntarily shared personal data without objecting to such processing;
- processing for purposes of employment or those related to safeguarding the employer from loss or liability (such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, etc.);
- responding to medical emergencies;
- performing any function under law, or the State providing any service or benefit to the data principal; and
- compliance with any judgment or order issued under any law.