The concept of data privacy in India is still evolving and is presently governed by the Information Technology Act, 2000 (hereinafter referred to as “IT Act”). With the aim of introducing specific and comprehensive legislation pertaining to data privacy, the Personal Data Protection Bill, 2019 (hereinafter referred to as “PDP Bill”) was tabled, taking inspiration from one of the most comprehensive data protection regulations, the General Data Protection Regulation (hereinafter referred to as “GDPR”).
Furthermore, the landmark judgment of K.S. Puttaswamy v. Union of India [(2017) 10 SCC 1] has paved the way for the introduction of legislation that specifically deals with data protection. The Supreme Court in this judgment observed that the Central Government should develop an effective system for the protection of data, through which a balance can be maintained between the concerns of the state and the interests of the individual.
The main objectives of the PDP Bill include safeguarding an individual’s personal data, regulating the flow and use of personal data, and setting up an authoritative body for these purposes. Also, the processing of personal data by the companies and the government shall be regulated by the PDP Bill.
Consent forms the foundation of every legislation governing data protection. It is an established global practice to obtain an individual’s consent before collecting or using his/her personal data, and the same has been incorporated under the PDP Bill. Through this Article, we seek to analyse the role of consent for data protection in the Indian scenario.
The concept of ‘consent managers’ has been introduced under the PDP Bill. As per the explanation given under Clause 23 of the PDP Bill, a consent manager is “a data fiduciary which enables a data principal to gain, withdraw, review and manage his consent through an accessible, transparent and interoperable platform.”
Consent managers are thus data fiduciaries who are entrusted with aiding the data principal in managing their consent via a transparent and extensible system. They are bound by the regulations of the Data Protection Authority (hereinafter referred to as “DPA”) and are required to be registered with it.
PROVISIONS RELATING TO ‘CONSENT’ UNDER PDP BILL, 2019
For the effective working of any data protection legislation, consent plays a very important role. The advantage of a consent-based system is that the user’s autonomy is respected and a clear-cut foundation is laid for the processing of data by the body that has received such consent.
The PDP Bill clearly prohibits the use of personal data by a data fiduciary except for lawful, clear and specific purposes. Clause 23(3) of the PDP Bill provides that the consent of a data principal can be given to a data fiduciary, or withdrawn from it, via consent managers. Such consent or withdrawal via consent managers is to be considered as direct communication between the data principal and the data fiduciary.
Following are certain provisions under the PDP Bill which deal with consent:
A. Processing of Personal Data
Clause 11 of the PDP Bill provides that the processing of personal data shall not take place unless consent for the same has been provided by the data principal at the commencement of the processing. Data fiduciaries are vested with the duty of processing personal data in a fair and reasonable way and may use it only for the purpose to which the data principal has consented or for purposes related to it. Thus, fresh consent is required to use the data for a new purpose.
Furthermore, data fiduciaries collecting personal data with consent are required to give notice to the data principal regarding the same, and the notice must contain information about the data principal’s right to withdraw consent and the procedure for such withdrawal. The test of ‘valid consent’ has been laid down under Clause 11(2) of the PDP Bill, which states that the consent must be:
- Free, as per Indian Contract Act, 1872;
- Informed, taking into account whether the requirement of providing information under clause 7 has been complied with or not;
- Specific, taking into consideration that scope of consent with regard to the purpose of processing can be identified by the data principal;
- Clear, taking into account whether the same has been indicated via an affirmative act;
- Capable of getting withdrawn.
B. Processing Personal Data without Consent
Clause 12 of the PDP Bill provides exceptions to Clause 11 and limits its scope. As per the said clause, the State can process personal data without the subject’s consent in order to provide him any benefit or service, to issue a licence, permit or certification for any act of the subject, to comply with a court’s orders or judgments, or to take action during a breakdown of public order, a medical emergency or a disaster.
Additionally, an employer can process personal data without consent for the purposes of termination, recruitment, attendance verification, performance assessment, etc., provided that it is not SPD; the same is stipulated in Clause 13 of the PDP Bill. Further, data can be processed for other ‘reasonable purposes’ provided under Clause
C. Processing of Sensitive Personal Data
With regard to consent for the processing of Sensitive Personal Data (hereinafter referred to as “SPD”), there are certain additional requirements: (a) the data principal must be informed of any purpose of processing that is capable of causing significant harm, (b) the consent must be clear and not inferred, and (c) the data principal must be given the choice of consenting separately to the purposes of, the operations in, and the use of different categories of SPD relevant to the processing.
D. Processing Personal Data of Children
Parental consent is a precondition for the processing of the SPD and personal data of children (persons below the age of 18 years) by a data fiduciary. The collection of such data must be done in their best interest and for safeguarding their rights. However, parental consent is not required where a child protection service or exclusive counselling is provided to a child by a ‘guardian data fiduciary’.
E. Cross Border Data Transfer
For the transfer of SPD outside India for processing, the data principal’s explicit consent is required, along with the fulfilment of certain other conditions mentioned under Clause 34 of the PDP Bill.
F. Right to be Forgotten
Where the continuing disclosure of personal data by a data fiduciary is being done with the consent of the data principal, it can be prevented or restricted by the data principal once such consent has been withdrawn by him, as per Clause 20 of the PDP Bill.
G. Re-identification and processing of de-identified Personal Data
Re-identifying personal data that a data fiduciary has de-identified, or re-identifying and processing such data, by any person, whether intentionally or not, without taking the data fiduciary’s consent, is made punishable under Clause 82 of the PDP Bill.
H. Retention of Personal Data
The retention of personal data by a data fiduciary beyond the period required to satisfy the purpose of processing is restricted under Clause 9(1) of the PDP Bill. However, with the ‘explicit’ consent of the data principal, the same can be retained for a longer period.
‘CONSENT’ UNDER THE GENERAL DATA PROTECTION REGULATION
The GDPR is the personal data and privacy protection legislation of the European Union and was created to bring uniformity to the law relating to data protection and to place more control in the hands of the data subject.
The GDPR’s primary aim is to maintain integrity and protect data in the modern, technically advanced world.
Consent is defined under Article 4 of GDPR as “any freely given, specific, informed and unambiguous indication of a data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
From this definition, the essential conditions that form valid consent can be identified. The most important condition in obtaining consent is that it must be freely given. This implies that the consent given by the data subject must not be under any undue influence or coercion. The data subject, while giving consent, should have control over such data and a real choice. Under Recital 43 of the GDPR, there are some concepts that facilitate the identification of free consent, and they are as follows:
- Imbalance of power
The presence of a power imbalance between the data controller and the data subject in certain cases, such as those involving public authorities or an employer-employee relationship, indicates a high probability that the consent is not freely given.
Making the provision of a service or the performance of a contract conditional on the data subject giving consent for the processing of personal data that is not needed for the performance of that contract is considered undesirable under Article 7 of the GDPR. Thus, it strives to prevent the “bundling up” of consent with the performance of a contract. Furthermore, consent provided in such circumstances is not deemed free under Recital 43.
There exist situations where the data controller processes data for multiple purposes. In such cases, separate consent of the data subject must be obtained by the data controller for every purpose. Recital 32 of GDPR states that “Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them”. Where such consent is not obtained by data controller, it implies absence of free consent.
Recital 42 of the GDPR requires the data controller to show that consent can be easily refused or withdrawn by the data subject without any detriment. Thus, where refusal or withdrawal of consent is not allowed, the consent will not be regarded as free.
The second condition for the validity of consent is that it must be informed. Giving information to data subjects aids them in making an informed decision and understanding what they are agreeing to. So, where certain vital information, such as the identity of the controller, the right of withdrawal, etc., is not given to the data subject, their control is rendered a mere illusion and their consent will not be a valid ground for processing data.
The third essential of valid consent is that it must be specific, i.e., the consent for data processing must be used only for the specific purpose for which it was given, and separate consent must be obtained for separate specific purposes.
The fourth essential of valid consent is that it must be unambiguous and must be indicated through a written statement or an affirmative act on the part of the data subject. Furthermore, for the processing of special categories of personal data, explicit consent is required to be obtained from users by the controller under Article 9 of the GDPR. Such explicit consent must be in written form.
Data privacy and the protection of personal data have become among the most important aspects of an individual’s life in the modern world. Regulation of such a crucial issue must be done via omnibus legislation on the matter. Consent plays a very vital role in such legislation and forms the primary foundation of the PDP Bill.
Overall, while the proposed legislation implements a number of steps to give individuals more control over their personal data, it remains to be seen if a consent-based regime.
Will consumers truly desire to gain control over their data, including by spending more time reading privacy policies and making informed decisions? Will they be able to successfully prosecute firms that violate the law’s provisions? These are certain grey areas that remain to be looked into.
-Team AMLEGALS assisted by Ms. Surbhi Jhanwar (Intern)