Decoding ‘Consent’ under the Digital Personal Data Protection Act, 2023
India has joined the ranks of dozens of nations worldwide that have enacted comprehensive data protection laws, with the Digital Personal Data Protection Act, 2023 (“DPDPA” or the “Act”) receiving presidential assent on August 11, 2023.
The Act, which applies to personal data collected in digital form or non-digital data subsequently digitized, came into existence following the Supreme Court’s recognition of the ‘Right to Privacy’ as a fundamental aspect of the ‘Right to Life’ enshrined under Article 21 of the Indian Constitution. In the case of Justice K.S. Puttaswamy vs. Union of India (2017), the Supreme Court recommended that the Government of India establish a regime for the protection of Personal Data.
Contours of Privacy & Consent:
In our increasingly digital age, the right to privacy has emerged as one of the most critical issues. Simply put, freedom from unwarranted intrusion is a fundamental human right. The Puttaswamy judgment highlighted that “privacy safeguards individual autonomy and recognizes an individual’s ability to control important aspects of their life.” It drew upon debates and writings on the evolution of privacy, emphasizing that personal decisions that define a way of life are inherently connected to privacy. Privacy, being an integral component of human dignity, is now more crucial than ever to protect through a robust, equitable, and enforceable rights-based regime within the legal system.
To foster a culture of privacy, organizations must adhere to two key principles:
(a) only collect, use, retain, and disclose personal information that is clearly necessary to achieve their goals, and (b) provide comprehensive training to those handling this information regarding the value of privacy protection while implementing monitoring mechanisms to ensure accountability.
In essence, organizations cannot treat privacy lightly. Giving consumers choices regarding the use, storage, management, and collection of personal information has become paramount. In Europe, where EU Data Protection Authorities are increasingly imposing fines on non-compliant businesses, understanding when to rely on consent is crucial for employers and employees.
Consent is a legal basis for processing user data. Section 6 of the Act addresses Affirmative Consent, stipulating that consent must be precise, freely provided, informed, unconditional and unambiguous. In other words, data subjects must understand that their agreement pertains only to the processing of their data for the intended purpose and the specific personal information required for that purpose. Coercion should play no part in this process. Importantly, data principals retain the right to withdraw their consent at any time, with the same ease with which they initially gave it. The withdrawal of consent will not affect the legality of data processing based on prior consent. Organizations must also adhere to the notice requirements outlined in Section 5 and the permissible uses outlined in Section 7.
According to Section 5, notice must be provided each time consent is sought, and even if consent was previously granted before August 11, 2023, new notice must be given before processing data. The format for this notification is still under development, likely subject to rulemaking, with the possibility of additional requirements emerging.
Data principals should have the option to view the notice and consent form in either English or any other language listed in the Eighth Schedule of the Indian Constitution, which includes Urdu, Tamil, Telugu, Sanskrit, Punjabi, Marathi, Hindi, Kannada, Bengali, Gujarati, Kashmiri, and more.
Section 7 of the Act outlines the “legitimate uses” for which personal data may be processed without the data principal’s consent. These include employment-related processing, responding to medical emergencies, fulfilling legal obligations on behalf of the state or central government, providing services or benefits to the data principal, and complying with any judgments or orders made pursuant to any law. It’s noteworthy that the DPDP Act does not include certain grounds, such as processing for the fulfillment of a contract and legitimate interests, which are allowed under the EU GDPR. Clauses similar to “contractual necessity” and “legitimate interests” (common in GDPR) are currently absent from the list of “legitimate uses,” though future regulations and judicial interpretations may include them.
Conclusion:
In an era where personal data is frequently exchanged and processed, the DPDP Act’s emphasis on consent as a cornerstone of data protection marks a significant stride in enhancing individuals’ privacy rights. By ensuring that individuals play a clear and active role in determining how their data is used, the Act aims to create a safer and more transparent digital environment. Within the DPDPA framework, consent reinforces the notion that personal data primarily belongs to the individuals to whom it pertains.
As the DPDPA takes effect, organizations must adapt their data collection and processing practices to align with the Act’s consent requirements. This shift towards greater transparency and individual empowerment signifies a substantial evolution in data protection laws and reflects the growing recognition of the importance of privacy in our digital age.