Consent in data protection bill empowers individuals even as businesses allowed legitimate use of information

With Digital Personal Data Protection Bill more guidance will come (in rules) on notice and consent, this combination of important requirements, properly enforced, can create a strong and effective consent environment in India.

In the long journey since the Supreme Court upheld a constitutional, fundamental right to privacy in 2017, leading up to the Digital Personal Data Protection Bill, 2023 which is moving through Parliament, the question of how individuals express consent and exercise their autonomy has been central. How this question is answered will have far-reaching consequence, including on how business is done in India.

This is by no means a simple question. While “granular” consent, i.e., separate indication for each set of purposes, offers a tempting vision of absolute control, in reality, this is offset by consent and notice fatigue. Users inundated by hundreds (if not thousands) of requests for consent each day are often poorly placed to respond to sub-categories of further consent. The Bill, much improved following an extensive consultation process involving over 20,000 submissions and several dozen meetings, seeks to find a very interesting and novel balance.

Obtaining consent

Fundamentally, it requires that consent must be obtained after providing a clear and legible notice, and must be free, specific, informed, express and signified through a clear act, rather than, say, merely accessing a website or application. Even if the Bill did nothing more, this, along with an effective enforcement mechanism, would provide a significant boost to India’s current anaemic general data protection regime which is dated, poorly enforced, and followed more in breach than in observance.  The Bill, however, goes a little further and implements three important concepts to improve this position.

First, it deems that even where consent is given, it will only cover data which is “necessary for the specified purpose” of processing. An illustration seems to indicate that this necessity will be read very strictly. Second, it requires that data, even collected with consent, be deleted when the purpose of its collection is no longer being served. It also gives circumstances where this will be presumed. Third, it requires that individuals will be able to withdraw their consent, at least as easily as they expressed it.

While more guidance will come (in rules) on notice and consent, this combination of important requirements, properly enforced, can create a strong and effective consent environment in India. The Bill goes even further and creates a novel system of registered consent managers. This will allow users to mindfully think about what they want done with their data, record their preferences once, and thereafter, use their consent manager to manage consents for the hundreds of products and services they use every day.

Defining legitimate use

Not all is doom and gloom for Corporate India. Perhaps to balance things out, the Bill also allows businesses to make “legitimate use” of data under other circumstances. For instance, when an individual voluntarily provides data for a purpose, data can be used for that purpose unless the person indicates otherwise. Employers can use data of their employees for the purposes of employment, to safeguard themselves from loss or liability, or to provide employees with services or benefits sought by them. Legitimate use without consent is also allowed for other urgent needs such as providing healthcare in epidemics, responding to a medical emergency, and the like.

Two additional relaxations which may prove important for Corporate India allow processing data for mergers and other arrangements approved by court, and to find whereabouts, financial information, or assets, of defaulters to financial institutions. Taken together, all of this means that whilst businesses operating in India are provided with practical avenues to secure consent, when offering products or services to Indians they will have to be very careful about how they treat data.

Users will be more aware of their rights, and have a right to know exactly what data businesses hold, and how they use it and have recourse to a dedicated digital body in the form of the Data Protection Board to act on user grievances.

From the time the Bill comes into force, which may happen sooner than we expect, businesses can only use, collect or store data under a valid consent, or for a recognised legitimate use. For consents to be valid, they will have to be obtained using notices which will need to be simple and precise to make sense to users, while still being descriptive enough to list how their data will be used and why. This reflects the Bill’s balance between the practical necessities of business operations and the rights of data principals in their personal data.

Cyril Shroff is Managing Partner, Cyril Amarchand Mangaldas. Views are personal, and do not represent the stand of this publication.