New data protection bill encompasses antitrust provisions, redefines `consent’ in digital economy

The statement of the 2023 Data Protection Bill takes cognizance of the fact that data has a huge role to play in the growth of the digital economy.

By Abir Roy and Aman Shankar (Advocates, Sarvada Legal)

The Digital Personal Data Protection Bill, 2023’ (DPDP Bill/2023 Bill) passed in the Rajya Sabha on August 9, has adopted a mature approach to regulating and protecting personal data. Adopting the 2022 version, the 2023 Bill has been formulated on the touchstone of a principle-based approach. The statement of the 2023 Bill takes cognizance of the fact that data has a huge role to play in the growth of the digital economy and therefore protection of personal data is equally important and imperative. The economic essence of the Bill and its impetus to businesses and start-ups can be gauged from the exemption provisions created in Clause 17(3) of the 2023 Bill. The Competition Act, (CA) 2002, that closely governs digital markets and activities of market participants, was similarly enacted to support the economic development of the country. The CA governs the conduct pertaining to abuse of dominant position by an enterprise as well as keeps a check on agreements or combinations which will have appreciable adverse effect on competition in the market. A closer analysis of the 2023 Bill will exhibit its correlation and overlap with the CA which businesses must be cautious about for business hygiene. In fact, Clause 6(2), 2023 Bill recognizes that consent shall be invalid even when it is taken in violation of any other law in force (for example, CA).

It is peculiar to note that the 2023 Bill regulates even partly automated processing of personal data. However, it has dropped its applicability to “profiling” activities which means any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a data principal. This can be an indication that certain classes of AI use (e.g., digital advertising) may be exempted. Similarly, the government may exempt a particular data fiduciary with verifiably safe processing activity from obligations related to parental consent and remove the prohibition on tracking, behavioural monitoring, and targeted advertisement directed at children. But, in all the situations, the antitrust law obligations, covering unfair usage and the leveraging of user data, will apply with full force, especially on the dominant entities in the digital market.

Somewhat similar to Clause 7(8), 2022 Bill, the 2023 Bill in Clause 6(1) read with Clause 5(2) provides that the consent by data principal for already concluded contracts has to be unconditional. This clause also has the potential of addressing issues related to abuse of dominant position by those platforms whose services are unavoidable/necessary in their offerings. Also, the purpose and limitation framework in seeking consent should address the issues pertaining to excessive data collection, which can simultaneously be looked into by the Data Protection Board of India and the Competition Commission of India (CCI). It is also interesting to note that competition law and privacy laws go hand-in-hand in the European Union and the ripple effect can be seen globally, including India. A very seminal European Court of Justice ruling in Case 252/21, Meta Platforms and Ors. v. Bundeskartellamt pronounced recently on July 4, 2023, stated that member state antitrust authorities can enter into the exercise of finding a violation of the General Data Protection Regulation (GDPR) while investigating a case of abuse of dominant position. It analysed several vital areas of intersection of both the laws with the crux being that certain conduct may be justified under the GDPR but can run foul under the antitrust laws.

Clause 7(a), 2023 Bill mentions the voluntary giving of personal data and non-indication of ‘no consent’ by data principal as a legitimate use case. Such an activity may be fine under the privacy law but will run foul under the antitrust law, especially in the digital market. An untrained user generally doesn’t investigate the data he/she shares, and its purpose. The situation is exacerbated with the prevalence of dark patterns for taking consent in lieu of services. This is being examined by privacy regulators as well as competition law authorities. The US Federal Trade Commission is already examining usage of ‘dark pattern’ by Amazon for enrolling consumers in Amazon Prime without consent and making the cancellation process complicated. This also comes with tricked consent to onerous conditions of sharing personal data, wherein the consent withdrawal process is complicated. Such a provision of ease in withdrawing consent can be seen in Clause 6(4) of the 2023 Bill. All these issues around consent management have propelled the need for a new set of entities called ‘consent-managers’ under the 2023 Bill, which is rare in privacy laws, globally.

Under the 2023 Bill, the liabilities are casted upon the data fiduciary (Clause 9(1)). However, the Bill gives the right to the data fiduciary to “engage, appoint, use or otherwise involve a Data Processor to process personal data on its behalf for any activity related to offering of goods or services to Data Principals only under a valid contract.” In a complex digital market structure involving marketplace service providers and sellers wherein both come together to provide users with some services, the question of who a data fiduciary is and who a data processor is, is bound to arise. The question gains more importance considering the recent antitrust cases in India wherein data, its ownership, privacy of data and sharing amongst businesses has become a contested point. Once it is determined who the data fiduciary is and who data processor is, wherein the data fiduciary has the liability and obligations under the 2023 Bill, the negotiation on indemnity clauses and other contractual clauses will be of paramount importance between the data fiduciary and the processors to secure their respective interests, in the general business framework as well. All these activities will attract antitrust principles with equal force, depending on the negotiating data fiduciary and processor. Somewhat like the commitment and settlement mechanism under the recent Competition Act 2023, the 2023 Bill also envisages the concept of voluntary undertaking under Clause 32.

Definitely, interesting times lie ahead for the start of the privacy law journey in India. The 2023 Bill is promising in its intent and approach both for individuals and businesses. The future is to observe legal compliance as a behavioural activity by every company dealing in digital data and map all the sectoral laws carefully for business compliance.

(Abir Roy is a co-founder and partner at Sarvada Legal, Aman Shankar is an Advocate in the firm)