India: Notice And Consent Requirements In India's New Digital Data Regime

Given the imminence of India's refurbished digital data framework, and in light of the diversely innovative ways in which personal data is collected and/or processed these days on account of new technologies and platforms – 'notice' and 'consent' requirements have assumed additional importance.

In this note, we address some of those aspects, especially with reference to the current draft of India's Digital Personal Data Protection Bill, 2022 ("DPDP") and the EU's General Data Protection Regulation ("GDPR"). In the next note, we will focus on the idea of 'deemed consent' under DPDP.

Consent

Article 4(11) of GDPR defines 'consent' as a "freely given, specific, informed and unambiguous indication" of an individual's wishes by which they signify agreement to the processing of their personal data through a statement or clear affirmative action.

While Section 7(1) of DPDP defines 'consent' similarly, it expressly adds the element of a 'specified purpose'. In other words, the purpose for which the personal data of an individual will be processed needs to specified in the notice given to them while seeking their consent.

This element is present in GDPR too, specifically in Article 6 when it states that processing shall be lawful only if, and to the extent that, either one of the following applies: (1) it is necessary for certain specified reasons and/or purposes (see Article 6(1) (b)-(f), GDPR); or (2) the concerned individual has given their consent for one or more specific purposes.

Article 7(1) of GDPR further clarifies that when processing is based on consent (as opposed to stemming from necessity), it is the data controller (i.e., the person seeking an individual's consent for processing, similar to a 'data fiduciary' under DPDP) who is required to demonstrate that such consent had indeed been given. Similarly, Section 7(9) of DPDP states that when a question about the giving of consent arises in a proceeding, the data fiduciary will be required to prove that: (i) it had provided appropriate notice, and (ii) consent had been obtained pursuant to such notice.

Notice

Section 6 of DPDP deals with 'notice' requirements. For instance, during, or prior to, requesting an individual for consent, a data fiduciary is required to give them, in clear and plain language, an itemized notice that contains a description of the personal data sought to be collected, as well as the purpose of processing such data. Such a notice can be: (i) a separate document, (ii) an electronic form, or (iii) a part of the same document through which personal data is sought to be collected. Alternatively, it could be in some other form as may be prescribed by regulation.

This is similar to GDPR's Article 7 where it specifies that in the event of an individual giving their consent in the context of a written declaration which also concerns other matters, a 'request for consent' is required to be presented in a manner that is clearly distinguishable from such other matters. Further, this request must be in an intelligible and easily accessible form, using clear and plain language. While Article 7(2) also states that any part of such a declaration which constitutes an infringement of GDPR will not be binding, Section 7(2) of DPDP similarly specifies that any part of a required consent which constitutes an infringement of DPDP's provisions will be invalid to the extent of such infringement.

Withdrawal of Consent

While Article 7(3) of GDPR states that an individual will have the right to withdraw their consent at any time, Section 7(4) of DPDP provides the same right. However, DPDP additionally qualifies such right by stating that the consequences of withdrawal will be borne by the individual concerned. The meaning of this qualification, while similar to ones contained in earlier versions of DPDP, is not clear.

For instance, Clause 11(6) of the Personal Data Protection Bill, 2019 ("PDP 19") – a previous iteration of DPDP – had stated: "Where the data principal withdraws his consent from the processing of any personal data without any valid reason, all legal consequences for the effects of such withdrawal shall be borne by such data principal" (emphasis supplied).

Meanwhile, Clause 12(5) of the Personal Data Protection Bill, 2018 ("PDP 18") – an even earlier version of DPDP – had contained a slightly different formulation: "Where the data principal withdraws consent for the processing of any personal data necessary for the performance of a contract to which the data principal is a party, all legal consequences for the effects of such withdrawal shall be borne by the data principal" (emphasis supplied).

PDP 18 had clarified that only a specific type of withdrawal with respect to a previously given consent could lead to a situation where the consequences of withdrawal would be borne by the 'data principal' (i.e., the person associated with the underlying data). Specifically, it needed to involve the processing of such personal data that was necessary for the performance of a contract. In other words, consent for processing personal data was not intended to be asked for (or given) with respect to performing contractual obligations – which could involve things like paying for goods and services.

Article 6(1)(b) of GDPR conveys a similar idea. Based on a plain reading of this provision, if someone orders for a product on an online platform, the website would be justified in processing their personal data –such as in respect of name, delivery address, debit card number, etc. – under a contractual necessity to facilitate home delivery. In such a situation, the website or platform would need to justify that its obligations under the contract could not be performed without processing the personal data of the purchaser.

Further in this regard, Recital 43(2) of GDPR, dealing with freely given consent, states that consent is presumed to not be freely given if the performance of a contract, including the provision of a service, is dependent on such consent despite it not being necessary for contractual performance.

Accordingly, whereas Article 7(4) of GDPR specifies that 'utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract,' Section 7(8) of DPDP states that the performance of any contract which has already been concluded between a data fiduciary and a data principal will not be made conditional on consent to the processing of personal data that is not necessary for such purpose.

In addition, GDPR and DPDP mirror each other when they clarify that: (i) the withdrawal of consent will not affect the lawfulness of processing based on consent given before such withdrawal; and (ii) the ease of withdrawing, and providing, consent, respectively, should be comparable (see Article 7(3), GDPR and Section 7(4), DPDP).

Nevertheless, where GDPR requires the data subject to be specifically informed about the giving of consent before it is given, DPDP has no exact equivalent.

Consent Manager

Importantly, DPDP includes the idea of a 'consent manager'. A consent manager is supposed to enable an individual to give, manage, review, and withdraw consent through an accessible, transparent, and interoperable platform (see Section 7(6), DPDP). Further, this entity will be accountable to, and need to act on behalf of, the data principal. Accordingly, every consent manager is required to register with the Data Protection Board of India ("DPBI"), subject to technical, operational, financial, and other conditions as prescribed. While PDP 18 did not deal with the concept of a consent manager, Clause 23 of PDP 19 had introduced this idea into proposed legislation, which DPDP has continued with.

Earlier, a report on a free and fair digital economy, submitted by a government-constituted expert committee in July 2018 (the "Expert Committee", and such report, the "EC Report") had discussed the advisability of having a 'consent dashboard' which could enable data principals to keep track of consents in real time. Among other potential models discussed in the EC Report, one was where data principals have access to a dashboard operated by a third entity to manage all data fiduciaries they deal with. However, it was found that such a single point dashboard – albeit more convenient from the perspective of data principals – would require significant interoperability (i.e., the ability of different systems, devices, applications, and products to connect and communicate in a coordinated way, without effort from the end user).

The Expert Committee had also looked into the idea of an aggregator that tracks consents – i.e., an entity that stores only the fact that various consents have been provided by a data principal with respect to different data fiduciaries. Thus, such an aggregator would not ordinarily store the actual data. Eventually, the EC Report recommended that consent dashboards could be introduced in India incrementally. While the approach where a data fiduciary controls its own dashboard could be an initial step, a central dashboard that coordinates with various data fiduciaries may be introduced either sector-wise or universally, over a period of time.

A revised iteration of PDP 19 called the 'Data Protection Bill, 2021' ("ProposedDP Act") – which formed part of a joint parliamentary committee's report on PDP 19 (see handwritten p. 463 onwards) – had dealt with the concept of consent managers too. Pursuant to the Proposed DP Act, consent managers were envisaged as data fiduciaries registered with a data protection authority, providing interoperable platforms to aggregate consents from a data principal. Data principals, in turn, could provide their consents to consent managers for the purpose of sharing their personal information with various data fiduciaries. Further, data principals could even withdraw consents through such consent managers.

Analysis and Suggestions

The Proposed DP Act, which – unlike DPDP – included the concept of 'sensitive' personal data, had also specified that such data could only be processed with the explicit consent of data principals. Thus, the Proposed DP Act required such consents to be additionally obtained after informing the data principal about the purpose of processing – which, in turn, was likely to cause them significant harm. Further, such a consent had to be conveyed in clear terms such that it could be plainly understood without referring to surrounding conduct or context. Furthermore, such consents would be valid only if they were issued pursuant to a choice given about providing separate consents for different purposes with respect to different categories of sensitive personal data. Accordingly, it appears that requirements related to consent have been diluted under DPDP relative to the Proposed DP Act.

Nevertheless, under DPDP, the 'notice' requirement under Section 6 could be made mandatory in the future even in cases of non-consensual data processing (e.g., in cases of 'deemed' consent under Section 8(1); for a discussion on deemed consents, please see the next note of this series). For instance, under GDPR, even when personal data has not been obtained from 'data subjects' themselves (the GDPR equivalent of data principals), Article 14 requires a comprehensive list of information to be provided – such as the source from which a piece of personal data originates (including whether it came from publicly accessible sources). Further, in such cases, the 'controller' – i.e., the GDPR equivalent of a data fiduciary – is required to provide the necessary details within a reasonable period after obtaining the data. Similarly, in India, the Proposed DP Act had required the data fiduciary to provide notice to the data principal at the time of collecting their personal information – even if such information was not being collected from the data principal directly. However, DPDP in its current form does not appear to require a notice to data principals when their consents are not necessary to process data.

Notice

Section 6(1) of DPDP requires the necessary 'notice' to contain a description of: (i) the personal data sought to be collected, as well as (ii) the purpose of processing such data. Accordingly, extending the notice obligation to instances of 'deemed consent' (under Section 8) may ensure a 'purpose limitation' with respect to the collected information. In fact, earlier iterations of DPDP, despite not contemplating situations of deemed consents, nevertheless contained specific provisions on purpose limitation (e.g., Clause 5 of PDP 18).

Alternatively, an additional requirement could be introduced in DPDP such that a data fiduciary may be required to provide a new notice every time the purpose of data processing suffers a change. For instance, Article 13(3) of GDPR specifies that when a controller intends to process personal data for a purpose other than that for which it was collected, such controller is required to provide the data subject with information on the 'other' purpose, along with any other relevant information (prior to further processing). In addition, exceptions from notice requirements under DPDP could be limited in the future by conditions of necessity and/or situations where the legitimate purpose of data processing is rendered impossible (or stands frustrated) on account of notice requirements. However, Section 12 of DPDP does give every individual the right to obtain: (1) confirmation from a fiduciary about whether their data is being, or has been, processed; (2) a summary of such data and processing activities undertaken; (3) a consolidated list of all other data fiduciaries with which such data has been shared. After all, in cases where a data principal's consent has been obtained, Section 9(9) of DPDP allows a data fiduciary to share, transfer, or otherwise transmit the underlying data to any other fiduciary or processor – as long as such transmission occurs pursuant to a valid contract.

Further, Section 6(1) of DPDP, as it presently stands, only requires disclosures on: (i) the description of personal data which is to be processed; and (ii) the purpose of processing – along with mandatory disclosures in clear and plain language through an itemized notice during or before requesting an individual for consent. On the other hand, GDPR – over and above Article 7 (which deals with 'conditions for consent') – imposes stricter disclosure obligations on controllers (see Article 12(1)). Further, while GDPR requires such information to be provided free of charge and in writing (or by other means, including in electronic form where appropriate), the information may be provided orally as well, pursuant to a request made by the data subject (provided that the data subject's identity is proven by other means).

In addition, even though DPDP's Section 7(3) separately requires the data fiduciary to disclose the contact information of its officers who are (or will be) responsible with regard to the underlying data while presenting each request for consent, various other items of information could be incorporated in the future under DPDP as well – in addition to the existing list of disclosures to be made to data principals under Sections 6 (notice) or 7(3) (requests for consent).

For instance, sub-articles (1) and (2) of GDPR's Article 13 ('Information to be provided where personal data are collected from the data subject') contain an elaborate list of requirements, which includes items that are not currently present in DPDP. Such additional items may include details related to the following:

• The legal basis for processing the data in question
• The legitimate interests pursued by the controller or by a third party when such processing is necessary for a particular purpose
• The recipients (or categories of recipients) of the personal data
• The fact that the controller intends to transfer personal data to a third country or to an international organization, along with the existence (or absence) of adequacy decisions and/or appropriate safeguards – as well as the means by which a copy of such decisions/safeguards may be obtained or otherwise reviewed
• The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
• The existence of a right to request the controller for access to, or rectification/erasure of, the personal data
• The existence of a right to request the controller to restrict data processing
• The existence of a right to object to data processing
• The existence of a right to data portability
• The existence of a right to withdraw consent at any time – along with the fact that consents provided before withdrawal will remain lawful
• The right to lodge a complaint with a supervisory authority
• Whether providing personal data is a statutory or contractual requirement
• Whether providing personal data is a necessary requirement to enter into a specific contract
• Relatedly, whether the data subject is obliged to provide their personal data, and the possible consequences of not providing such data
• The existence of automated decision-making (including profiling), along with relevant information about the reasons for such type of data processing, as well as the significance and consequences for the data subject in that regard.

Similar to GDPR's Article 13, earlier iterations of DPDP had also required comprehensive disclosures to be made in notices – much more than what DPDP requires at present. For instance, Clauses 8(1)(a) - (n) and 7(1)(a) – (n) of PDP 18 and PDP 19, respectively, had required a data fiduciary to provide each individual with a GDPR-like list of information during or prior to collecting personal data. Alternatively, if the information was not being collected from data principals themselves, the data fiduciary was nevertheless obliged to disclose such information as soon as was it reasonable/practical to do so. The Proposed DP Act, too, required more elaborate disclosures. However, DPDP appears to have simplified the format significantly.

Concluding Thoughts

Despite palpable dilutions over time, disclosure requirements with respect to a Section 6 notice for obtaining a Section 7 consent before processing personal data could be enlarged upon under DPDP in the future.

Such enlarged mandate could include information about the permissibility of withdrawing consent, the consequences of not providing such consent, the source of collection, the entities with which such data may be shared, the storage period, as well as other elements. Further, if the notice relates to sensitive data, the information requirements at the time of providing notice may also be expanded upon, especially as the data protection regime in India evolves over time.

While Article 4(12) of GDPR defines a 'personal data breach' to include the accidental or unlawful destruction, loss, alteration, unauthorized disclosures of (or access to) personal data during transmission, storage, or processing – Section 2(14) of DPDP contains a somewhat similar definition. In addition, the legal requirements which get triggered when a breach occurs – such as those listed in GDPR under Article 33 ('Notification of a personal data breach to the supervisory authority') and Article 34 ('Communication of a personal data breach to the data subject') are similarly addressed in DPDP.

For instance, DPDP's Section 9(5) states that in the event of a personal data breach, the data fiduciary or the data processor, as applicable, will be required to notify the DPBI and each affected data principal. However, while GDPR's Articles 33 and 34 lay down explicit guidelines about how to comply with notifications/communications when such a data breach occurs, Section 9(5) of DPDP merely states that these notifications will need to be made in a prescribed form and manner – the details of which will presumably be issued later.

This insight/article is intended only as a general discussion of issues and is not intended for any solicitation of work. It should not be regarded as legal advice and no legal or business decision should be based on its content.