India’s Digital Personal Data Protection Act - 2023 and Consent Mechanism

POSTED ON DECEMBER 1, 2023 BY DATA SECURE

Introduction

In the dynamic realm of digital interactions, the safeguarding of personal data has emerged as a critical concern globally. Governments around the world are responding to this pressing need by enacting comprehensive data protection laws, and India has stepped into this arena with the introduction of the Digital Personal Data Protection Act, 2023 (DPDPA). This ambitious legislation is the result of years of conceptualization, addressing a crucial gap that existed in India's regulatory framework.

Data Rights

Historically, India lacked a standalone legislation specifically addressing the intricate dimensions of personal data collection, usage, protection, and privacy rights. The Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, governed aspects of data handling, but a comprehensive and overarching law was absent. The DPDPA aims to rectify this gap, providing a framework that encompasses the rights and obligations of both data principals and data fiduciaries. As the Act ushers in this new era of data protection, it is important to note that the full scope and nuances will become clearer with the issuance of rules and the operationalization of the Board. These subsequent developments will provide more clarity on the implications of the Act, offering guidance on compliance and interpretation.

In this age of digital transformation, where information is a valuable currency, the DPDPA highlights the significance of protecting personal data. This blog will specifically unravel the intricacies of the Act's consent-related provisions, which form the bedrock of how organizations navigate the collection, processing, and management of personal data in the evolving digital landscape.

UNDERSTANDING CONSENT

At the core of the DPDP Act lies the pivotal concept of 'consent.' The principle of consent-based processing is a fundamental goal aimed at strengthening the rights of individuals in an age marked by rapid technological progress. Consent is the explicit permission granted by individuals, allowing the collection, processing, and sharing of their personal data. The Act places considerable emphasis on securing valid and informed consent, deeming it a fundamental prerequisite for any data-related activities.

The Act describes two ways in which personal data of data principals may be processed:

  • Firstly, with the explicit consent of the data principal, and
  • Secondly, when the data is processed for the specific purpose for which it was obtained and for certain legitimate uses.

CONSENT MECHANISM IN THE DPDP ACT -

1. EXPLICIT CONSENT -

The significance of consent under the DPDPA is outlined in Section 6, which emphasizes the responsibility of a Fiduciary to process a Principal's personal data solely for a specific purpose and with the prior consent of the principal. The consent required for processing personal data under the Act is characterized by being free, specific, informed, unconditional, and unambiguous, with a clear affirmative action. These qualitative features signify that consent is not merely a checkbox but an agreement indicating the willingness of the individual to allow the processing of their personal data for a specified purpose, limited to the data necessary for that purpose.

a. Consent should be freely given – The Act requires the consent to be freely given. It should be voluntarily provided, without coercion, deception, or undue influence. This implies that individuals must genuinely have the freedom to decide whether to grant consent for data processing or not.

b. Consent should be specific - Consent must be directed toward a particular purpose exclusively. Any consent acquired from a data principal should be explicit and not unclear or cryptic. It should be directly related to the specific purpose for collecting and using personal data, ensuring individuals have a clear understanding of the extent of data processing.

c. Consent should be informed – The Act requires data fiduciaries to ensure that individuals fully comprehend how their personal data will be collected, used, and shared before granting consent. The request should contain clear and accessible information covering the purpose, scope, data retention, data sharing with third parties, and the rights the individuals have.

d. Notice – The Act requires a notice to precede or accompany every consent request to inform the data principal about the personal data, processing purposes, and avenues for withdrawing consent or addressing grievances. To obtain consent, the data fiduciary must present a notice specifying the personal data, processing purposes, complaint process to the Data Protection Board, method of exercising rights, and contact details of the Data Protection Officer.

e. Notice in Multiple Languages - The notice and consent process must be conveyed in clear language, allowing data principals the choice to access the information in English or any of the 22 regional languages listed in the Eighth Schedule of the Constitution of India.

CHILDREN’S CONSENT -

The DPDP Act places specific emphasis on protecting the privacy of children in the digital space. Section 2(f) of the Digital Personal Data Protection Act, 2023, defines a 'child' as an individual who has not yet reached the age of eighteen years. Section 9 introduces measures to obtain verifiable consent from parents or lawful guardians before processing the personal data of children or persons with disabilities. The Act prohibits data fiduciaries from tracking, behavioral monitoring, or targeted advertising directed at children, extending these restrictions to all types of data fiduciaries. This reflects the Act's commitment to safeguarding children's digital well-being. Furthermore, the Act establishes clear obligations for data fiduciaries when processing children's data, ensuring that such processing does not cause any detrimental effect on the well-being of the child.

CONSENT MANAGERS -

Consent Managers play a crucial role in empowering data principals to exercise control over their consent preferences. These managers, if chosen by data principals, offer a transparent and interoperable platform for providing, managing, reviewing, or withdrawing consent. It is mandatory for every consent manager to be registered with the Board, ensuring accountability to the data principal. Additionally, consent managers must furnish readily available means for data principals to address grievances and are subject to penalties for non-compliance with their obligations or any breach of registration conditions. The DPDPA further emphasizes that the consent manager must be accountable to the Data Principal and act on their behalf.

WITHDRAWAL OF CONSENT -

The Act acknowledges the right of the data principal to withdraw their consent. This process, as mandated by the Act, should be as straightforward as the initial consent collection. Withdrawal does not impact the legality of data processing that occurred before consent was withdrawn. The data fiduciary is obligated to promptly halt the processing of the data principal's personal data. Although the Act doesn't specify what counts as a reasonable time, it is advisable for the data fiduciary to initiate and document the steps taken for data erasure immediately upon consent withdrawal. The ease of withdrawing consent is crucial, and once consent is withdrawn, the data fiduciary must cease processing the personal data within a reasonable time or delete it, unless retention is required by law. The data principal bears the consequences of consent withdrawal.

2. CERTAIN LEGITIMATE USES -

Section 7 of the DPDPA stipulates that certain "legitimate uses" do not necessitate explicit consent for processing a Principal's data. It narrows down the circumstances under which organizations can process personal data without explicit consent.

Under the DPDP Bill, companies or data fiduciaries can process personal data for the specified purpose for which the individual voluntarily provided the data, unless the individual explicitly withholds consent. For instance, in the context of employment, details shared by an employee and data related to their immediate employment fall under legitimate use, eliminating the need for additional consent unless the data is processed for a purpose beyond the individual's employment.

While personal data processing generally requires lawful consent, the DPDP Act introduces exemptions for specific legitimate uses. Consent is not mandatory for scenarios such as voluntary data sharing, processing by the State for permits, licenses, benefits, services, fulfillment of legal obligations, medical emergencies, health services, public order breakdowns, and employment-related data.

The Act permits data processing based on specific legitimate uses as an alternative to explicit consent, outlining instances where consent is not mandatory. Legitimate uses include processing data when users voluntarily provide information, issuance of benefits, certificates, licenses, responding to emergencies, and fulfilling obligations under the law. While the concept of 'Certain Legitimate Use' is relatively new, its interpretation and application by organizations may vary, and legal rulings in specific cases could provide further clarity on its scope and application.

EXCEPTION TO CONSENT -

Under section 17, in specific situations, there are exceptions outlined in data protection regulations where the explicit consent of individuals may not be required for data processing. These exceptions are not exhaustive but may include scenarios such as:

  • Investigation of Offences: In cases involving the investigation of criminal offenses, especially where law enforcement agencies are involved, obtaining individual consent may not be a prerequisite for processing relevant data. This exception allows authorities to carry out necessary inquiries and procedures without seeking explicit consent from the individuals involved.

  • Processing for Scheme of Compromise or Merger or Amalgamation: During corporate activities like mergers, amalgamations, or compromise schemes, the processing of personal data may be involved for legal, administrative, or business purposes. In these instances, obtaining consent may not be mandatory, allowing organizations to manage the complexities of such transactions without requiring individual consent.

  • Detecting Financial Frauds: When it comes to the detection of financial frauds, such as fraudulent transactions or activities that may compromise financial integrity, the need for immediate investigation and preventive measures takes precedence.

RIGHTS OF THE DATA PRINCIPAL -

The DPDP Act upholds and builds upon existing rights for Data Principals, emphasizing that these rights are applicable only when processing is based on consent. These rights include -

(i) Right to obtain information about processing which includes -

a. a summary of personal data which is being processed by such Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data;

b. the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and

c. any other information related to the personal data of such Data Principal and its processing, as may be prescribed.

(ii) Right to seek correction and erasure of personal data - A Data Principal shall have the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent.

(iii) Right to nominate another person to exercise rights in the event of death or incapacity.

(iv) Right to grievance redressal – A data principal shall have the right to report in case of any violations of their data privacy rights.

CONCLUSION -

In conclusion, the Digital Personal Data Protection Act (DPDPA) represents a pivotal step in India's commitment to safeguarding data. With a strong focus on consent mechanisms, particularly outlined in Section 6, the DPDPA establishes a comprehensive structure for ensuring individuals have control over their personal data. The introduction of innovative concepts like consent managers and the emphasis on 'legitimate use' showcase a dedication to global data privacy standards.

By emphasizing transparency, accountability, and user consent, India's data protection framework not only aligns with global standards but also paves the way for a more secure and respectful digital environment. As users, it is imperative to stay informed about our rights and responsibilities under this legislation, promoting a culture of digital awareness and respect for privacy in the vast evolving landscape of the internet.
