In the age of digital transformation, the protection of personal data has become paramount. Recognizing this, governments worldwide are enacting comprehensive data protection laws to safeguard individual privacy and control over personal information. India’s response to this imperative is the Digital Personal Data Protection Act, 2023 (DPDPA). A cornerstone of the DPDPA is its consent-related provisions, which lay the foundation for how organizations collect, process, and manage personal data. Part 1 of this article series will delve into these provisions, offering a comprehensive understanding of the requirements and implications associated with consent under the DPDPA. The timeline for the DPDPA is provided below:
Background
The Digital Personal Data Protection Bill, 2023, was introduced in the Lok Sabha on August 3, 2023, by the Minister of Electronics & Information Technology. It was passed by Parliament, i.e., by the Lok Sabha on August 7, 2023, and unanimously by the Rajya Sabha on August 9, 2023, and received Presidential assent on August 11, 2023.
The previous drafts, i.e. the Personal Data Protection Bill, 2019 and the Digital Personal Data Protection Bill, 2022, having been subject to numerous amendments and laced with several issues relating to data localization, transparency, compliance intensity, etc., had been withdrawn by the Central Government (CG). The said draft came into being after the Supreme Court, in Justice K.S. Puttaswamy vs. Union of India (2017), upheld the ‘Right to Privacy’ as a part of the fundamental right, the ‘Right to Life’, enshrined under Article 21 of the Indian Constitution and suggested that the CG put in place a law for the protection of personal data.[1]
The DPDPA applies to the processing of digital personal data, which is broadly defined as data in digital form (whether collected in digital form, or in non-digital form and then digitized) about an individual identifiable by such data. The DPDPA defines three primary stakeholders, namely: the data principal[2] (Data Principal/ Principal) to whom the data relates; the data fiduciary[3] (Data Fiduciary/ Fiduciary), i.e. the person responsible for determining the means and purpose of processing a Principal’s data; and the data processors[4], who process the data on behalf of the Fiduciary.
Consent under the DPDPA
Role of Consent: Section 6 of the DPDPA deals with Consent. It obliges a Fiduciary to process a Principal’s personal data only for the specified purpose and after obtaining the consent of the Principal. Such consent has to be “free, specific, informed, unconditional, and unambiguous with a clear affirmative action”.[5] Notably, the Data Fiduciary shall not require consent to process a Principal’s data for certain “legitimate uses”, as per Section 7 of the DPDPA. These are for:
For Principals with disabilities or below eighteen (18) years of age, the DPDPA provides that their consent will be provided by their parent(s) or legal guardian.[6]
Importantly, the Data Principal has the right to withdraw their consent at any time and with the same facility with which such consent was initially given.[7] When consent is withdrawn, the DPDPA specifies that the Fiduciary must, within a reasonable time, cease, and cause its data processors to cease, processing the personal data, unless such processing is required or authorized under the DPDPA, the rules made thereunder, or any other law in India.[8]
Consent requirements via privacy notices: The DPDPA establishes that every request for consent made to a Principal must be accompanied or preceded by a notice[9], provided by the Fiduciary, informing the Principal about:
When seeking consent from a Data Principal, the DPDPA highlights that the request must be clear and in plain language, and must include the contact details of a Data Protection Officer (“DPO”), where applicable, or of any other person authorized by the Data Fiduciary to respond to any communication from the Data Principal. Lastly, the Data Fiduciary must be able to prove that a privacy notice was issued to the Data Principal and that their consent was obtained.
Consent managers: A noteworthy aspect of the DPDPA relates to the concept of a ‘consent manager’: an individual to whom the Data Principal may give, manage, review, or withdraw their consent.[10] Consent managers must be registered with the Data Protection Board[11] and thereafter have the ability to act as a single point of contact to enable the Principal to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform. However, the DPDPA emphasizes that the consent manager must be accountable to the Data Principal and act on their behalf.[12]
Conclusion
The DPDPA represents a significant milestone in India’s data protection landscape, with its consent provisions at the forefront. These provisions, outlined in Section 6 of the DPDPA, establish a robust framework for obtaining and managing consent from data principals. They emphasize the importance of free, specific, informed, unconditional, and unambiguous consent, ensuring Principals have control over their personal data. Moreover, the DPDPA introduces innovative concepts such as consent managers, registered with the Data Protection Board, to facilitate seamless consent management. With its passage and Presidential assent, the DPDPA sets a vital precedent for data protection in the digital age, aligning India with global data privacy standards and reinforcing individual rights.
In Part 2 of this series, we discuss the implications of a consent-based approach in safeguarding a Data Principal’s data in the light of major global data protection regulations. Further, we discuss whether the adoption of a consent-centric approach by India justifies the earlier envisioned Osaka Agreement by world leaders during 2019’s G20.
Corrida Legal is consistently rated as the best corporate and data protection law firm in Gurgaon, Delhi and Mumbai. Reach out to us on LinkedIn or contact us at contact@corridalegal.com /+91-8826680614 in case you require any legal assistance.
[1] Para 178, K.S. Puttaswamy and Anr. vs. Union of India ((2017) 10 SCC 1).
[2] Section 2(j) of the Digital Personal Data Protection Act, 2023.
[3] Section 2(i) of the Digital Personal Data Protection Act, 2023.
[4] Section 2(k) of the Digital Personal Data Protection Act, 2023.
[5] Section 6(1) of the Digital Personal Data Protection Act, 2023.
[6] Section 9(1) of the Digital Personal Data Protection Act, 2023.
[7] Section 5(5) of the Digital Personal Data Protection Act, 2023.
[8] Section 6(6) of the Digital Personal Data Protection Act, 2023.
[9] Section 5 of the Digital Personal Data Protection Act, 2023.
[10] Section 2(g) of the Digital Personal Data Protection Act, 2023.
[11] Section 2(c) of the Digital Personal Data Protection Act, 2023.
[12] Section 6(8) of the Digital Personal Data Protection Act, 2023.