The fourth version of the data protection law is a leaner and simpler version compared to the previous versions of the Bill. The same simplicity of the Bill has, however, also been the source of much of its criticism. It has left many guessing and unsure of what to expect from the Bill.
INDIA has brought out a new draft data protection legislation. The fourth version of the data protection law, titled the Draft Personal Data Protection Bill, 2022 is a leaner and simpler version compared to the previous versions of the Bill.
The same simplicity of the Bill has, however, also been the source of much of its criticism. It has left many guessing and unsure of what to expect from the Bill. Most recently, a group of retired judges, civil society organisations and bureaucrats wrote to Members of Parliament raising concerns against the Bill, objecting, inter alia, to the proposed amendments to the Right to Information Act, 2005 (‘RTI Act’). This piece looks at the consent framework within the Bill and its corollary provisions, and explains some of the gaps within the Bill.
What is the consent and rights framework of the Bill?
Clause 7 of the Bill contains provisions for seeking the consent of the data principal. ‘Data principal’ is defined under the Bill to mean the “individual to whom the personal data relates.” Any person that determines the purpose and means of processing this personal data is termed a ‘data fiduciary’ under the Bill. Clause 7 confers on the data principal the right to withdraw consent, but also states that the consequences of such withdrawal are to be borne by the data principal. However, it is not clear what the Bill means by the term ‘consequences’. Further, such a rider may deter the data principal from withdrawing consent and thereby defeat the purpose of the right to withdraw consent.
Clause 8 of the Bill contains the much-criticised provision of ‘deemed consent’. As per clause 8, a data principal is said to have given consent to the processing of her personal data if the same is considered necessary. The clause provides for the necessary situations under which consent will be deemed to have been given.
Amongst other things, clause 8 contains a residuary sub-clause that provides that consent may be deemed for data processing for any “fair and reasonable purpose as may be prescribed” after taking into consideration the following: a) whether the legitimate interest of the data fiduciary outweighs any adverse effect on the rights of the data principal; b) any public interest in such processing; and c) the reasonable expectations of the data principal in the context of such processing. However, the Bill defines neither what constitutes a fair and reasonable purpose (which it leaves for future prescription by the Union Government) nor the legitimate interest of the data fiduciary.
Clause 12 provides for the right to information about the personal data collected. However, by virtue of sub-clause (3) of Clause 18, the government has the power to exempt notified data fiduciaries or classes of data fiduciaries from the purview of clause 12, thus defeating the data principal’s right to information.
The Bill also proposes an amendment to Section 8(1)(j) of the RTI Act (Clause 30 of the Bill). This can have the effect of undermining accountability and transparency. This amendment will permit refusal to disclose personal information even when such disclosure is relevant to larger public interest. It also proposes removal of the proviso to section 8 which states that the information that cannot be denied to the Parliament or a state legislature shall also not be denied to any person.
These proposed amendments could have the implication of promoting opacity in the functioning of government entities and executives, especially given the broad exemptions available to the state instrumentalities under the Bill, as discussed later.
The Bill also exempts State authorities and institutions from the requirement under Clause 9(6) that prohibits retention of personal data when either the purpose of the personal data collected is served or the retention is no longer necessary for legal or business purposes (‘purpose limitation’).
A right to consent also implies control over one’s data. The Bill fails to ensure the purpose of consent in its entirety because it does not empower the data principal with control over her data. The Bill also omits several important items of information that the notice should contain. For instance, the Bill does not require the notice to state for how long the data is to be kept. The data principal needs this knowledge to be able to effectively exercise rights such as withdrawal of consent, to retain control over her data, or to ask for updation.
Deemed consent is a concept borrowed from Singapore’s data protection law called Personal Data Protection Act, which provides for situations in which an individual is deemed by law to have given consent without giving actual consent. The explanatory note to the Bill released by the Union Ministry of Electronics and Information Technology explains deemed consent to apply in “clearly defined situations wherein insisting on consent would be counterproductive”.
However, unlike the Bill’s broad provisions for deemed consent, Singaporean law has a specific framework of deemed consent, which includes deemed consent by conduct, by contractual necessity, and by notification. It also allows for withdrawal of consent in cases of deemed consent. Its regulations on deemed consent require the data user to state the purpose of collection or use of the personal data, to notify the individual, to provide an opt-out period, and to carry out a risk assessment.
Similarly, the Australian Privacy Principles Guidelines (‘APP Guidelines’) provide for an equivalent provision called ‘implied consent’. The APP guidelines clarify implied consent to mean consent which may “reasonably be inferred in the circumstances from the conduct of the individual and the APP entity.” The APP entity is to consider the following factors to establish implied consent:
– The individual was presented with a clear and prominent opt-out option, including information on the implications of not opting out, and it was easy to exercise the opt-out option.
– The individual is likely to have received and read the information about the proposed collection, use, disclosure and the opt-out option.
– Failure to opt out does not lead to serious consequences.
– If the individual opts out later in time, she is placed in the same position as if she had opted out earlier.
The provision for deemed consent under the Bill covers a wide range of circumstances in which an individual’s data may be stored, collected and processed without their consent. This could potentially lead to a violation of one’s right to privacy.
The Supreme Court, in the landmark case of Justice K.S. Puttaswamy versus Union of India (2017), held that where the collection of personal data is likely to violate the right to privacy, the collecting entity, whether public or private, is required to fulfil the ‘test of proportionality’. As per the proportionality test, there needs to be a rational nexus between the object and the means employed to achieve that object. Further, such collection of data should follow the least intrusive method for achieving the purpose (‘data minimisation’), and the extent of the infringement caused is to be balanced against the importance of the purpose of processing the data collected. The latter is also key to the ‘principle of legitimate interest’, which is an integral principle of data protection.
As per the principle of legitimate interest, personal data should be processed while ensuring lawfulness, fairness and transparency. It is not dependent on the purpose of processing and can therefore apply to a wide range of circumstances. Consequently, it places the onus on the data fiduciary to balance the data principal’s interests, rights and freedoms against its own interest. The principle can be broken down into a three-part test:
– Purpose test: whether there is a legitimate interest for the data processing.
– Necessity test: whether the processing of data is necessary for that purpose.
– Balancing test: whether the interest of the data fiduciary for the given purpose overrides the data principal’s interests, rights or freedoms.
In order to commence the processing of the data, all three of the above need to be satisfied. While the Bill does provide for purpose limitation, it subjects the same to broad exemptions. Similarly, it does not lay out an adequate framework in adherence to the several internationally accepted integral principles of data protection explained above. This has the effect of diluting the protections and rights available to data principals under the Bill, given that the Bill also omits several crucial rights: the right to access (to be able to see how much information is held about them, for what timeframe and purpose, in which categories, and by which recipients); the right to communication (before their data is processed, data principals must be provided with information in a clear and transparent manner; the notice requirements in the Bill are inadequate to uphold this right); and the right to object (data principals can object to the processing of their personal data by the data fiduciary).
What is the notice requirement under the Bill?
Most data protection laws rest on the right of the data subject to have maximum control over their personal data. This is the fundamental basis for the exercise of the rights available to the data principal. A notice ensures that the data principal can exercise her various rights, such as the right to access, correct and delete the data, or the right to withdraw consent to the processing of her data. As a corollary, it also ensures accountability on the part of the data fiduciary.
However, a major drawback of the Bill is that it has considerably reduced the scope of information that a data fiduciary is required to provide in the notice. This is a regression from the previous version of the Bill, which further required information regarding the rights of the data principals, the grievance redressal mechanism, the retention period of information, and the source of the information collected.
Further, the notice requirements of the Bill, both in terms of when a notice is required to be given and the scope of information to be provided, fall short of ensuring many of the rights available to the data principal, such as the right to know about the data being processed and who is processing it, and the right to ask for correction, updation or deletion of one’s personal data. As researcher Trishee Goyal points out, “the DPDP Bill, 2022 seems to suppose that a notice is only to be provided to take consent of the data principal.”
For instance, Hong Kong’s data protection legislation has an extensive notification framework obliging ‘data users’ to take “all practicable steps” to ensure that the ‘data subject’ is explicitly informed on or before data collection and on or before the first use of the data. This includes information regarding the purpose of collection, to whom the data may be transferred, whether the supply of data is obligatory or voluntary, and the consequences of failure to supply the data. The notification for the first use of the data collected must inform the data subject of their right to request access to and correction of their personal data, along with the contact details of the individual handling such requests. The law also requires that personal data shall not be processed for a new purpose without the express consent of the customer. This implies that organisations are expected to process data only within the purpose and scope set out in the notice to the customer.
The Bill substantially reduces the information that a notice must mandatorily contain, bringing it down to two things: a description of the data being collected and the purpose of collection. The previous version of the Bill placed an obligation on the data fiduciary to notify the data principal on the basis of the collection of data, not on the basis of consent. The current approach of the Bill leaves a huge gap by allowing data fiduciaries, under certain circumstances, to collect data without informing the data principal about the information collected or the purpose of such collection.
As per the European Union’s General Data Protection Regulation (‘GDPR’), a person whose data is being collected is required to be informed clearly about, amongst other things, details of the organisation collecting data, for how long the data will be kept, who else might have it, whether their personal data will be transferred, and the rights of the individual such as the right to access personal data and the right to withdraw consent at any time. The Bill does not provide for many of these requirements.
The Bill enables the government to exempt certain data fiduciaries by notification based simply on the “volume and the nature of personal data” collected, notwithstanding the purpose of the data processing. Under the Bill, exempted data fiduciaries are not required to: a) comply with the notice requirements, b) ensure the accuracy of the data processed, c) comply with purpose limitation, and d) provide information under the right to information. Such a provision for exemption risks a pick-and-choose approach by the government in deciding the applicability of the Bill. In the absence of any requirement to inform the data principal in cases of exemption, there is no way to know whether data collected under the exemption has fulfilled the purpose of collection for which the exemption applied and is thus no longer necessary. There is no mechanism under the Bill to ensure accountability in cases of exemption.
For instance, under the GDPR, exemptions operate on the principle that they apply only if “it would otherwise be unfeasible to uphold the rights and principles under GDPR”. Where an exemption is relied upon, the concerned business or organisation is required to document the situation and the reasons for the reliance.
The Bill also exempts government agencies from storage limitation, which means they can continue to retain personal data for an unlimited period of time even when the purpose of processing has ceased to exist and there is no legal requirement to store the data. Exempting the government from deleting data collected despite the fulfilment of its purpose of collection goes against the principles of purpose limitation and data minimisation.