DPDP Bill, 2022: Personal data processing now primed with ‘deemed consent’, and other changes

Digital Personal Data Protection (DPDP) Bill, 2022 has been announced with new provisions on withdrawing consent, and on ‘deemed consent’

Key takeaways:

  • Personal data can be processed for a “lawful purpose” which is any purpose not forbidden by law
  • Government introduces ‘deemed consent’ in case of public interest or any law
  • Data can now be retained for “legal or business purposes”
  • Data fiduciaries to give itemised notice before requesting a Data Principal’s consent to process personal data

The Government of India came out with the fourth version of the data protection Bill, now dubbing it the Digital Personal Data Protection Bill, 2022. In this version, the Bill brings back the “lawful purpose” of personal data processing and introduces deemed consent and a consent manager, among other changes.

The feedback on this draft Bill “in a chapter wise manner” can be sent by December 17, 2022 using the MyGov website shared by the government. The notice also specified that “no public disclosure of the submissions will be made.”

Definitions as per the new Bill

The new Bill uses the following terms:

Data Fiduciary: Any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;
Data Principal: The individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child;
Data Processor: Any person who processes personal data on behalf of a Data Fiduciary;
Data Protection Officer: An individual appointed as such by a Significant Data Fiduciary under the provisions of this Act

Changes in obligations of data fiduciaries

Bringing back lawful purpose in processing data: The framing for the Clause on personal data processing was rephrased again. It reintroduced the term “lawful purpose” from the 2019 version, clarifying that the same is “any purpose which is not expressly forbidden by law.” In the new Bill, it now reads:

“A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and Rules made thereunder, for a lawful purpose for which the Data Principal has given or is deemed to have given her consent in accordance with the provisions of this Act.”

Lalit Panda, Senior Resident Fellow at Vidhi Centre for Legal Policy, pointed out in a Twitter thread that the Bill removed explicit mention of purpose specification, limitation, safeguards for sensitive personal data, most of which are “core obligations.”

Bill introduces ‘deemed consent’: The Bill adds a new clause under which a data principal is “deemed” to have consented to the processing of their personal data:

“for the performance of any function under any law, or the provision of any service or benefit to the Data Principal, or the issuance of any certificate, license, or permit for any action or activity of the Data Principal, by the State or any instrumentality of the State;

“for the purposes related to employment, including prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information, recruitment, termination of employment, provision of any service or benefit sought by a Data Principal who is an employee, verification of attendance and assessment of performance;

“in public interest”

The latter condition is then further elaborated to cover cases of:

“(a) prevention and detection of fraud;
(b) mergers, acquisitions, any other similar combinations or corporate restructuring transactions in accordance with the provisions of applicable laws;
(c) network and information security;
(d) credit scoring;
(e) operation of search engines for processing of publicly available personal data;
(f) processing of publicly available personal data; and
(g) recovery of debt;
(9) for any fair and reasonable purpose as may be prescribed after taking into consideration”

Panda said that deemed consent was essentially the same as “non-consensual grounds” of processing data. He also mentioned that this clause conflicts with consent withdrawal provisions.

Data can be retained for legal or business purposes: The Bill states that a Data Fiduciary must cease to retain personal data, or remove the means by which the personal data can be associated with particular Data Principals, if “retention is no longer necessary for legal or business purposes.”

As an example, the Bill talks about how banks are required to retain personal data of customers for a period beyond six months, under KYC rules. In such a case, a bank “may retain” Person ‘A’s’ personal information, collected while opening an account, even after the person closes said account. This is because the KYC rules will serve as a “legal purpose” to retain data.

Panda was worried that this made data retention “porous.”

Data Fiduciary to give itemised notice beforehand: Before getting a Data Principal’s consent, a data fiduciary will have to give an itemised notice describing in clear language the personal data sought to be collected and the purpose of processing of such personal data. However, Panda pointed out this only applies to consent. What happens in case of deemed consent?




Purpose Limitation 

What the 2018 Bill said: Personal data will be processed only for:

  • Clear, specific, lawful purposes; 
  • Specified or incidental purposes that the data principal would expect given the context in which the data was collected.

What the 2019 Bill said: The Bill was revised to say that personal data processing is prohibited except for specific, clear, lawful purposes. In case the data is processed, it must be done:

  • In a fair and reasonable manner that ensures the privacy of the data principal
  • For the purpose consented to or anticipated by the data principal

What the 2021 Bill said: The Joint Parliamentary Committee felt the previous framing on prohibition had “a negative connotation” and changed it to “the processing of personal data by any person shall be subject to the provisions of this Act and the rules and regulations made thereunder”.

Similarly, the Committee added the expression “or which is for the purpose of processing of personal data under section 12” in sub-clause 5(b) of the 2019 Act. It felt that the limitations of purpose must be understood in the “context of the purpose.” It also noted there was no mention of grounds for processing data without consent.

Collection Limitation

What the 2018 Bill said: Personal data collection will be limited to data necessary for processing.

What the 2019 Bill said: Language was refined. It read, “The personal data shall be collected only to the extent that is necessary for the purposes of processing of such personal data.”

What the 2021 Bill said: Provision unchanged.

Lawful and Consent-Based Data Processing

What the 2018 Bill said: Under the “lawful processing” provision, personal data and sensitive personal data will only be processed on the basis of the grounds laid out in Chapters III and IV of the Act respectively. 

What the 2019 Bill said: The “lawful processing” provision was deleted. 

Instead, a new provision was inserted on “consent necessary for processing of personal data”. It read, “The personal data shall not be processed, except on the consent given by the data principal at the commencement of its processing.” It also stated that consent will be invalid unless it is free, informed, clear, specific, and capable of being withdrawn.

For sensitive personal data processing, explicit consent would be obtained after clearly informing the data principal of the purpose for processing that is likely to cause significant harm. 

Additionally, the provision of goods or services, performance of contracts, or enjoyment of legal rights or claims will not be conditional on consenting to personal data processing not necessary for that purpose.

The burden of proof that the data principal has explicitly consented lies with the data fiduciary. The data principal will bear the legal consequences if they withdraw consent without any valid reason.

What the 2021 Bill said: Provision of goods, services, etc., will additionally not be “denied based on exercise of choice”.

  • JPC Rationale: None provided.

The Committee rephrased the Clause specifying action against data principal for withdrawing consent sans reasoning. It read, “Where the data principal withdraws his consent without any valid reason, the consequences of the same, shall be borne by such data principal.”

  • JPC Rationale: To remove redundancies and superfluous phrases. 

Notices

What the 2018 Bill said: The data fiduciary should provide the data principal with certain information on: 

  • Purposes for data processing; 
  • Categories of data collected; 
  • Identity and contact details of the data fiduciary and data protection officer;
  • Basis for processing data under Sections 12-17 and 18-22 (and consequences of failing to provide such data);
  • Source of data collection, if the personal data is not collected from the data principal;
  • Individuals or entities with whom personal data may be shared;
  • Potential cross-border transfers of personal data; 
  • Period of data retention (if unknown, criteria for determining this period must be conveyed);
  • Right to withdraw consent and the procedure to do so, existence of and procedure for exercising data principal rights (in the case of consent-based processing);
  • Procedure for grievance redressal, existence of a right to file complaints to the Data Protection Authority
  • “Data trust scores” assigned to the data fiduciary;
  • Other information specified by the Authority.

Issuing a notice is not applicable if it “substantially prejudices” data processing under Sections 15 or 21 (processing of personal data and certain categories of sensitive personal data for “prompt action”).

What the 2019 Bill said: Basis for processing data under Sections 12-14 must be provided, and there will be consequences of failing to provide such data. Issuing a notice is not applicable if it would “substantially prejudice” data processing under Section 12. 

Section 12 contains provisions for processing personal data without consent, Section 13 for processing related to “employment, etc”, and Section 14 for processing for “other reasonable purposes”.

What the 2021 Bill said: Barring minor phrasing changes, the provision remained the same.

Sharing, transfer of personal data

What the 2018 Bill said: The fiduciary shall “take reasonable steps to ensure that personal data processed is complete, accurate, not misleading and updated”. In doing so, it should keep in mind whether the personal data:

  • Will be used to make a decision about the data principal;
  • Will be disclosed to other individuals or entities;
  • Will be kept in a form distinguishing personal data based on facts, opinions, or personal assessments.

When disclosing personal data that is incomplete, inaccurate, misleading, or outdated to other individuals or entities, the fiduciary shall take “reasonable steps” to notify them of this.

What the 2019 Bill said: Provision remained the same. 

What the 2021 Bill said: Notification in the event of incomplete data disclosures will not apply if doing so prejudices processing personal data without explicit consent.

  • JPC Rationale: Failing to have such a provision “may create hurdles in the smooth functioning of government agencies processing personal data”.

A new provision states “a data fiduciary may share, transfer or transmit the personal data to any person as part of any business transaction in such manner as may be prescribed”. The provision will not apply if it prejudices processing personal data without consent.

  • JPC Rationale: This will “curb the seamless sharing, transfer or transmission of data between various entities and individuals especially under the garb of services.”

Data Storage Limitation

What the 2018 Bill said: Personal data will be retained for as long as is necessary for the purpose-based processing. It may be retained for longer if explicitly mandated, or necessary for legal compliance. Data fiduciaries must periodically review whether it is necessary to retain it—if unnecessary, it should be deleted.

What the 2019 Bill said: The Bill revised certain provisions, namely:

  • Personal data will be retained for as long as is needed for processing, and be deleted at the end of processing;
  • It may be retained if “explicitly consented to by the data principal,” or if necessary for legal compliance.

What the 2021 Bill said: “The data fiduciary shall not retain any personal data beyond the period necessary to satisfy the purpose for which it is processed and shall delete the personal data at the end of such period”.

  • JPC Rationale: The revision will help “the functioning of agencies which process the collected data multiple times for welfare purposes.”

Written with inputs from Aarathi Ganesan 

Note: This story was updated at 3:50 PM on November 19, 2022 with the link to send feedback to the government.

Note: Story updated at 2:27 PM on December 1, 2022, to correct grammatical errors. 


This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Name:*
Your email address:*
*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ