By Vinay Narayan
While the release of the Digital Personal Data Protection Bill, 2022 (DPDPB) is welcome, given that India does not have a data protection law at all as yet, the DPDPB carries forward some concerning provisions from the previous Personal Data Protection Bill, 2021 (PDP). One such provision is that of ‘Deemed Consent’ (S. 8 of the DPDPB), which sets out situations where the consent of the data principal for processing of her data is assumed, and does not need to be explicitly sought. Deemed consent is usually determined by courts based on the circumstances of a case and the actions of parties involved.
At the outset, it must be noted that the reliance on the notice and consent framework within the DPDPB, similar to the EU GDPR, is problematic. Even when provided a notice, users are typically unaware of the actual uses their data is put to. Moreover, the flood of consent notices leads to consent fatigue, wherein users consent to everything by default as they are constantly bombarded with consent notices. Admittedly, the DPDPB has sought to mitigate this issue by recognising ‘consent managers’ – data fiduciaries who will help users manage their consent. One hopes that this is the first step towards a broader legal recognition in India of data stewards – trusted intermediaries who engage and negotiate with stakeholders to represent the best interests of data principals.
Section 8 of the DPDPB carries within it provisions from the PDP that were contained in Sections 12 – 14. While the DPDPB has been commended for being a shorter and more concise legislation than the PDP, in the case of ‘deemed consent’, brevity comes at the cost of clarity and user protection. Three instances that stand out are deemed consent for situations involving reasonable expectation, employment relationships, and credit scoring.
The first subsection under the ‘deemed consent’ provision notes that consent is deemed to be given in a situation where a data principal voluntarily provides the data and it is reasonably expected that she would provide such personal data. However, the provision makes no mention of the consent being limited to the purpose for which data was provided. Further, the standard of reasonableness (set out in sub-section 8(9)) will only serve to cause problems as it includes the reasonable expectation of the data principal. Setting aside the fact that most people do not understand the consequences of the sharing of their data, determining what is a ‘reasonable expectation’ for an individual is extremely complex in a country like India where digital literacy rates vary widely between rural (25%) and urban areas (61%), between States (60-80% in rural Kerala while 0-20% in rural UP), between sectors, and within sectors themselves.
S. 13 of the PDP, which dealt with deemed consent in employment situations, laid out four scenarios where an employer could process an employee’s data without her consent. This was further caveated by noting that such processing could be done when consent would not be appropriate given the nature of an employer-employee relationship, or if obtaining consent would involve disproportionate effort on the employer’s part. S. 8 of the DPDPB has done away with this. Consent will now be deemed to have been given if the processing is necessary for the purposes of employment. This opens the door for non-consensual processing of an employee’s data by her employer, seriously violating an employee’s privacy. Such a provision will now enable the further use of surveillance technologies that allow employers to take screenshots and conduct video monitoring – without the consent of employees. This can have deleterious consequences for employees’ privacy. The employer already exercises a great degree of power in the employer-employee relationship dynamic, and such provisions will only deepen the imbalance and give employers greater control and leverage over their employees.
While non-consensual processing for ‘public interest’ (DPDPB S. 8(8)) was allowed in the PDP (S. 14), it was safeguarded by the need for explicit regulations allowing for non-consensual processing in these circumstances. Furthermore, the Data Protection Authority was also empowered to lay down additional safeguards in such situations. The DPDPB however does away with these requirements. This is especially concerning in the area of credit scoring, with the use of AI-based systems that find empirical relationships between new factors. This can be done through analysis of a range of data from social media profiles to activities such as what is eaten and worn. This has serious implications for privacy and the financial wellbeing of individuals, and the DPDPB has now expanded the scope of data that can be processed for this without an individual’s explicit consent.
Section 8 serves to aid the processing of an individual’s data without their explicit consent, without adequately safeguarding their rights and interests. What is also critical is that while the DPDPB recognises the right to withdraw consent (Section 7(4)), it would appear that this right does not apply to situations of deemed consent, thus further weakening the rights of a data principal in such an instance.
While it is important for data protection legislation to account for the futility of obtaining consent in certain cases, allowances for non-consensual data processing must not reach a level that threatens individuals’ right to privacy and opens the door for further harms. Given that the DPDPB is still in the public consultation phase, one hopes that allowances for data processing in the DPDPB where consent has been ‘deemed’ to be given are read down.
Vinay Narayan is a researcher at Aapti Institute
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.