wordpress blog stats
Connect with us

Hi, what are you looking for?

DPDP Bill 2022: ‘Deemed’ Consent, to users’ detriment

In the case of the ‘deemed consent’ provision in the draft data protection law, brevity comes at the cost of clarity and user protection

By Vinay Narayan 

While the release of the Digital Personal Data Protection Bill, 2022 (DPDPB) is welcome, given that India does not have a data protection law at all as yet, the DPDPB carries forward some concerning provisions from the previous Personal Data Protection Bill, 2021 (PDP). One such provision is that of ‘Deemed Consent’ (S. 8 of the DPDPB), that sets out situations where the consent of the data principal for processing of her data is assumed, and does not need to be explicitly sought. Deemed consent is usually determined by courts based on the circumstances of a case and the actions of parties involved.

At the outset, it must be noted that the reliance on the notice and consent framework within the DPDPB, similar to the EU GDPR, is problematic. Even when provided a notice, users are typically unaware of the actual uses their data is put to. Moreover, the flood of consent notices leads to consent fatigue, wherein users consent to everything by default  as they are constantly bombarded with consent notices. Admittedly, the DPDPB has sought to mitigate this issue by recognising ‘consent managers’ – data fiduciaries who will help users manage their consent. One hopes that this is the first step towards a broader legal recognition in India of data stewards – trusted intermediaries who engage and negotiate with stakeholders to represent the best interests of data principals.

Section 8 of the DPDPB carries within it provisions from the PDP that were contained in Sections 12 – 14. While the DPDPB has been commended for being a shorter and more concise legislation than the PDP, in the case of ‘deemed consent’, brevity comes at the cost of clarity and user protection. Three instances that stand out are deemed consent for situations involving reasonable expectation, employment relationships, and credit scoring.


FREE READ of the day by MediaNama: Click here to sign-up for our free-read of the day newsletter delivered daily before 9 AM in your inbox.


Section 8(1)

The first subsection under the ‘deemed consent’ provision notes that consent is deemed to be given in a situation where a data principal voluntarily provides the data and it is reasonably expected that she would provide such personal data. However, the provision makes no mention of the consent being limited to the purpose for which data was provided. Further, the standard of reasonableness (set out in sub-section 8(9)), will only serve to cause problems as it includes the reasonable expectation of the data principal. Setting aside the fact that most people do not understand the consequences of the sharing of their data, determining what is a ‘reasonable expectation’ for an individual is extremely complex in a country like India where digital literacy rates vary widely between rural (25%) and urban areas (61%), between States (60-80% in rural Kerala while 0-20% in rural UP), between sectors, and within sectors themselves. 

Employment relationship

1.13 of the PDP, which dealt with deemed consent in employment situations, laid out four  scenarios where an employer could process an employee’s data without her consent. This was further caveated by noting that such processing could be done when consent would not be appropriate given the nature of an employer-employee relationship, or if obtaining consent would involve disproportionate effort on the employer’s part. S. 8 of the DPDPB has done away with this. Consent will now be deemed to have been given if the processing is necessary for the purposes of employment. This opens the door for non-consensual processing of an employee’s data by her employer seriously violating an employee’s privacy. Such a provision will now enable the further use of surveillance technologies that allow employers to take screenshots and video monitoring – without the consent of employees. This can have deleterious consequences for employees’ privacy. The employer already exercises a great degree of power in the employer-employee relationship dynamic, and such provisions will only deepen the imbalance and give employers greater control and leverage over their employees.

Credit Scoring

While non-consensual processing for ‘public interest’ (DPDPB S. 8(8)) was allowed in the PDP (S. 14), it was safeguarded by the need for explicit regulations allowing for non-consensual processing in these circumstances. Furthermore, the Data Protection Authority was also empowered to lay down additional safeguards in such situations. The DPDPB however does away with these requirements. This is especially concerning in the area of credit scoring, with the use of AI-based systems that find empirical relationships between new factors. This can be done through analysis of a range of data from social media profiles to activities such as what is eaten and worn. This has serious implications for privacy and the financial wellbeing of individuals, and the DPDPB has now expanded the scope of data that can be processed for this without an individual’s explicit consent.

Conclusion

Section 8 serves to aid the processing of an individual’s data without their explicit consent, without adequately safeguarding their rights and interests. What is also critical is that while the DPDPB recognises the right to withdraw consent (Section 7(4)), it would appear that this right does not apply to situations of deemed consent, thus further weakening the rights of a data principal in such an instance.

While it is important for data protection legislation to account for the futility of obtaining consent in certain cases, allowances for non-consensual data processing must not reach a level that threaten individuals’ right to privacy and open the door for further harms. Given that the DPDPB is still in the public consultation phase, one hopes that allowances for data processing in the DPDPB where consent has been ‘deemed’ to be given are read down.

Vinay Narayan is a researcher at Aapti Institute 


This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Also Read 

Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.

Views

News

India's smartphone operating system BharOS has received much buzz in the media lately, but does it really merit this attention?

News

After using the Mapples app as his default navigation app for a week, Sarvesh draws a comparison between Google Maps and Mapples

News

In the case of the ‘deemed consent' provision in the draft data protection law, brevity comes at the cost of clarity and user protection

News

The regulatory ambivalence around an instrument so essential to facilitate data exchange – the CM framework – is disconcerting for several reasons.

News

The provisions around grievance redressal in the Data Protection Bill "stands to be dangerously sparse and nugatory on various counts."

You May Also Like

News

Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

Advert

135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...

News

By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

News

Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Name:*
Your email address:*
*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ