- Eliminate vague parameters for deemed consent in the bill and add notice of purpose.
- Add a clause for purpose limitation and notice to data principals for data collected under deemed consent.
- Clearly define reasonability of data processed under deemed consent for transparency.
- Include provisions for safeguarding privacy of citizens under deemed consent.
“If you look at all kinds of provisions over here, in terms of the onus of proof being on the data principal to prove that they’ve been harmed in a certain way…in a manner that it will be considered by the court, or for the matter, in terms of deemed consent that if…I make a restaurant booking through dine out, I’m giving deemed consent. These are just excellent examples of saying that this Bill just legitimizes the non-protection of user data,” said Zainab Bawa, Chief Operating Officer at Hasgeek about the Digital Personal Data Protection (DPDP) Bill 2022 on December 14, 2022.
Speaking at MediaNama’s ‘Reworking the Data Protection Bill’ event, Bawa and fellow discussant, Subhashish Bhadra from Klub, talked about the provision of deemed consent in the bill, the ambiguity over its understanding and the problems related to its applicability.
The Ministry of Electronics and Information Technology (MeitY) is seeking chapter-wise public feedback on the draft law until January 2, 2023. The submissions will be held in a “fiduciary capacity” and will not be publicly disclosed.
Ambiguity over the phrase “deemed consent”
According to the experts, the European Union’s General Data Protection Regulation talks about ‘non-consensual’ data sharing and lays out rules for alternate grounds for data processing. The DPDP Bill’s previous iterations included welfare delivery, security of the nation and other factors for non-consensual data sharing. With the inclusion of “deemed consent” as a provision, the current version presents a more ambiguous mention of such processes.
“I think there is a little bit of ambiguity in the way they have drafted the language around deemed consent in eight one, where what are those situations where you can say that somebody is reasonably expected that she would have provided such information,” states a speaker. There is no clarity over how reasonable expectation can be defined by law.
Notice of purpose for deemed consent
The DPDP Bill lays out different parameters for deemed consent such as medical emergency, matters of public interest, public emergency, prevention and detection of fraud and legitimate interests of a data fiduciary. One of the speakers argued that while some of these parameters such as the medical one can be legitimate, it is important to eliminate the vagueness and add a notice as to the purposes for which deemed consent is taken. “In addition to notice, what I would do away with is the clause that says basically that the government can make any new grounds for deemed consent. Removing that open-endedness and adding notice, and in general kind of whittling down the number of grounds for deemed consent would be the changes I would think of,” he adds.
Another speaker stresses that while data principals know they have given their data, they must also know that their data is being shared, because then they have the right to not give that consent in the first place. “Transparency is an integral part therefore notice is an integral part and therefore, in deemed consent, if there is no notice mechanism, then effectively, I have no visibility over what’s happening to my data and so therefore, I don’t have the right to say no, for one,” he adds.
It is important to note that while entities are supposed to give notice and have purpose limitation and also disclose the recipients for obtaining consent, deemed consent stands out as an exception to that. One of the speakers notes that deemed consent is understood to be “voluntarily provided” and that there’s “reasonable expectation” that it has to be provided.
“There’s no incentive to actually follow through on the consent norms, because exceptions are broad enough to cover your users. And the purposes can be anything because you’re getting deemed consent for those purposes simply by not notifying the user. So, the exception is turning into the norm through that very provision,” he adds.
No way to check reasonability
One of the speakers pointed out the “absence of necessity and proportionality as considerations for the fair processing of personal data” collected through deemed consent. If an individual gives their data voluntarily to a restaurant, they expect that the information is being used only to verify the person’s details, but it is highly likely that industry practices may also “mean that data is being used for marketing purposes” and there is no means to check the reasonability of such use.
The speaker notes, “There’s no standard to test that reasonability because there is no necessity proportionally standard that’s inserted here. That is one of the things that enables for the processing. And as you pointed out, it essentially treats and tokenize[s] the individual as a data resource rather than data principal.”
Taking the case of CCTV surveillance and deployment of facial recognition systems, both for security purposes, the speakers raised concerns about the limitations of purpose under deemed consent. Deemed consent applies to “ambient data” in particular, which the speaker notes is “the trickiest to deal with the CCTV case”, but does the individual’s consent then extend to facial recognition too? “Where does it end is the question because the whole idea is to limit the data sharing right to protect my rights, your rights as individuals. I’m saying where do you draw the line because that line has to be drawn with this bill,” he adds.
The discussants say that the individual must know the purpose for which their data is going to be used and, once the purpose is served, ideally have the right to get the data withdrawn. “The fact is, it shouldn’t be that once it’s out the door, anyone anywhere can do whatever they want with it because effectively, that’s the difference between it being my data, and the data of the organization that collects it from me for serving a purpose of which I’m allowing it to do,” he notes.
Another stakeholder views purpose limitation as a way to restrict the deemed consent clause and recommends a clause to be added stating that if the purpose that is sought could be achieved by other means, then individuals must have such alternatives.
Where can deemed consent be misused?
One of the speakers highlighted cases where deemed consent can be misused and the ways in which users have been “black boxed” from the concept of how their data is being processed under deemed consent. “Data is not being used in silos is what we have to constantly remind ourselves because even today, suppose I go to Amazon, I accept cookies, and I accept this thing,” she adds.
Example: As a user one may feel okay to use Google Maps through Ola, because it is fulfilling the particular purpose of reaching point X.
However, the speaker touches upon the far-reaching repercussions of such sharing of databases. “Today, it’s Google Maps and Uber sharing their databases and the links between them. But tomorrow, you might have health related data, you might have this very same data. Location data, in fact, is so private and personal and intrinsic to you. You never know where it’s going, if it’s going to this intelligence agency,” she adds.
Additionally, with the unified healthcare interface coming in, the discussants also elaborated on the risks of misuse of children’s health data by online health service providers under deemed consent provisions. Another speaker noted that with exemptions under the bill, the government can bring in anything that could be counted as deemed consent, which “basically obviates the need for an individual’s explicit consent”, thereby diluting the individual’s rights.
While the bill lays out situations where consent is deemed, the attendees note that it does not specify when the businesses should be taking explicit consent and when they should be taking deemed consent.
Can data collected through explicit and deemed consent be separated?
One of the important points of discussion was whether inferences drawn from data collected and processed under explicit consent can be separated from those drawn under deemed consent.
One of the speakers notes, “Unless the purposes are similar, there is no similar processing. And if the purposes aren’t similar, and you’re taking explicit consent in one case, and you’d be taking deemed consent in the other, then there are two different sets of data.”
Deemed consent and privacy
The discussants raised pertinent questions on whether processing publicly available data, to which individuals might have deemed consent, will amount to a data breach and whether the bill provides protection from such cases of privacy violation.
The questions raised include:
- Is surveillance under public interest?
- Do the operations of search engines, for the purpose of public processing of publicly available data, count as public interest?
- Example, “If all of our photographs are on social media, publicly available, can Clearview AI effectively scrape all of it and build facial recognition databases, because they have deemed consent under processing a publicly available data. I’m saying the phrase purpose; public interest is being defined in a law without any history of all of this stuff.”
One of the speakers noted that the definitions of harms such as ‘bodily harm’ and ‘impersonation’ are extremely narrow and it will be difficult for a person to make a case of why a certain thing may be harmful to them. Additionally, if it is deemed consent, there is no notice of purpose given. “I might argue that data I’ve collected from you was meant to come…If you don’t have notice, how will you know, purpose? So that I think is the problem with deemed consent that in the absence of notice, it could really legitimize many different forms of data usage,” he adds.
In cases such as CCTV surveillance in a mall, where explicit consent is not given but people feel okay about data being collected for quantifying the footfall, a discussant raised concerns about the data being used for other purposes, which may violate one’s privacy. She notes that one may not get a chance to say the purpose was not allowed because the data was used under deemed consent.
Note: The headline was updated on December 19th, 2022 at 1:45 PM for brevity
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.