Key Recommendations:
- Define “falsifying information” in user duties
- Clarify how withdrawal of consent will be exercised in case of deemed consent
- Define sensitive personal data and exclude it from the ambit of deemed consent
- Data pertaining to harms should be classified as sensitive data
- There should be a timeline for the implementation of the Bill
“…So I think the purpose of any policy or law is really to simplify what an organization will have to do going forward. So either it simplifies or makes more complex. So I suppose one of the questions that’s open for all of us to discuss here is, does the text of this DPDP Bill reduce or increase data governance risks for companies. And whether, you know, at the end of the day, a law is going to make it more or address current complexity and reduce operational concern. So I think that’s an open question for all of us to discuss…” said Zainab Bawa, COO of Hasgeek, on December 14, 2022 regarding the Digital Personal Data Protection (DPDP) Bill, 2022.
Speaking at MediaNama’s ‘Reworking the Data Protection Bill’ event, Bawa and fellow discussant Subhashish Bhadra, Director at Klub Works, talked about the interplay of consent, deemed consent and withdrawal of consent. Many stakeholders joined the open house discussion to talk about how companies can navigate these provisions, especially given the lack of definitions in the Bill for topics like sensitive personal data.
The Ministry of Electronics and Information Technology (MeitY) is seeking chapter-wise public feedback on the draft law until January 2, 2023. The submissions will be held in a “fiduciary capacity” and will not be publicly disclosed.
Deemed consent hinders right to withdraw the same
As per Clause 7(4) of the DPDP Bill, the Data Principal has the right to withdraw consent where the basis of processing personal data is the Principal themselves. However, many stakeholders were unsure about how the right worked in case of deemed consent.
One person pointed out that withdrawal of consent cannot work for specific grounds of deemed consent such as court hearings or processing during the course of litigation. He questioned, however, whether the same should hold for credit scoring.
“Why should I contribute my data to credit scoring?” he asked.
Speakers suggested that there be explicit provisions that state when withdrawal of consent can work in case of deemed consent.
Can deemed consent be separated from consent?
Yet another person argued that withdrawal can be used only in case of explicit consent.
Such a distinction complicates the Bill further because in many places where consent is mentioned, such as the rights relating to sharing, processing and notice, the term “is assumed to also include deemed consent.”
“I think the language also makes it pretty clear that, as soon as they say that it is deemed to be consent, then it remains consent as soon as it is deemed for that purpose. And I think that’s something that brings us back to the question, can you bifurcate data?” said a speaker.
She argued that deemed consent relates to data processing and not data collection, because consent is deemed for the processing of data that has already been collected by a certain entity. However, in the case of CCTVs in public places, speakers argued that deemed consent applies to collection as well.
Does right to erasure exist in the DPDP Bill?
One stakeholder pointed out that once the purpose of processing data is satisfied, the business is supposed to remove that data, except for legal and business reasons. He argued that this means individuals can proactively ask for erasure, but it will not be done automatically by the business.
Another person interpreted this clause to mean that while a business purpose cannot nullify a request for erasure, it can retain the data nonetheless.
Future provisions may offer relief: One attendee suggested that the confusion regarding right to erasure may be resolved once the government “prescribes” further rules and regulations.
“If you see clause 13(1), it says Data Principals, you’ll have the right to correction, erasure, for personal data, in accordance with applicable laws, and in such manner as may be prescribed. So this is still something that’s still wide open in terms of what they’ll come up with,” she said.
When does business purpose end? A speaker said that there is no clarity on when a “business purpose” for retaining data ends. He gave the example of deemed consent when booking a railway ticket or booking an Uber, and pointed out that there is no clarity on when the business purpose for the shared data will end.
This essentially “kills storage limitation” – a provision that was included in previous versions of the Bill. The only time data can be deleted is when a Data Principal makes an explicit request for the same.
Lack of classification of data will hinder operations: As per the participants in the discussion, data is so distributed that nobody knows where a given piece of data resides. To follow the provisions of the Bill, companies will have to build their own data inventory of what data is spread across which divisions. As such, stakeholders asked for time to implement the Bill and to account for the fact that data has not been catalogued. This applies especially in the case of deemed consent.
Define sensitive personal data: Some speakers worried about the amount of protection afforded to health data by the Bill. Earlier, health data may have come under the term sensitive personal data. However, the latest version does not include such definitions. One person said the distinction between personal data and sensitive personal data is important for the transfer of such data.
Earlier, there was a localization requirement for critical personal data. Imposing such obligations is easier with these data distinctions in place. In the absence of such definitions, a speaker suggested that sectoral regulators step in and fill the gap.
Another speaker suggested that sensitive personal data be differentiated on the basis of harms, for instance mental health data or certain physical health data when intersected with other databases. Referring to the definitions in previous versions of the Bill would also allow for a comprehensive definition.
Distinguish business data from personal data: A stakeholder argued that businesses may only require a person’s business information and not personal data. The Singapore data protection law, from which the DPDP Bill draws inspiration, makes a distinction between business information and personal information for that reason. Similarly, the GDPR too addresses this issue to some extent. Stakeholders asked that such provisions be included in the Bill as well.
The Truecaller conundrum
Part of the discussion was also spent on deemed consent and its public interest grounds, including the prevention and detection of fraud. According to MediaNama Founder Nikhil Pahwa, many people use Truecaller for this reason. At the same time, Truecaller takes the address book of one person to identify who is calling when a number is unknown. This means that the system does not take the consent of the person who owns the name and number being processed. Moreover, that person also does not receive a notice regarding the processed data.
Discussions among stakeholders suggested that such cases involve two layers of contract: one with the company and one among the individuals sharing the data. Focusing solely on the contract with the company, one speaker, Kiran, suggested that the purposes for processing such data be limited to the individual in contract with the company and not the third party.
There are still other complications, like Wikipedia profiling, which excludes the person being profiled from the making of the page.
Bill begs for a definition of ‘lying’
As pointed out by a stakeholder, pseudonymity or giving incorrect information is a way of protecting oneself.
“There’s very clearly a penalty here for lying. And one of the best mechanisms to defend my privacy is to lie,” said the stakeholder.
In this respect, user duties were viewed by the discussants as a “very problematic thing” because withholding data is a means of ensuring an individual’s data is not released. Another person pointed out that the duties are in line with a school of thought which argues that fundamental duties are more important than fundamental rights.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.