Does withdrawal of consent trump deemed consent or vice versa? #NAMA

How would withdrawing consent work if one’s information has been used under the ‘deemed consent’ provision in the data protection bill, 2022?

Key Recommendations:

  • Define “falsifying information” in user duties
  • Clarify how withdrawal of consent will be exercised in case of deemed consent
  • Define sensitive personal data and exclude it from the ambit of deemed consent
  • Data pertaining to harms should be classified as sensitive data
  • There should be a timeline for the implementation of the Bill

“…So I think the purpose of any policy or law is really to simplify what an organization will have to do going forward. So either it simplifies or makes more complex. So I suppose one of the questions that’s open for all of us to discuss here is, does the text of this DPDP Bill reduce or increase data governance risks for companies. And whether, you know, at the end of the day, a law is going to make it more or address current complexity and reduce operational concern. So I think that’s an open question for all of us to discuss…” said Zainab Bawa, COO of Hasgeek, on December 14, 2022 regarding the Digital Personal Data Protection (DPDP) Bill, 2022.

Speaking at MediaNama’s ‘Reworking the Data Protection Bill’ event, Bawa and fellow discussant, Subhashish Bhadra, Director at Klub Works, talked about the interplay of consent, deemed consent and withdrawal of consent. Many stakeholders joined the open house discussion to talk about how companies can navigate through these provisions, especially despite the lack of definitions in the Bill regarding topics like sensitive personal data.

The Ministry of Electronics and Information Technology (MeitY) is seeking chapter-wise public feedback on the draft law until January 2, 2023. The submissions will be held in a “fiduciary capacity” and will not be publicly disclosed.

Deemed consent hinders right to withdraw the same

As per Clause 7(4) of the DPDP Bill, the Data Principal has the right to withdraw consent where the basis of processing personal data is the Principal themselves. However, many stakeholders were unsure about how the right worked in case of deemed consent.

One person pointed out that withdrawal of consent cannot work in case of specific grounds of deemed consent such as court hearings, or during the course of litigation. However, what about credit scoring?

“Why should I contribute my data to credit scoring?” he asked.

Speakers suggested that there be explicit provisions that state when withdrawal of consent can work in case of deemed consent.

Can deemed consent be separated from consent?

Yet another person argued that withdrawal can be used only in case of explicit consent.

Such a distinction complicates the Bill further because in many parts where consent is mentioned, like rights relating to sharing, processing and notice, it “is assumed to also include deemed consent.”

“I think the language also makes it pretty clear that, as soon as they say that it is deemed to be consent, then it remains consent as soon as it is deemed for that purpose. And I think that’s something that brings us back to the question, can you bifurcate data?” said a speaker.

She argued that deemed consent relates to data processing and not data collection, because consent is deemed for processing of data that has already been collected by a certain entity. However, in cases of CCTVs in public places, speakers argued that deemed consent applies to collection as well.

Does right to erasure exist in the DPDP Bill?

One stakeholder pointed out that once the purpose of processing data is satisfied, the business is supposed to remove that data, except in case of legal and business reasons. He argued that this means individuals can proactively ask for erasure but it will not be done automatically by the business.

Another person interpreted this clause to mean that while a business purpose cannot nullify a request for erasure, it can retain the data nonetheless.

Future provisions may offer relief: One attendee suggested that the confusion regarding right to erasure may be resolved once the government “prescribes” further rules and regulations.

“If you see clause 13 One, it says data principles, you’ll have the right to correction erasure, for personal data, in accordance with applicable laws, and in such manner as may be prescribed. So this is still something that’s still wide open in terms of what they’ll come up with,” she said.

When does business purpose end? A speaker said that there is no clarity on when a “business purpose” for retaining data ends. He gave the example of deemed consent when booking a railway ticket, or booking an Uber, etc., and pointed out there is no clarity on when the business purpose of the shared data will end.

This essentially “kills storage limitation” – a provision that was included in previous versions of the Bill. The only time data can be deleted is when a Data Principal makes an explicit request for the same.

Lack of classification of data will hinder operations: As per the participants in the discussion, data is so distributed that nobody knows where a given piece of data is. To follow the provisions of the Bill, companies will have to make their own data inventory of what data is spread across which divisions. As such, stakeholders asked for time to implement the Bill and look into the fact that data has not been cataloged. This applies especially in case of deemed consent.

Define sensitive personal data: Some speakers worried about the amount of protection afforded to health data by the Bill. Earlier, health data may have come under the term of sensitive personal data. However, the latest version does not include such definitions. One person said the distinction of personal data from sensitive personal data is important for transfer of such data.

Earlier, there was a localization requirement for critical data privacy. Imposing such obligations is easier with the data distinctions in mind. In absence of such definitions, a speaker suggested that sectoral regulators step in and fill in the gap.

Another speaker suggested that sensitive personal data be differentiated on the basis of harms like mental health data or certain physical health data, when intersected with other databases. Referring to definitions in previous versions of the Bill will also allow for a comprehensive definition.

Distinguish business data from personal data: A stakeholder argued that businesses may only require a person’s business information and not personal data. The Singapore data protection law, from which the DPDP Bill is inspired, makes a distinction between business information and personal information for that reason. Similarly, the GDPR too addresses this issue to some extent. Stakeholders asked that such provisions be included in the Bill as well.

The Truecaller conundrum

Part of the discussion was also spent on deemed consent and its grounds for public interest, including for prevention of fraud, or prevention and detection of fraud. According to MediaNama Founder Nikhil Pahwa, many people use Truecaller for this reason. At the same time, Truecaller takes the address book of one person to identify who’s calling whom when the numbers are unknown. This means that the system does not take the consent of the person who owns the name and number that is being processed. Moreover, the person also does not receive a notice regarding the processed data.

Discussions among stakeholders suggested that such cases involve two layers of contract – one with the company and one among the individuals sharing the data. Focusing solely on the contract with the company, one speaker, Kiran, suggested that the purposes for processing such data be limited to the individual in contract with the company and not the third party.

There are still other complications like Wikipedia profiling that excludes the person being profiled from being involved in the making of the page.

Bill begs for a definition of ‘lying’:

As pointed out by a stakeholder, pseudonymity or giving incorrect information is a way of protecting oneself.

“There’s very clearly a penalty here for lying. And one of the best mechanisms to defend my privacy is to lie,” said the stakeholder.

In this respect, user duties were viewed by the discussants as a “very problematic thing” because withholding data is a means of ensuring an individual’s data is not released. Another person pointed out that the duties are in line with a school of thought which argues that fundamental duties are more important than fundamental rights.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
