The passing of the Digital Personal Data Protection Bill, 2023 in the Rajya Sabha proved to be anti-climactic with the absence of Opposition MPs during the discussion and voting process. There was much scope for discussion as well, considering that around 50 amendments were scheduled to be discussed by MPs Dr. John Brittas, Vinay Vishwam and A. D. Singh.
Meanwhile, around 21 amendments were moved with regard to the Bill in the Lok Sabha, of which only one amendment, moved by Vaishnaw, was approved. All the other 20 amendments were moved by RSP MP N.K. Premachandran, largely focusing on the treatment of consent in the Bill. His arguments were as follows:
Specifying the need for user consent: The Bill describes personal data breach as “any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.” Premachandran moved an amendment to insert “without obtaining consent in writing with signature” at the end of this definition. Similarly, under grounds for processing personal data, Premachandran asked that the user’s consent for processing of data should be given “in writing with signature.”
These amendments put greater onus on entities to ensure user consent before processing data.
Expanding the scope of notice and purpose limitation: Premachandran moved that personal data for “certain legitimate purposes” should only be used with “prior notice to the Data Principal and with written consent duly signed by the Data Principal”.
He also suggested that where an entity is allowed to continue processing a user’s personal data until and unless there is a withdrawal of user consent, the scope of the processing should be limited to “the purpose for which consent has been given” in the notice.
Legitimate purpose to be sanctioned by a committee: The Bill allows the processing of personal data without an explicit request of consent in case of performance of state duties, fulfilment of obligations under the law, medical emergencies and employment purposes.
Premachandran asked that all of these situations must first require “prior permission of the three Member Committee consisting of a Retired Judge of Supreme Court acting as the Chairman and two retired High Court Judges as the Members.” This would have ensured that due process of law would be followed.
Limiting data retention provisions: The Bill states that an entity must cease processing of a user’s personal data “within a reasonable time” once consent is withdrawn. The MP asked that “reasonable time” be substituted with “five hours” to ensure a proper time-frame for data retention once consent is withdrawn.
Remove state instrumentalities under legitimate uses: Section 7 of the Bill talks of legitimate uses of processing data without asking for consent and the entities to whom this data may be provided including “the State and any of its instrumentalities.” MP N.K. Premachandran asked that the phrase “any of its instrumentalities” be removed from the situations relating to provision of benefits, performance of state function, etc. Doing so would narrow down the wide-ranging access given to government entities. However, this amendment was rejected.
Narrowing down of processing under medical emergency: As per the Bill, personal data may be processed if there is a legitimate use “for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual.” Premachandran asked that “any other individual” be omitted from this clause.
Narrowing down of processing under safety provision: As per the Bill, personal data may be processed if there is a legitimate use “for taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order.” Premachandran moved that “or any break down of public order” be removed from this clause.
Provision of Data Protection Officer’s contact: The Bill states that every request for consent shall be presented to a user in a clear and plain language, “providing the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication” from the user. Premachandran asked that “where applicable” be omitted from this clause. This ensures that every consent request compulsorily has contact details of the relevant authority.
Note: The headline was edited at 11:13 AM on August 11, 2023, for brevity.