Imagine going to your favourite cafe and finding out the management has set up a facial data collecting camera inside the premises. You would think nothing of the update, assuming that the recording will only be used to screen customers. However, what if we told you that as per the latest version of India’s draft data protection Bill, the cafe will not only collect this personal data but also process it? All of this will be thanks to provisions allowing ‘certain legitimate uses’ retained in the Digital Personal Data Protection Bill, 2023 [PDF].
What are ‘certain legitimate uses’? The Bill says that “A Data Fiduciary may process personal data of a Data Principal for any of following uses, namely:
- “for the specified purposes for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data;
- for the State and any of its instrumentalities to provide or issue to the Data Principal such subsidy, benefit, service, certificate, licence or permit as may be prescribed, where––
- (i) she has previously consented to the processing of her personal data by the State or any of its instrumentalities for any subsidy, benefit, service, certificate, licence or permit, or
- (ii) such personal data is available in digital form in, or in non-digital form and digitised subsequently from, any database, register, book or other document which is maintained by the State or any of its instrumentalities and is notified by the Central Government;
- subject to standards followed for processing being in accordance with the policy issued by the Central Government or any law for the time being in force for governance of personal data.”
As per the example provided in the Bill, this clause means that if a person provides their personal data to avail a specific government benefit like maternity benefit, the same data can be used to process benefits under other government schemes as well.
- “for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State;
- for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force;
- for compliance with any judgement or decree or order issued under any law for the time being in force in India, or any judgement or order relating to claims of a contractual or civil nature under any law for the time being in force outside India;
- for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual;
- for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health;
- for taking measures to ensure safety of, or provide assistance or services to, any individual during any disaster, or any breakdown of public order;
- for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee.”
Essentially this means that legitimate use specifically depends on whether there is a ‘lack of objection’ against said processing of data. This takes an approach opposite to that of regular consent.
Previous provisions talked of deemed consent: Last year, the government had introduced the concept of deemed consent in the data protection Bill. Now, while the provisions remain largely the same, the words ‘deemed consent’ have been replaced by ‘legitimate use.’ During MediaNama’s discussion on the previous version of the Bill, speaker Lalit Panda had called these provisions “an insult to personal autonomy.” According to Panda, only the first sub-clause within the ‘Deemed Consent’ section qualified as “deemed consent.” The rest should be called “non-consensual consent or implied consent,” he said. Another criticism was that the Bill did not state the purpose for such a manner of data processing.
Public interest is no longer grounds for processing personal data: ‘Public interest’ is no longer one of the grounds for processing personal data. Last year, many stakeholders had voiced confusion and criticised this clause that included various other vague grounds like prevention of fraud. Last year, MediaNama’s Nikhil Pahwa talked about how the concept can also be used to process data on the public forum. Although two of the grounds under this clause have been shifted to exemptions, the removal of this provision is still welcome news.
Data cannot be retained for legal or business purposes: In the previous version, the Bill said that the officer responsible for the collection and processing of personal data – called a Data Fiduciary – must ensure the erasure of all data once it has served its “legal or business purpose.” This meant that entities, like a bank, could keep the data you had shared with them to open a savings account even after the account closed due to “legal reasons.” The new version removes this phrasing altogether, although there are exemptions in the Bill relating to debts, mergers and corporate restructuring transactions.
No need to issue notice for legitimate purposes: The Bill says that notices detailing the type of personal data and the purpose for its processing will only be required for consent provisions. This means that notice will not be required in case of legitimate purposes.
Since the introduction of deemed consent last year, experts have been unsure whether the officer in-charge of intimating and requesting user consent has to send notice to users under deemed consent. Typically these officers or data fiduciaries are supposed to send an itemised notice describing in clear language the personal data sought to be collected and the purpose of processing of the same. However, it’s unclear as to how this applied to ‘deemed consent.’
Vinay Narayan, a researcher at Apti Institute, similarly criticised this concept for aiding in the processing of an individual’s data without adequately safeguarding their rights and interests.
How the issuance of notice has evolved over the years
Provisions relating to notice have been a part of the Bill since its original version was drafted in 2018. The only case wherein it was not applicable was if it “substantially prejudiced” data processing. It even specified that the officer has to provide the user with certain information on:
- Purposes for data processing;
- Categories of data collected;
- Identity and contact details of the data fiduciary and data protection officer;
- Basis for processing data under Sections 12-17 and 18-22 (and consequences of failing to provide such data);
- Source of data collection, if the personal data is not collected from the data principal;
- Individuals or entities with whom personal data may be shared;
- Potential cross-border transfers of personal data;
- Period of data retention (if unknown, criteria for determining this period must be conveyed);
- Right to withdraw consent and the procedure to do so, existence of and procedure for exercising data principal rights (in the case of consent-based processing);
- Procedure for grievance redressal, existence of a right to file complaints to the Data Protection Authority;
- “Data trust scores” assigned to the data fiduciary;
- Other information specified by the Authority.
Later, in 2019, the Bill warned of “consequences” on failing to provide such data.
How lawful processing of data has changed over the years
The 2018 version of the Bill introduced a “lawful processing” provision without consent for personal data if it is necessary for the function of the Parliament or State legislature, compliance with court, prompt action or employment. However, the 2019 version deleted this provision and instead said that consent is “necessary for processing of personal data”. It also stated that consent will be invalid unless it is free, informed, clear, specific, and capable of being withdrawn. These purposes were then completely revamped in the 2022 Bill that introduced ‘deemed consent’ for the first time in the Bill. The only significant departure of the 2023 version from this version was the exclusion of the following grounds for deemed consent under public interest:
“(a) prevention and detection of fraud;
(b) mergers, acquisitions, any other similar combinations or corporate restructuring transactions in accordance with the provisions of applicable laws;
(c) network and information security;
(d) credit scoring;
(e) operation of search engines for processing of publicly available personal data;
(f) processing of publicly available personal data; and
(g) recovery of debt;
(9) for any fair and reasonable purpose as may be prescribed after taking into consideration.”
Note: The headline was changed on August 3 at 6:50 PM for clarity.