While discussing privacy notices mandated under India’s new data protection law at PrivacyNama 2023, Renault’s Abha Tiwari made a strong case that entities cannot do away with sending out privacy notices to data subjects simply because they fall under the legitimate use categories of the Digital Personal Data Protection Act, 2023.

What are legitimate uses? Under the DPDP Act, ‘legitimate uses’ is a provision that lists eight conditions under which an entity can process a user’s personal data. Many experts have stated that the provision is similar to ‘deemed consent’ in a previous version of the draft, which dispensed with the need for user consent prior to processing. Essentially, the enforcement of such use depends on whether there is a ‘lack of objection’ to the processing of the data, which is the opposite of the approach taken with regular consent.

Taking the example of employment data, Tiwari pointed out that consent cannot be the basis of processing employee data since there is a global consensus that employers and employees do not have the same bargaining power.

“…Organizations have a legitimate interest in protecting their intellectual property rights, in providing security to the workforce, and in securing so many other things,” said Tiwari, the Legal Head and Data Protection Officer at Renault. “Does that mean that I can put a camera [in the office], and not tell the data subject that I’ve put a camera [there] and that I’m going to monitor them 24×7, or as long as they’re there in the office? …This has happened across many jurisdictions, we have seen this sort of conflict, and everywhere it says that whatever means and measures are deployed, you cannot have consent as the basis of processing employee data. This does not mean that you dispense the need to provide them [the employee] the notice. In this notice, whatever means and measures are being deployed, or whatever the purpose of processing, information on this has to be provided to the data subject. And, there has to be proportionality between the means that are deployed [for processing] and the objective that is sought to be achieved [by it]. This objective cannot override the right to privacy at all. It cannot, it will never stand the test of time…”

Tiwari spoke during the ‘Notice, Consent and Grounds for Processing’ session of MediaNama’s flagship event ‘PrivacyNama’ alongside other speakers such as Rajeev Sharma, Vice President of Tata 1 Mg, Richa Mukherjee, Director of Public Policy and Corporate Affairs at PayU, B. G. Mahesh, Co-Founder of DigiSahamati Foundation, and moderator Sreenidhi Srinivasan, Partner at Ikigai Law, to discuss the challenges that different sectors may face in acquiring user consent.

Failing to provide notice defeats the data protection law’s purpose: “This is exactly what was echoed in the judgment of Puttaswamy, where it says that the right to privacy is inherent in the right to life in article 21 [of the Constitution],” Tiwari added. “So, any means or measure [of data processing] cannot override right to privacy or right to life, but it will not mean that a notice is not provided. When a notice is not provided, there is absolutely no transparency at all. And that will defeat the whole purpose of processing under this Act.”

Legitimate use vs legitimate interest: Tiwari said that ‘legitimate interest’ under the GDPR is a much broader concept than the legitimate uses mentioned in the DPDP Act. In the Indian case, legitimate uses are restricted to the eight situations mentioned in the Act. Legitimate interest, by contrast, allows organisations to process data subject to proportionality, meaning they carry out an impact assessment to balance their commercial and economic interests against the fundamental rights and freedoms of the data subject.

“What could be the playground that we might get under the DPDP Act [for legitimate uses]?” Tiwari asked. “It is going to be very restrictive. If we look at the illustrations that are given in the DPDP Act itself…if any organisation chooses to process this data on the basis of legitimate use, there has to be an inextricable link between the primary purpose and the secondary purpose, which is clear. [That is] Unless the rules [under the DPDP Act] come out and say that no, there could be some differences [in application], and this could be construed as legitimate use [instead].”

What are the secondary purposes for ‘legitimate use’ data processing? Secondary purposes are those that differ from the core purpose of data processing. They are incidental and require a distinction from the core purposes to avoid the abuse of provisions like legitimate uses.

Tiwari gave the example of the automotive industry where the car-selling company may draft a notice asking customers to allow them to process data for a specific purpose. Within this document, the company will have to then split marketing communication-related processing with reference to the vehicle, versus marketing communication with reference to all current and future products.

“[Suppose] The customer chooses not to mark the second option, [for communications regarding] future products. So, there is a loss that will happen to me. I cannot club it as a primary and a secondary purpose [under the notice], because it is the prerogative of the customer to choose whether he would want to be with me, or [if] he would choose another automotive…I surely cannot link these two,” she said.

Will requiring explicit consent for data processing mark the end of surprise deliveries? Many people send surprise deliveries to each other for various reasons. One speaker raised the question of whether this practice will end in light of the notice requirement for processing personal data such as a home address.

Tiwari answered that at least in the GDPR, consent for data collection via an indirect source is specifically addressed. As per European legislation, the data subject has to be notified about the processing in such a context right before the data is being used or as soon as possible. However, such a provision is not currently available in the DPDP Act.

So to resolve this question of when and how a notice should be sent, or consent should be asked, Tiwari suggested a cautionary message or a checkbox that asks the person placing the order on behalf of another to ensure that the recipient is informed that their data will be processed by the involved company. Further, she said that since the data subject, the person whose data is processed, must have the right to withdraw consent, the person will have to be sent a notice to inform them of their rights, and the lifecycle of the data processing.

“This will be in violation of the whole intent [of a surprise delivery], but from a data processing standpoint, this information or this authorization or this approval will have to be there,” said Tiwari.

A problem of vicarious consent: The question of consenting on behalf of another person also raises the problem of “vicarious consent,” said Nehaa Chaudhari, Partner at Ikigai Law during the ‘Obligations for Data Fiduciaries: What Next?’ session. She explained the nature of this problem by the following example:

“Say as an employer, I can rely on this [legitimate use] exception to process employee data. But if I’m asking you to give me emergency contact numbers, names, addresses of three other people that I can reach out to in case of an emergency, does that exemption also extend to me processing their personal data, or does it extend to only me processing your personal data if you are my employee?”

Moreover, the person providing such contacts will also have the additional burden of proving that they have taken consent from three other people to share their personal information. The alternative is that the organisation will have to reach out to the emergency contacts of thousands of employees and obtain consent from each of them.

Need for an umbrella consent: Predicting changes in contractual agreements between payment gateways like PayU and merchants, Mukherjee suggested that there be a provision in the rules under the DPDP Act for “a master consent” or “an umbrella consent.” This means that when one entity that has a direct interface with the consumer takes their consent, it becomes an overriding consent for all the other entities, specifically data fiduciaries, in that ecosystem. This master consent can be used in cases where the specific purpose of the various entities is the same.

Consent framework should have more parameters to improve consumer privacy literacy: Account aggregators function as consent managers for financial data. Mahesh said that as of October 26, 2023, the number of consents successfully delivered is about 1.6 lakh every day. Until March 2023, about a billion dollars of loans were given out, powered by the account aggregator.

To understand how much data can be permissibly processed for such transactions, Sahamati created “a library of the consent templates” that specified parameter values on a use-case basis. Mahesh talked about the need to show important parameters to users in the account aggregator system to “warn the user if the value of any of those parameters are outside the usual range” since most users do not know what the right values are. These parameters help users better manage their consent.

“We have ensured that these parameters in the very opening screen of the consent framework have to be clearly shown to the end user. And as we go forward, we have also seen many users have asked that the consent framework should not be in one language, the user should have a choice in which language it has to be shown,” he said, adding that the rules around the DPDP Act will “not go so deep” on the use-case and mapping activities.

Consent for creditworthiness: Mukherjee pointed out that fintech companies at times have to get customer data from third-party entities to carry out certain checks, such as user profiling, behavioural analysis, or risk analysis, for a consumer requesting a buy-now-pay-later facility. She argued that there needs to be a mechanism whereby the data shared between the third parties is made available to the fintech company that has to provide that facility.

“In all of this there has to be a right amount of consent and notice, but again in the B2B space, that is kind of a challenge. So that kind of a framework has to be made provision for in the fintech space,” she said.

