Should the rules under India’s data protection law include deprecating consent? #PrivacyNama2023

Deprecating consent indicates automatic withdrawal of consent when the user has not used the relevant feature for a certain period of time.

India’s recently enacted Digital Personal Data Protection Act of 2023 requires all companies to obtain consent from users before collecting and processing their personal data except in a few cases. The Act also allows users to withdraw their consent at any time. However, there is no concept of deprecating consent, which refers to the automatic withdrawal of consent when a user hasn’t used the relevant feature for a certain period of time.

Google’s Android, for example, removes permissions if a user of the app hasn’t used those permissions for a while. Should the rules formed under the Act include deprecating consent as a requirement? MediaNama’s Founder and Editor Nikhil Pahwa put this question to the speakers at PrivacyNama 2023, held on October 26-27. “I mean that’s probably one of the most important privacy-protecting frameworks that I have come across because you shouldn’t have to give consent for life,” Pahwa opined.

This discussion was organised with support from Meta, PhonePe, Google, and Salesforce, and in partnership with CUTS and the Centre for Communication Governance.

Abha Tiwari, Data Protection Officer at Renault Group, opined that consent can only be for the specified purpose, and the specified purpose cannot be an infinite purpose. The purpose should be measurable and identifiable, and data should be collected only for this purpose. “If the purpose is not specified or the purpose is too large then that may not fall or that may end up being in violation of the DPDP Act,” she said. The consent that organisations take can only be for that purpose, and data cannot be collected forever. “This consent cannot be stretched beyond the purpose. And if it gets stretched then that is again a violation,” she added. Tiwari’s explanation implies that deprecating consent is not explicitly needed because the Act already allows consent to be used only for specified purposes.

While not directly addressing the idea of deprecating consent, Jagannath PV, Chief Privacy Officer at LTIMindtree, spoke about how companies should delete any personal data that doesn’t serve a purpose for them. He shared the example of job applications. “Now, how long are you going to keep a resume? There is no point in having a resume for more than a year because a person would have learned something else and they would have updated their resume by the last year. So instead of keeping it for four or five years and going after an old resume, you would rather delete it in one year,” Jagannath elaborated. “I would apply that practical principle of data deletion to your question as well,” he added.

Vasudha Gupta, Chief Privacy Officer at Unlimit, suggested that companies build a consent preference centre where users can manage consent. “You bring in a centre where a person can log in and then they can be verified with that through an OTP or any other mechanism. And then they could choose to opt out of various services that you’re providing them. So that’s another way to handle this situation,” she explained. This response doesn’t address deprecating consent; rather, it describes an easier way for users to manage the consent they have given to platforms.

