
Consents and Their Management Under India’s Digital Personal Data Protection Act

On August 12, India enacted its first comprehensive privacy legislation, the Digital Personal Data Protection Act. Given the scale of the economy, the size of the country, its ambitious, dynamic and highly educated population, and its significant digital footprint, this law had been long awaited since privacy was declared a fundamental right in India in 2017. It stands to be an extremely important piece of legislation for global companies and may set the tone for many economies across the region.

While various aspects of this Act distinguish it from other privacy laws in the world, its approach to consent is particularly interesting. Until now, two models of consent have dominated globally. One is the GDPR model, where consent must be expressly given and cannot be presumed or implied, but where legitimate interest also exists as a legal basis, so companies can process data without consent in various circumstances. The other is the model found in Canada, where consent is generally required, subject to limited exceptions. Such consent can, however, be implied, except in some high-risk scenarios, and there is no legitimate interest as a legal basis. As a result, implied consent in many countries roughly corresponds to the EU's legitimate interest, since in both cases individuals simply need to be informed and allowed to opt out. Some standardization, which is by no means a simple exercise, was therefore possible.

The Indian model seeks to establish an alternative approach to consent, which bears some resemblance to the law in Singapore but is still distinct in its own right. Depending on how the law is interpreted, this approach might mean extra work for companies trying to unify and standardize their approach to online privacy globally.

As per Section 4 of the Act, personal data may be processed for a lawful purpose for which the individual has given her consent, or for certain legitimate uses. Consent must be free, specific, informed, unconditional and unambiguous, given with a clear affirmative action; it signifies agreement to the processing of personal data for the specified purpose and is limited to such personal data as is necessary for that purpose. This is quite similar to the GDPR, under which consent means a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

One interesting aspect is that, for personal data provided before the commencement of the Act, it is only necessary to provide a privacy notice and not to re-collect consent. Another is that the Act limits consent to such personal data as is necessary for the specified purpose and treats legitimate uses as a second, independent category, whereas under the GDPR consent is, in theory, often the basis used for activities that are purely optional. How this difference will play out in practice remains to be seen. Under both the GDPR and the Act it is important to give individuals all relevant information and to use clear and plain language when seeking consent.

Under the Act, the individual has the right to withdraw consent at any time, and doing so must be as easy as giving it, which closely mirrors the GDPR. Withdrawal does not affect the legality of processing carried out on the basis of consent before the withdrawal. Here the Act and the GDPR diverge somewhat in practice: one of the Act's own illustrations indicates that the supply of goods already ordered and paid for remains covered by the consent, while under the GDPR, firstly, consent would not be the appropriate legal basis for processing data to fulfil an order, and secondly, withdrawal leaves only past processing unaffected, so activities still underway would have to stop.

At the same time, as per Section 7(a) of the Act, a data fiduciary may process personal data of a data principal for the specified purpose for which she has voluntarily provided it, and in respect of which she has not indicated that she does not consent to its use. This effectively puts the ball in the court of organizations to process personal data even where they do not hold the data principal's consent. This is where things get significantly more interesting. The provision corresponds neither to the EU's legitimate interest nor to the concept of implied consent recognized in other parts of the world. Looking at the examples provided in the Act, it is easy to confuse when providing personal data is an indication of consent and when it is a legitimate use that does not require consent. One example is a request or complaint form: some fields are marked as compulsory (which can be covered by consent), while a free-text field to explain one's case in detail is marked optional. One reading is that this legitimate use exists for situations where consent would not be fully appropriate, because not all of the data is strictly necessary and some of it is purely optional. That reading cuts completely across how consent and legitimate interest are defined and perceived under the GDPR, and it does not fully match the examples given in the Act either. Another reading is that merely providing data never amounts to consent, or that consent must be actively sought rather than merely given, while the legitimate use described above applies when the data principal provides more information than necessary in order to help deliver a solution or execute a request faster, meaning that she has not specifically consented to the processing of that additional information.

All in all, everything will depend on practice and on how the Act is interpreted by the relevant authorities and courts. If the act of providing personal data is sufficient evidence of the legality of obtaining it in the context of standard business operations and online services, provided an appropriate privacy notice is in place, there is a chance that things will not be so complicated. In that case there would be no major gap between the EU, India and countries such as Canada, with the requirements to give individuals advance notice and to respect their autonomy being almost universal. Many unknowns remain, however, and it could become much more complicated than that. For example, it may turn out in practice that explicit consent is always sought, even where the data are necessary for providing goods and services. That would require completely different approaches for India, for the EU, and for countries such as Canada with implied consent. It would be a real struggle for global companies, especially for their online operations, and would prove even more complicated and onerous for ordinary consumers.