Updated: Apr 12
Vikram Jeet Singh, Kalindhi Bhatia and Prashant Daga
With great power comes great responsibility. In privacy terms, this can be translated to with consent comes protecting one's privacy. Today, we visit the primary basis that allows entities to process personal data i.e., consent. Presently, Indian privacy law requires an entity to inform an individual certain details of their processing activities (purpose, third-party sharing, security measures, etc.) and obtain express consent of the individual prior to collecting their data. In the proposed draft Digital Personal Data Protection Bill, 2022, this segway to processing personal data has largely been retained as is – but with an added obligation on entities to be able to provide the notice for consent in English or (specified) 20+ regional languages; the ambiguous language of this obligation has triggered concerns among stakeholders, in particular small-scale businesses.
One faction's view suggests that the consent notice should be maintained in English and twenty-two translated variants, always. This may not be (commercially and operationally) viable for small-scale overseas (and Indian) entities. Keeping in mind the linguistic diversity of India, entities should only be required to undertake such translations in specific cases, and not mandate providing these. Hopefully the tussle over translation is put to rest with language clarifying that such translations need to be carried out on ad-hoc basis, as and when requested by the data principal.
In addition to consent and in consonance with global privacy legislations, the new Bill also allows entities to process personal data on the basis of deemed consent. This provision has been a welcome addition but has room for improvement. Presently, this provision allows data fiduciaries to process personal data of a data principal without their consent, if the purpose for such processing satisfies any of the grounds set out under this provision. While a wide set of instances have been identified, there is scope of enhancing this. For instance, various scenarios such as processing for contractual obligations towards a data principal; complying with legal requirements, binding regulatory or administrative directions (including, for example, the obligation to report certain cybersecurity incidents to CERT In) (in addition to judicial or administrative orders), including for foreigners; internal transfers between group companies; processing by payment aggregators; engaging data processors etc., should be termed eligible for availing deemed consent permit. In fact, it would be prudent to leave this provision to be dynamic in nature i.e., grounds may be identified as and when a need is recognised by the data protection board.
Apart from this, some tricky elements also persist. Currently, certain grounds (like M&A, information security, etc.) are allowed only in the context of 'public interest'. Separately, processing of personal data has also been permitted for "fair and reasonable purposes", provided it meets certain factors, including "legitimate interests" of the data fiduciary. It is unclear why the government opted to not identify legitimate interests as a standalone ground, in conformity with global privacy laws. Instead of determining what is considered fair and reasonable, the law could replace it with the concept of legitimate interest and reserve the discretion to, on a continuing basis, identify activities that would be considered as a legitimate interest.