Data Protection Bill Series: Standard of consent and processing of data
Editor’s note: The Data Protection Bill series carefully examines the various sections of the draft Personal Data Protection Bill, 2018 as laid down by the Justice BN Srikrishna Commission and submitted to MEITY for approval. This is Part V of the series.
The Report accompanying the Personal Data Protection Bill, 2018, acknowledges that the notice and consent framework in use today is broken, given the many click-wrap and browse-wrap agreements in use on the internet, which bind people to legal contracts without actually obtaining meaningful consent. Further, these contracts are of a ‘take it or leave it’ nature, which offers people no meaningful choice.
The Bill attempts to resolve this issue by prescribing a largely consent-based framework as the ground on which a data fiduciary can process the data. The data fiduciary through this framework will not be able to demand more data than is necessary for the provision of the service in question. This framework will necessitate significant changes in the way companies and other actors currently process data.
Consent even for data necessary for contract
For non-state actors in particular, such as private companies and individuals, this consent-based framework will be a cause for concern. The Bill does prescribe exceptions and non-consent based grounds (these will be discussed in the next part of the series), but consent will be the primary ground applicable. This will also apply to any State activities that do not fall under the exceptions prescribed.
Data protection laws can prescribe several grounds for processing. Article 6 of the GDPR (General Data Protection Regulation), for instance, additionally allows processing of data where it is necessary for the performance of a contract or for the legitimate interests of the controller. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), on the other hand, does not recognise a separate ground such as the performance of a contract.
As per the Report, the Bill does away with these separate grounds. It thus makes consent the only legal basis for processing data, even if it is necessary for the performance of the contract. This will avoid issues like the insertion of data processing clauses in a contract between the two parties, and the use of the contractual consent so obtained to justify the processing of data that is otherwise unnecessary to the performance of the contract.
High standard of consent
Further, the standard of consent itself as prescribed under the Bill is high—it must be free, informed, specific, clear, and capable of being withdrawn. This consent, moreover, must be given prior to the commencement of processing.
The Bill, further, does not allow the data fiduciary to make the provision of the goods or services, or the performance of the contract in question, conditional upon the data principal giving consent. This would, for instance, affect the common practice with cookies of offering a degraded website experience to those who do not consent to certain categories of cookies.
Withdrawal of consent for data necessary for contract
Since consent must be capable of being withdrawn, it can be withdrawn even in respect of data that is necessary for the performance of the contract. For instance, to purchase a product online and have it delivered, a data principal would need to provide his name, address and payment details. Under this rule, the data principal can withdraw the consent he has given even for the use of this data.
Naturally, this will have consequences for the party providing the service, such as an inability to deliver the product in question. The Bill seeks to protect the data fiduciary from such consequences. For this, however, it uses a confusing clause, which states that ‘all legal consequences for the effect of such withdrawal shall be borne by the data principal’. The phrase ‘all legal consequences’ is of very broad scope, leaving the data principal uncertain about the extent of the liability imposed on him for withdrawing consent.
Clarity on this clause is then provided in the Report, which references Sections 39 and 53 of the Indian Contract Act, 1872, for the interpretation of this provision. These sections, in effect, state that the affected person, i.e., the data fiduciary can refuse to perform the contract on withdrawal of such necessary data. Further, the data fiduciary may be entitled to compensation for any loss he may have sustained. For example, if the seller had begun the delivery process and thus incurred a loss on account of the data principal’s withdrawal of consent, he will be entitled to compensation from the data principal.
A direct reference to these sections of the Contract Act in the Data Protection Bill itself would have done more to limit the effects of a data principal’s withdrawal of consent for necessary data. Alternatively, a specific statement that the data fiduciary has the right to refuse performance of the contract that depends on the withdrawn data, or is entitled to compensation for losses incurred, would have served the same purpose. As currently framed, the provision leaves the data principal’s potential liability for withdrawing consent highly ambiguous.
Consent dashboards and product liability for consent forms
The Report also makes further suggestions with respect to consent. First, it recommends the creation of a consent dashboard, along the lines of the one created for account aggregators by the RBI, which would let a data principal track the consent given to multiple data fiduciaries from a single place.
Second, it states that product liability norms should be incorporated into consent forms. This means that the data fiduciary will remain liable for any harm caused to the data principal on account of the data given to it, despite having obtained consent. It also means that greater responsibility is placed on data fiduciaries to ensure that consent is properly obtained. Pre-ticked boxes, a notice that does not appear at the required time, and the use of data for purposes the data principal would not reasonably expect are some of the harms outlined by the Report. These recommendations impose a considerably higher burden on data fiduciaries.
Sensitive personal data and children’s data
For sensitive personal data, a higher standard of consent, namely explicit consent, has been prescribed. This means, for instance, that the consent taken must be specific to the processing of the sensitive data for the particular purpose in question, and must be unbundled from any other consent taken. Further, data principals must be made aware of any significant consequences of the processing for them. The Bill, however, also allows new categories of sensitive personal data, as well as new grounds for processing it, to be prescribed later.
For children below the age of 18, appropriate age verification mechanisms and parental consent have been prescribed. Under laws like the GDPR, the need for parental consent has been dispensed with in the context of providing counselling services to the child. Under the Bill, however, this exception has been limited to ‘guardian data fiduciaries’ that exclusively provide counselling or child protection services to a child. A guardian data fiduciary is one that operates a commercial website or online service directed at children, or one that processes large volumes of children’s personal data. This is likely to be restrictive from the point of view of protecting the child, for instance in the case of a school that hires a counsellor, or a counselling centre that is not directed specifically at children.
A further gap is the absence of a provision along the lines of the recommendation in the Save Our Privacy campaign’s Indian Privacy Code, which allows a minor to alter or rescind his consent, or to have his data with a data fiduciary deleted, upon reaching the age of majority.
Non-consensual grounds of processing
The consent-based framework prescribed under the Bill is thus of a high standard, and is likely to impose significant responsibilities on data fiduciaries. However, the numerous grounds for non-consensual processing of data undermine the efficacy of that framework. These will be dealt with in the next part of the series.
The next part of the series deals with permitted grounds of non-consent based processing, including processing by the State. You can read the past parts of the series:
Part I: Quick overview of India’s draft data protection law
Part II: Understanding jurisdiction within and outside the country
Part III: The importance of defining personal data
Part IV: Data protection obligations on data fiduciaries
The author is a lawyer specializing in technology, privacy and cyber laws. She is also a certified privacy professional.