Deemed consent: DPDP Bill

India's Digital Data Protection Bill: Implications of deemed consent

Authors

5 minute read 16 Aug 2023

The novel concept of deemed consent, introduced in the Bill, can have significant impact on both employees and organizations.

In brief

  • Companies or data fiduciaries may process personal data only for the purpose for which the data has been voluntarily provided, unless using it has not been consented to.
  • Organizations must tread carefully, aligning their data collection practices with the principles of fairness, transparency, and accountability.
  • The Bill bolsters the right to withdraw consent, empowering individuals to retract their agreement at any juncture.

The Digital Personal Data Protection Bill, 2023, has set in motion a transformation in India's data privacy landscape. Among the pivotal alterations introduced is the concept of "deemed consent" and the reinforced right to withdraw consent. This paradigm shift carries significant implications for organizations collecting employee data, sparking discussions about corporate practices and the viewpoint of employees.

Exploring Deemed Consent, now referred to as ‘Certain Legitimate Uses’ under the DPDP Bill

The Digital Personal Data Protection Bill (2022) introduced a novel concept termed "deemed consent," In essence, this provision suggested that under specific circumstances, an individual's silence or inaction can be considered as a form of consent.

Section 7 of the Digital Personal Data Protection Bill (2023) has made a paradigm shift from the deemed consent process and narrowed it down to ‘Certain legitimate uses’ which includes the use of personal data for the specified purpose, for the State and any of its instrumentalities and for any of the legitimate uses as specified under section 17. 

As per section 7 of the DPDP, companies or data fiduciaries may be in a position to process the personal data of data principals for the specified purpose for which the Data Principal has voluntarily provided his/her personal data to the Data Fiduciary, unless he/she has specifically not consented to the use of such personal data. E.g., If we understand the provision in the above context, and we take the example of new employment, then all details shared by an employee and all data collected and processed in relation to his/her immediate employment may be covered by legitimate use, as the data is processed for the specified purpose for which the Data Principal has voluntarily provided his/her personal data to the Data Fiduciary. Unless the company intends to process the data for any other purpose other than in relation to the Data Principal’s employment, consent from the Data Principal shall not be required to process the data.

The concept of ‘Certain legitimate use’ is still relatively new and untested, and it will be interesting to see how it is interpreted and applied by organizations in practice. Some organizations may take a cautious approach and only rely on the legitimate use of personal data in very limited circumstances, while others may be more willing to use it more broadly. It is also possible that the courts will have to rule on the meaning of ‘Certain legitimate use’ in specific cases, which could further clarify its scope and application for organizations. 

Exceptions to consent under Section 17 of the Bill

There are certain exceptions, where consent may not be sought for data-processing, including but not limited to: investigation of offences, processing for scheme of compromise or merger or amalgamation, detecting financial frauds etc. 

Corporate ramifications

For entities routinely engaged in the collection and processing of employee data, the concept of ‘certain legitimate use’ ushers in both prospects and challenges. On one hand, the streamlining of consent processes may alleviate administrative burdens and heighten efficiency. Yet, it is imperative for organizations to tread carefully, aligning their data collection practices with the principles of fairness, transparency, and accountability enshrined in the bill.

Moreover, the Digital Personal Data Protection Bill bolsters the right to withdraw consent, empowering individuals to retract their agreement at any juncture. Organizations are now mandated to institute mechanisms that facilitate this withdrawal process, enabling employees to retain full control over their personal data. Failing to comply with this provision could result in legal consequences, emphasizing the need for organizations to establish robust consent management systems.

India Insights

Welcome to "Gateway to data privacy and protection," a cutting-edge podcast series that delves deep into the realm of data privacy and protection.

Know more

Employee perspective
 

From the vantage point of employees, the inception of  ‘legitimate use’ and the fortified right to withdraw consent signifies monumental strides in safeguarding personal data. Employees can now rest assured that their personal information won't be utilized without their explicit authorization, except for any purpose other than their employment; and they possess the prerogative to easily rescind/alter consent if they so desire. This newfound control emboldens employees to make informed choices regarding the sharing of their data, fostering a climate of trust between employers and their workforce.
 

However, employees may encounter challenges in grasping the intricacies of data protection statutes and comprehending how their data is utilized within the corporate arena. Organizations must invest in lucid communication, comprehensive data privacy training, and accessible resources to ensure employees are well-informed about their rights and options concerning their data, especially the concept of ‘legitimate use’ should be clearly explained in the context of their data.
 

Implication of consent taken under the context of  ‘legitimate use’ :
 

  • Consent may not be freely given, specific, informed, and unambiguous.
  • Such consent might lack the transparency necessary to inform individuals about how their data will be used.
  • Organizations using such consent need to be able to prove that it was for ‘certain legitimate use’ as per the DPDP Bill.
  • With consent for legitimate use as per the Bill, individuals might not be aware that they've consented in the first place, making it difficult for them to exercise the right of withdrawing consent.
  • Such consent might not be adequate for Sensitive Personal Data, Children’s Data and may attract regulatory scrutiny / legal action if non-complied as per the Bill.
  • Organisations may face reputational damage if such consent is questioned; it may be construed that organisation has not taken the privacy of data principals seriously.

In conclusion

As the Digital Personal Data Protection Bill advances through the legislative process, organizations and employees must actively engage with its nuances to ensure seamless integration of these novel principles into the corporate and personal data landscape. The concept of consent for ‘legitimate use’ and strengthened consent withdrawal rights not only offer opportunities for streamlined procedures and enhanced transparency but also mandate a profound commitment to upholding data protection standards. From an employee standpoint, these provisions empower individuals with greater autonomy over their personal information, highlighting the urgency for organizations to foster an environment of trust and transparent dialogue.

The article was first published on The Economic Times

Summary

The Digital Personal Data Protection Bill 2023 marks a pivotal point in India’s data privacy journey. Understanding the finer nuances of the novel concepts enshrined in the Bill and implementing adequate mechanisms for compliance will help companies make strides toward setting exemplary data privacy standards. 

About this article

Authors

Related topics
Cybersecurity
Forensics
Technology
Workforce

How EY can help

Related articles

How responsible adoption of Generative AI can transform legal functions

EY highlights how Generative AI can revolutionize legal functions, but the ethical and regulatory risks must be evaluated before implementation.

Arpinder Singh

Why there is a need for more data privacy and protection in healthcare

Understand why more data privacy & protection is needed in healthcare with EY's podcast. Prioritize patient data security. Tune in now!

17m 56s

    EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.