Digital Personal Data Protection Bill (DPDPB): Chapter 2 – Consent

7. Consent
(1) Consent of the Data Principal means any freely given, specific, informed and unambiguous indication of the Data Principal’s wishes by which the Data Principal, by a clear affirmative action, signifies agreement to the processing of her personal data for the specified purpose.

For the purpose of this sub-section, “specified purpose” means the purpose mentioned in the notice given by the Data Fiduciary to the Data Principal in accordance with the provisions of this Act.
(2) Any part of consent referred in sub-section (1) which constitutes an infringement of provisions of this Act shall be invalid to the extent of such infringement.

Section 7 deals with the concept of consent, which is an essential aspect of data protection. Let’s break down the section into its different components:

  1. Consent of the Data Principal means any freely given, specific, informed and unambiguous indication of the Data Principal’s wishes by which the Data Principal, by a clear affirmative action, signifies agreement to the processing of her personal data for the specified purpose.

This subsection sets out the requirements for valid consent. Consent must be freely given, which means that the Data Principal must have a real choice and not be coerced into giving consent. Consent must also be specific, meaning that it must relate to a particular processing activity. It must be informed, which means that the Data Principal must have been given adequate information about the processing activity, and unambiguous, which means that the Data Principal’s intention to give consent must be clear. Finally, consent must be given by a clear affirmative action, which could be ticking a box, clicking a button or signing a document.

For example, if a Data Fiduciary wants to process a Data Principal’s personal data for marketing purposes, they would need to obtain the Data Principal’s explicit consent. This means that the Data Principal must be informed about what personal data is being processed, how it will be used, and the duration of the processing, and they must have freely given their consent by taking an affirmative action such as clicking a button.

  2. Any part of consent referred in sub-section (1) which constitutes an infringement of provisions of this Act shall be invalid to the extent of such infringement.

This subsection provides that if any part of the consent obtained infringes the provisions of the Act, that part of the consent will be invalid to the extent of the infringement. In other words, if the Data Fiduciary processes personal data for a purpose that is not specified in the notice or if they process the data in a way that is not authorized by the Data Principal, that part of the consent will be invalid.

For example, if a Data Fiduciary obtains the consent of a Data Principal to process their personal data for a specific purpose and then processes that data for a different purpose, this would be an infringement of the Act. In such a case, the part of the consent relating to the unauthorized processing would be invalid.

Counterpoints to this section might include concerns that it could be difficult to determine whether consent was freely given and that Data Principals may not fully understand the information they are given about the processing of their personal data. Additionally, some may argue that the requirement for explicit consent may be burdensome for businesses and could hinder innovation. However, the purpose of this section is to ensure that Data Principals have control over their personal data and that their rights are protected, which is a crucial aspect of data protection.

(3) Every request for consent under the provisions of this Act shall be presented to the Data Principal in a clear and plain language, along with the contact details of a Data Protection Officer, where applicable, or of any other person authorised by the Data Fiduciary to respond to any communication from the Data Principal for the purpose of exercise of her rights under the provisions of this Act. The Data Fiduciary shall give to the Data Principal the option to access such request for consent in English or any language specified in the Eighth Schedule to the Constitution of India.

Sub-section (3) pertains to the request for consent from a data principal. The data fiduciary must present this request in clear and simple language to the data principal, along with contact details for a data protection officer (if applicable) or an authorized person who can help the data principal exercise their rights under the act. Additionally, the data fiduciary must provide the option to access the request in either English or any language specified in the Eighth Schedule to the Constitution of India.

This provision is intended to protect the data principal’s right to understand and provide informed consent. By requiring that the request be presented in a clear and plain language, the data principal can understand what they are consenting to. Additionally, by providing contact details for a data protection officer or authorized person, the data principal has a resource they can turn to if they have questions or concerns.

(4) Where consent given by the Data Principal is the basis of processing of personal data, the Data Principal shall have the right to withdraw her consent at any time. The consequences of such withdrawal shall be borne by such Data Principal. The withdrawal of consent shall not affect the lawfulness of processing of the personal data based on consent before its withdrawal. The ease of such withdrawal shall be comparable to the ease with which consent may be given.

Sub-section (4) addresses the data principal’s right to withdraw their consent at any time. If the data fiduciary is processing personal data based on the data principal’s consent, then the data principal has the right to withdraw that consent at any time. However, the data principal must bear the consequences of such withdrawal. Additionally, any processing of personal data that occurred prior to the withdrawal of consent will still be considered lawful.

This provision is intended to give the data principal control over their personal data. By allowing them to withdraw their consent at any time, they can prevent further use of their personal data if they change their mind or if they believe that the data fiduciary is not using their data appropriately. However, it is important to note that the data principal must bear the consequences of such withdrawal. For example, if they withdraw their consent for a service that they rely on, they may no longer be able to use that service.

  • What exactly constitutes “clear and plain language” for the purposes of presenting requests for consent to data principals? Are there any specific guidelines or standards that data fiduciaries should follow to ensure they are meeting this requirement?
  • Can you provide more detail on what the consequences are for a data principal who withdraws their consent under this law? Are there any specific scenarios where withdrawing consent might have a more significant impact than in others?
  • How quickly must a data fiduciary stop processing personal data once a data principal has withdrawn their consent? Is there any grace period allowed, or must processing stop immediately upon notification of withdrawal?
  • What is the process for data principals to access consent requests in languages other than English? Are there any requirements for data fiduciaries to provide translations, or must data principals arrange for their own translations if they prefer to access requests in a different language?
  • Are there any specific situations where the right to withdraw consent does not apply under this law? For example, is it possible that certain types of processing might be exempt from the withdrawal requirement, or is the right absolute in all cases?

(5) If a Data Principal withdraws her consent to the processing of personal data under sub-section (4), the Data Fiduciary shall, within a reasonable time, cease and cause its Data Processors to cease processing of the personal data of such Data Principal unless such processing without the Data Principal’s consent is required or authorised under the provisions of this Act or any other law.

This provision of the Digital Personal Data Protection Bill outlines the requirement for data fiduciaries to cease processing the personal data of a data principal if they withdraw their consent to that processing. Here are some points and counterpoints to help explain the provision in more detail:

If a data principal withdraws their consent to the processing of their personal data, the data fiduciary must stop processing that data within a reasonable amount of time. The data fiduciary must also ensure that any data processors they have engaged to help process the data also stop processing it. However, there may be situations where processing without the data principal’s consent is required or authorized under this law or other laws. In those cases, the data fiduciary may be able to continue processing the data even if consent has been withdrawn.

It is not entirely clear what constitutes a “reasonable time” for the data fiduciary to cease processing the data. Depending on the circumstances, what is reasonable in one situation may not be in another. The provision does not specify what happens to the personal data that has already been processed before the data principal withdrew their consent. It is unclear whether that data must also be deleted or whether it can be retained and used for other purposes. The provision also does not specify what happens if the data fiduciary or data processors fail to stop processing the data within the required timeframe. It is unclear what penalties or enforcement mechanisms exist to ensure compliance with this requirement.

(6) The Data Principal may give, manage, review or withdraw her consent to the Data Fiduciary through a Consent Manager.

(7) The Consent Manager specified in this section shall be an entity that is accountable to the Data Principal and acts on behalf of the Data Principal. Every Consent Manager shall be registered with the Board in such manner and subject to such technical, operational, financial and other conditions as may be prescribed.

(8) The performance of any contract already concluded between a Data Fiduciary and a Data Principal shall not be made conditional on the consent to the processing of any personal data not necessary for that purpose.

The Consent Manager is an entity that acts on behalf of the data principal and is accountable to them. To operate as a Consent Manager, an entity must register with the Board and comply with prescribed technical, operational, financial, and other conditions. The use of a Consent Manager allows data principals to more easily manage their consent across multiple data fiduciaries. The provision ensures that data fiduciaries cannot make the performance of a contract conditional on the data principal’s consent to the processing of unnecessary personal data.

It is not clear what technical, operational, financial, and other conditions will be required for entities to register as Consent Managers. Depending on the specifics, these conditions could create barriers to entry for some entities or limit the functionality of the Consent Manager. It is also not clear how the Board will enforce the registration and compliance requirements for Consent Managers, or what penalties may be imposed for non-compliance. While the use of a Consent Manager can help data principals manage their consent more easily, it may also add an additional layer of complexity to the consent process, which could be confusing for some users.

(9) Where consent given by the Data Principal is the basis of processing of personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall be obliged to prove that a notice was given by the Data Fiduciary to the Data Principal and consent was given by the Data Principal to the Data Fiduciary in accordance with the provisions of this Act.

This provision ensures that data fiduciaries cannot rely on consent without having to prove that they obtained it lawfully. The obligation to prove consent helps ensure that data fiduciaries are taking the necessary steps to obtain and document consent in accordance with the provisions of the Act. By placing the burden of proof on data fiduciaries, this provision can help prevent the abuse of personal data by data fiduciaries who may not have obtained consent in accordance with the Act.

It is not clear what constitutes sufficient proof of consent. Depending on the specifics, this could create additional burdens for data fiduciaries and add complexity to legal proceedings. It may be difficult for data fiduciaries to prove consent in cases where the data principal disputes having given consent, particularly if there are no clear records of the consent having been obtained. There may be cases where data fiduciaries obtained consent in accordance with the Act, but the consent was obtained through misleading or coercive means. In such cases, the burden of proof may not provide sufficient protection for data principals.
