
Digital Personal Data Protection Bill (DPDPB): Chapter 2 – Deemed Consent

1. Deemed consent

A Data Principal is deemed to have given consent to the processing of her personal data if such processing is necessary:

(1) in a situation where the Data Principal voluntarily provides her personal data to the Data Fiduciary and it is reasonably expected that she would provide such personal data;

Points:

Deemed consent can be useful in situations where obtaining explicit consent is impractical or impossible, such as when a data principal voluntarily provides personal data to a data fiduciary. This provision ensures that data fiduciaries can process personal data in certain circumstances without having to obtain explicit consent, which can save time and resources. By providing clarity around when deemed consent applies, this provision can help prevent confusion and disputes between data principals and data fiduciaries. For example,

  1. When a user provides their name and contact information while signing up for a service, it can be reasonably expected that the data will be processed for the purpose of providing that service.
  2. When a customer provides their shipping address to an e-commerce website, it can be reasonably expected that the data will be processed for the purpose of delivering the product.
  3. When a patient provides their medical history to a healthcare provider, it can be reasonably expected that the data will be processed for the purpose of providing medical care.

In all of these situations, the data principal voluntarily provides personal data to the data fiduciary and it is reasonable to assume that they expect their data to be processed for the specified purpose. In such cases, obtaining explicit consent may not be necessary, and deemed consent may be appropriate.

There is a risk that deemed consent may be interpreted too broadly, which could result in data fiduciaries processing personal data without adequate protections for data principals. Data principals may not understand the implications of providing personal data in certain circumstances, and may not realize that they are giving consent. The use of deemed consent may create a perception that data fiduciaries are taking advantage of data principals by using personal data without their explicit consent.

(2) for the performance of any function under any law, or the provision of any service or benefit to the Data Principal, or the issuance of any certificate, license, or permit for any action or activity of the Data Principal, by the State or any instrumentality of the State;

This provision allows for the processing of personal data without the explicit consent of the data principal in certain situations where it is necessary to provide a service or benefit or for the performance of a function under any law. The use of personal data in these situations may be necessary to comply with legal obligations or to provide essential services to the data principal. This provision also allows for the issuance of certificates, licenses, or permits to the data principal without their explicit consent, which may be necessary for them to carry out certain actions or activities.

The language in this section is quite broad, which may raise concerns about the scope of the provision and how it will be interpreted and implemented. It is important to ensure that the processing of personal data without consent is only done in situations where it is truly necessary, and that there are adequate safeguards in place to protect the privacy and security of the data. There may be concerns about the potential for misuse of personal data in these situations, particularly if it is used for purposes beyond what is necessary or expected.

(3) for compliance with any judgment or order issued under any law;

(4) for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual;

(5) for taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health;

Subsection (3) mentions that processing of personal data can be done without consent for compliance with any judgment or order issued under any law. This means that if a court of law or any other legal authority orders the processing of personal data of a data principal, it can be processed without their consent.

Subsection (4) allows the processing of personal data without consent in case of a medical emergency involving a threat to the life or immediate threat to the health of the data principal or any other individual. This means that if there is a medical emergency, and processing of personal data is necessary to provide medical assistance or to save a life, it can be done without the data principal’s consent.

Subsection (5) allows the processing of personal data without consent during an epidemic, outbreak of disease, or any other threat to public health. This means that if there is a health crisis or an epidemic, processing of personal data may be necessary to take measures to provide medical treatment or health services, and it can be done without the data principal’s consent.

While these provisions allow for the processing of personal data without consent in certain circumstances, it is important to note that such processing must be necessary and proportionate to the purpose for which it is being carried out. The government or any other authority cannot use these provisions to process personal data for purposes other than those mentioned in the Bill.

(6) for taking measures to ensure safety of, or provide assistance or services to any individual during any disaster, or any breakdown of public order;

Sub-section (6) allows the processing of personal data without the consent of the data principal in order to ensure safety or provide assistance or services during a disaster or a breakdown of public order. This means that if there is an emergency situation, such as a natural disaster or a terrorist attack, and personal data needs to be processed to ensure the safety of individuals or to provide assistance, the data fiduciary can do so without seeking explicit consent from the data principal.

While this provision allows for the processing of personal data in emergency situations, there is a risk that the data fiduciary may abuse this power and use it to process personal data for other purposes. This can be a concern, especially since there may be a lack of oversight during emergency situations.


(7) for the purposes related to employment, including prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information, recruitment, termination of employment, provision of any service or benefit sought by a Data Principal who is an employee, verification of attendance and assessment of performance;

Sub-section (7) allows for the processing of personal data without the consent of the data principal for the purposes related to employment, including prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information, recruitment, termination of employment, provision of any service or benefit sought by a Data Principal who is an employee, verification of attendance and assessment of performance. This means that if personal data needs to be processed for the purpose of maintaining confidentiality, preventing corporate espionage or to ensure the smooth functioning of the organization, the data fiduciary can do so without explicit consent from the data principal.

While this provision allows for the processing of personal data for the purpose of maintaining confidentiality and the smooth functioning of the organization, it can also be used to process personal data without the consent of the data principal, which can be a cause of concern. The data fiduciary must ensure that the processing of personal data is limited to the purposes specified in the sub-section and is not abused for other purposes. Additionally, employees should be made aware of the data that is being processed and how it is being used to ensure transparency and trust.

(8) in public interest, including for:
(a) prevention and detection of fraud;
(b) mergers, acquisitions, any other similar combinations or corporate restructuring transactions in accordance with the provisions of applicable laws;
(c) network and information security;
(d) credit scoring;
(e) operation of search engines for processing of publicly available personal data;
(f) processing of publicly available personal data; and
(g) recovery of debt;

Subsection (8) lists various situations where processing of personal data is allowed without explicit consent from the data principal, as long as it is necessary for a particular purpose. Let’s break down each of the purposes listed:

(a) Prevention and detection of fraud: This allows companies to use personal data to investigate and prevent fraudulent activities.

(b) Mergers, acquisitions, any other similar combinations or corporate restructuring transactions in accordance with the provisions of applicable laws: This allows companies to use personal data during mergers, acquisitions, or corporate restructuring transactions, as long as it is in accordance with applicable laws.

(c) Network and information security: This allows companies to use personal data to ensure the security and integrity of their network and information systems.

(d) Credit scoring: This allows companies to use personal data to assess a person’s creditworthiness.

(e) Operation of search engines for processing of publicly available personal data: This allows search engines to process publicly available personal data.

(f) Processing of publicly available personal data: This allows companies to use publicly available personal data for processing.

(g) Recovery of debt: This allows companies to use personal data to recover debts owed to them.

While some of the purposes listed in subsection (8) may be in the public interest, such as fraud prevention and network and information security, others may be more questionable. For example, credit scoring and debt recovery may be seen as serving the interests of financial institutions more than the public interest. Processing publicly available personal data may raise privacy concerns, especially if the data is used for purposes other than the original purpose of its publication.


(9) for any fair and reasonable purpose as may be prescribed after taking into consideration:
a. whether the legitimate interests of the Data Fiduciary in processing for that purpose outweigh any adverse effect on the rights of the Data Principal;
b. any public interest in processing for that purpose; and
c. the reasonable expectations of the Data Principal having regard to the context of the processing.

Subsection (9) allows for the processing of personal data for any fair and reasonable purpose as prescribed, but with a few conditions. The conditions are as follows:

(a) The legitimate interests of the Data Fiduciary in processing for that purpose outweigh any adverse effect on the rights of the Data Principal.

(b) Any public interest in processing for that purpose.

(c) The reasonable expectations of the Data Principal having regard to the context of the processing.

In other words, companies can process personal data for a fair and reasonable purpose as long as the interests of the data fiduciary outweigh any negative impact on the rights of the data principal, there is a public interest in processing the data, and the data principal could reasonably expect their data to be used for that purpose based on the context of the processing.

There is a risk that the language of “fair and reasonable purpose” in subsection (9) could be interpreted too broadly, allowing for data processing for purposes that are not truly in the public interest or do not outweigh the rights of the data principal. There may be a lack of clarity in how the factors listed in subsection (9) are weighed in practice, leading to inconsistent application of the law and potential abuses of data processing.

Megha Agrawal
