5. Grounds for processing digital personal data
A person may process the personal data of a Data Principal only in
accordance with the provisions of this Act and Rules made thereunder, for a
lawful purpose for which the Data Principal has given or is deemed to have
given her consent in accordance with the provisions of this Act.
For the purpose of this Act, “lawful purpose” means any purpose which is not
expressly forbidden by law.
A person can only process the personal data of a Data Principal (an individual whose data is being processed) if it is in accordance with this Act and any Rules made under it. The processing must be for a lawful purpose, for which the Data Principal has given or is deemed to have given consent in accordance with the provisions of this Act. This means that the Data Principal must have given explicit and informed consent for their data to be processed, or there must be a legal basis for the processing. “Lawful purpose” refers to any purpose that is not explicitly forbidden by law. This means that if the processing of personal data is explicitly prohibited by law, it cannot be done.
This section emphasizes the importance of obtaining informed consent before processing personal data, which can help protect individuals’ privacy. The requirement that the processing must be for a lawful purpose ensures that personal data is not misused or abused for illegal activities. The definition of “lawful purpose” provides some flexibility for organizations to process personal data for legitimate purposes, as long as they are not explicitly prohibited by law.
Obtaining informed consent from Data Principals can be difficult, particularly in cases where the processing of personal data is complex or technical. There may be instances where organizations could argue that their use of personal data is for a “lawful purpose” even if it may not be in the best interest of the Data Principal. The definition of “lawful purpose” may not provide sufficient guidance for organizations on what types of processing are allowed, which could lead to confusion and potential misuse of personal data.
6. Notice
(1) On or before requesting a Data Principal for her consent, a Data
Fiduciary shall give to the Data Principal an itemised notice in clear and plain
language containing a description of personal data sought to be collected by
the Data Fiduciary and the purpose of processing of such personal data.
(2) Where a Data Principal has given her consent to the processing of her
personal data before the commencement of this Act, the Data Fiduciary must
give to the Data Principal an itemised notice in clear and plain language
containing a description of personal data of the Data Principal collected by the
Data Fiduciary and the purpose for which such personal data has been
processed, as soon as it is reasonably practicable.
For the purpose of this section: –
(a) “notice” can be a separate document, or an electronic form, or a part of
the same document in or through which personal data is sought to be
collected, or in such other form as may be prescribed.
(b) “itemised” means presented as a list of individual items.
Before requesting consent to collect personal data, a Data Fiduciary must provide an itemized notice in clear and plain language to the Data Principal. This notice must describe the personal data that will be collected and the purpose of processing that data. If the Data Principal has already given consent before the Act came into force, the Data Fiduciary must provide an itemized notice as soon as it is reasonably practicable. The notice can be provided as a separate document, an electronic form, or as part of the same document in which personal data is being collected, or in any other form that may be prescribed. The term “itemized” means that the notice must be presented as a list of individual items.
Some people may argue that the requirement to provide an itemized notice could be burdensome and time-consuming for Data Fiduciaries, especially if they are collecting a large amount of personal data from multiple individuals. Others may argue that the notice requirements should be more specific about what constitutes “clear and plain language.” Some people may have difficulty understanding complex legal language, and it may be important to ensure that the notice is written in a way that is accessible to a wide range of individuals. There may also be questions about whether the notice requirements will be effective in practice. For example, even if a Data Fiduciary provides a clear and detailed notice, a Data Principal may still not fully understand how their personal data will be used or may not have the time or resources to read the notice carefully.
Illustration: ‘A’ contacts a bank to open a regular savings account. The bank asks ‘A’ to furnish photocopies of proof of address and identity for KYC formalities. Before collecting the photocopies, the bank should give notice to ‘A’ stating that the purpose of obtaining the photocopies is completion of KYC formalities. The notice need not be a separate document. It can be printed on the form used for opening the savings bank account.
(3) The Data Fiduciary shall give the Data Principal the option to access the information referred to in sub-sections (1) and (2) in English or any
language specified in the Eighth Schedule to the Constitution of India.
This section of the Digital Personal Data Protection Bill deals with the requirement for a Data Fiduciary to provide notice to a Data Principal before collecting their personal data, and the option for the Data Principal to access this information in a language of their choice.
The first subsection (1) states that before requesting consent from a Data Principal, the Data Fiduciary must provide a clear and itemized notice in plain language that explains the personal data that is being collected and the purpose for which it will be processed.
The second subsection (2) explains that if a Data Principal has already given their consent before the Act came into force, the Data Fiduciary must still provide a notice as soon as reasonably practicable that explains the personal data collected and the purpose for which it is being processed.
In both cases, the notice can be provided in various forms, such as a separate document, an electronic form, or as part of the same document in which personal data is being collected.
The third subsection (3) requires that the Data Fiduciary must provide the Data Principal with the option to access the information contained in the notice in English or any language specified in the Eighth Schedule to the Constitution of India.