By Anubhav Das [1]

 

 

INTRODUCTION

In the aftermath of the Supreme Court of India’s decision in Justice K. S. Puttaswamy v. Union of India (2017), which held that the right to privacy is a fundamental right, India recently unveiled the much-awaited draft of its data protection law, ‘The Digital Personal Data Protection Bill, 2022’[2] (“DPDPB 2022”). This is the fourth iteration of the draft law (once in 2018, then in 2019, then in 2021, and now in 2022), and it is currently under public consultation. The DPDPB 2022 contains many important ingredients of a (good?) data protection law, such as (i) the grounds for processing personal data, (ii) the rights of individuals with respect to their personal data, (iii) the establishment of a data protection board to oversee compliance with the law, and (iv) penalties/fines for violation of or non-compliance with the law.[3]

Against this background, one consistent feature of the Indian government’s approach towards data protection law is its reliance on ‘consent’ as the only practical ground for processing personal data. While the DPDPB 2022 does provide other grounds for processing personal data, categorised as ‘deemed consent’ (Section 8), they are limited to public interest grounds or employment purposes.[4] On the other hand, the counterpart of the DPDPB 2022, the European General Data Protection Regulation (“GDPR”)[5], identifies other grounds (Article 6) for processing personal data, such as performance of a contract, legitimate interest, etc.

A key question arising from the discussion above is: what exactly is consent in the context of processing personal data? Is it clicking the ‘I agree’ checkbox while installing an application or accessing a website? Generally, that ‘I agree’ checkbox is accompanied by a line stating that “by clicking on ‘I agree,’ you also agree to the terms and conditions and the privacy policy.” Won’t this then be regarded as processing personal data under a contract, which is not recognised as a ground for processing personal data under the DPDPB 2022? This article attempts to answer these questions in the context of the DPDPB 2022.

CONSENT: TAKEN OR NOT?

The DPDPB 2022 contemplates consent under Section 7 by stating that it must be ‘freely given, specific, informed, and unambiguous’ and that it must be obtained with a clear affirmative action for a specific purpose.[6] The requirement of clear affirmative action means that organisations cannot use pre-ticked ‘I agree’ boxes to get an individual’s consent. Further, to comply with the specific purpose requirement, organisations must provide individuals with a written digital notice, in an itemised format and in plain language, containing a description of the personal data sought to be collected along with the purpose of processing such personal data.[7] In addition, organisations are also required to inform individuals of the contact details of the data protection officer (if applicable) or the grievance redressal officer.[8]

While the above approach can be complied with by small companies/organisations that undertake processing for limited and specified purposes, the problem is that it does not contemplate those companies/organisations that process personal data for many and varied purposes. For example, a social media company may process personal data for (i) targeted advertisement, (ii) improving its services, (iii) enabling communication for its users, (iv) enabling the ease of logging in, and (v) various other purposes. Effectively, such companies (e.g., social media companies) will be required to display a long notice detailing every purpose for which they are processing personal data and will be required to seek individual consent.[9] Now, it is unclear whether such consent can be obtained from individuals for all such purposes (as a whole) at once or whether organisations will be required to seek consent for each of these purposes separately. If such consent can be obtained for all such purposes (as a whole) at once, then that would mean that individuals, by clicking on ‘I agree’, are basically agreeing to the privacy policy and/or the terms and conditions of the website or application. This may raise the question of whether the consent so obtained from individuals is actually consent or whether such personal data is being processed under a contract. Going with this approach, if it is regarded as processing under a contract, then the entire processing of personal data by such companies will be deemed unlawful under the DPDPB 2022.

Consequently, consent as a ground for processing personal data can only be complied with if individuals agree and consent to each of the purposes for which personal data is processed by the organisation, e.g., by clicking on each of the checkboxes corresponding to the specific purposes.[10] Such complexity in onboarding could, of course, dissuade individuals from ever taking the services or accessing the websites/applications of the organisations, thereby hampering business.

Another consequence of establishing a purely consent-based regime (other than its practical ambiguity) is that it will end data scraping as a form of business.[11] Data scraping is an operation wherein data is not extracted from the source (that is, from the individual).[12] Instead, it is generally extracted from websites where the data is displayed or is in open access. The extracted data may contain personal data, and in such circumstances, consent cannot be obtained by organisations. The DPDPB 2022 neither foresees such a situation nor provides any guidance on obtaining consent on an ex-post facto basis.

PERFORMANCE OF A CONTRACT AS A GROUND FOR PROCESSING PERSONAL DATA

On the one hand, from a business perspective, recognising performance of a contract as a ground for processing personal data will provide an easy solution to the problems (as mentioned above) faced in a purely consent-based regime. Under a contract-based regime, individuals will have to click the ‘I agree’ checkbox, which will bind them to the terms and conditions and privacy policy of the website or the application. On the other hand, due to the usually lengthy and complex language used in the terms and conditions and privacy policy of a website/application, individuals may agree to processing purposes that may be detrimental to their privacy. Therefore, a balance needs to be struck between a contract-based regime and a consent-based regime.

A balanced approach in this regard would be to specify, for different types of businesses, when personal data may be processed under a contract and when under consent. For example, small to mid-sized businesses with less processing complexity may process personal data under consent. However, large businesses that undertake complex processing activity may rely on contract as a ground for processing personal data. This should be subject to the sensitivity of the personal data processed by such organisations, e.g., financial data must be processed via consent only.

CONCLUSION

While the DPDPB 2022 is a much-required step towards establishing a comprehensive data protection legal framework, it does contain a few structural inefficacies. Given that it is still in draft form, one can hope to get some respite concerning the grounds of processing with the inclusion of additional grounds, such as contractual processing. If granting additional grounds is an inconvenient approach, then the Indian government must issue clarificatory notes and/or a compliance guide for the ease of business as well as for the protection of individual privacy.

 

 

 

 

[1] Anubhav Das is an Associate at Saraf and Partners in Delhi (NCR), focusing on IP and Technology Law. He regularly advises businesses on legal issues with respect to data privacy and intellectual property.

[2] The Digital Personal Data Protection Bill, 2022 (India).

[3] Id.

[4] The Digital Personal Data Protection Bill, 2022, Section 8 (India).

[5] European General Data Protection Regulation, 2016 (Europe).

[6] The Digital Personal Data Protection Bill, 2022, Section 7 (India).

[7] The Digital Personal Data Protection Bill, 2022, Section 6 (India).

[8] The Digital Personal Data Protection Bill, 2022, Section 9(7) (India).

[9] The Digital Personal Data Protection Bill, 2022, Section 7 (India).

[10] Id.

[11] Fiona Campbell, Data Scraping – Considering the Privacy Issues, Fieldfisher (Jan. 04, 2023, 12:46 PM), https://www.fieldfisher.com/en/services/privacy-security-and-information/privacy-security-and-information-law-blog/data-scraping-considering-the-privacy-issues.

[12] Id.

 
