By Anubhav Das 
In the aftermath of Justice K. S. Puttaswamy v. Union Of India decision (2017) by the Supreme Court of India – that held that the right to privacy is a fundamental right – India recently unveiled the much-awaited draft of the data protection law called ‘The Digital Personal Data Protection Bill, 2022’ (“DPDPB 2022”). This is the fourth iteration (once in 2018, then in 2019, then in 2021, and now in 2022) of the draft law, and it is currently under public consultation. The DPDPB 2022 contains many important ingredients of a (good?) data protection law, such as (i) the grounds for processing personal data, (ii) the rights of individuals with respect to their personal data, (iii) the establishment of a data protection board to oversee compliance with the law, and (iv) penalties/fines for violation or non-compliance with the law.
Given the above, an aspect that has been consistent with the Indian government’s approach towards data protection law is the reliance on ‘consent’ as the only practical ground for processing personal data. While there are other grounds under the DPDPB 2022 for processing personal data that are categorised as ‘deemed consent’ (Section 8), however, they are limited to public interest grounds or for employment purposes. On the other hand, the counterpart of DPDPB 2022 – the European General Data Protection Regulation (“GDPR”) – has identified other grounds (Article 6) for processing personal data, such as performance of a contract, legitimate interest, etc.
CONSENT: TAKEN OR NOT?
The DPDPB 2022 contemplates consent under Section 7 by stating that it must be ‘freely given, specific, informed, and unambiguous’ and it must be obtained with a clear affirmative action for a specific purpose. With respect to clear affirmative action, it means that organisations cannot use pre-ticked boxes for ‘I agree’ (to get an individual’s consent). Further, to comply with the specific purpose requirement, organisations must provide written digital notice to the individuals in itemised format in plain language containing the description of personal data sought to be collected along with the purpose of processing such personal data. In addition, organisations are also required to inform the individuals about the contact details of the data protection officer (if applicable) or the grievance redressal officer.
Consequently, consent as a ground for processing personal data can only be complied with if individuals agree and consent to each of the purposes for which personal data is processed by such organisation, e.g., by clicking on each of the checkboxes corresponding to the specific purposes. This could of course, dissuade individuals due to such complexity in onboarding from ever taking the services or accessing the websites/application of the organisations, thereby hampering business.
Another consequence of establishing a purely consent-based regime (other than its practical ambiguity) is that it will end data scrapping as a form of business. Data scrapping is an operation wherein data is not extracted from the source (that is from the individual). Instead, it is generally extracted from websites where data is displayed or is in open access. The extracted data may contain personal data, and in such circumstances, consent cannot be obtained by organisations. The DPDPB 2022 neither foresees such a situation nor provides any guidance on obtaining consent on an ex-post facto basis.
PERFORMANCE OF A CONTRACT AS A GROUND FOR PROCESSING PERSONAL DATA
A balanced approach in this regard will be to detail and outline the applicability of processing personal data under a contract and consent for different types of businesses. For example, small to mid-sized businesses with less processing complexity may process personal data under consent. However, large-sized businesses that undertake complex processing activity may rely on contract as a ground for processing personal data. This should be subject to the sensitivity of the personal data processed by such organisations, e.g., financial data must be processed via consent only.
While the DPDPB 2022 is a much-required step towards establishing a comprehensive data protection legal framework, however, it does contain a few structural inefficacies. Given that it is still in the draft form, one can hope to get some respite concerning the grounds of processing with the inclusion of additional grounds, such as contractual processing. If granting additional grounds is an inconvenient approach, then the Indian government must issue clarificatory notes and/or a compliance guide for the ease of business as well as for the protection of individual privacy.
 Anubhav Das is an Associate at Saraf and Partners in Delhi (NCR), focusing on IP and Technology Law. He regularly advises businesses on legal issues with respect to data privacy and intellectual property. LinkedIn.
 The Digital Personal Data Protection Bill, 2022 (India).
 The Digital Personal Data Protection Bill, 2022, Section 8 (India).
 European General Data Protection Regulation, 2016 (Europe).
 The Digital Personal Data Protection Bill, 2022, Section 7 (India).
 The Digital Personal Data Protection Bill, 2022, Section 6 (India).
 The Digital Personal Data Protection Bill, 2022, Section 9(7) (India).
 The Digital Personal Data Protection Bill, 2022, Section 7, (India).
 Fiona Campbell, Data Scrapping – Considering the Privacy Issues, Fieldfisher (Jan. 04, 2023, 12:46 PM), https://www.fieldfisher.com/en/services/privacy-security-and-information/privacy-security-and-information-law-blog/data-scraping-considering-the-privacy-issues.
Image Source: https://unsplash.com/photos/JFk0dVyvdvw