India ready for privacy laws.

India’s long wait for personal data protection laws finally came to an end with the publishing of the much-awaited draft of “Digital Personal Data Protection Bill, 2022” (“2022 Bill”) on November 18, 2022 by the Ministry of Electronics and Information Technology for public consultation.
23 Mar 23 | India
Dua Associates
Anish Ghoshal

Right to privacy can be traced back to the year 2012 with the judgment of the Hon’ble Supreme Court of India in the case of Justice K.S. Puttuswamy (Retd.) and Anr. v. Union of India and Ors.[1]. In this case, it was remarked that the right to privacy was a fundamental right all people enjoyed and was integral to a person’s right to life and personal liberty. The Hon’ble Supreme Court held the opinion that an individual had the right to control their life with respect to their own personal data.

The 2022 Bill is a much simpler and more refined legislation than its previous iteration. The 2022 Bill replaces the Data Protection Bill, 2019.

Let’s take a look at how consent is dealt with under the 2022 Bill.

The 2022 Bill applies to the processing of digital personal data in India wherein such data is either collected (a) online or (b) offline but is then digitised. The Bill defines personal data as “any data about an individual who is identifiable by or in relation to such data”. The individual to whom such data relates is termed a data principal (“Data Principal”). In the event the Data Principal is a child less than eighteen years of age, the Data Principal includes parents or lawful guardians of such a child. At this juncture, one should note that processing of personal data herein refers to an automated operation or a set of automated operations performed on digital personal data as defined in the Bill.

A data fiduciary is a person (natural or entity) who either singularly or with another person determines the purpose and means of processing personal data (“Data Fiduciary”).

In the 2022 Bill, the grant of consent by a Data Principal is a vital prerequisite for the collection of personal data. In the 2022 Bill “consent” of a Data Principal is defined as “any freely given, specific, informed and unambiguous indication of the Data Principal’s wishes by which the Data Principal, by a clear affirmative action, signifies agreement to the processing of her personal data for a specified purpose”. This consent-based mechanism for the collection of personal data in the 2022 Bill demonstrates the right of privacy of a Data Principal in exercising control over their personal data.

The 2022 Bill provides that the personal data of a Data Principal can only be processed for a lawful purpose for which the Data Principal has given express or deemed consent. Data Fiduciaries are required to obtain verifiable consent from a Data Principal before processing the personal data of the Data Principal. The consent shall be (i) freely given; (ii) specific; and (iii) demonstrate a clear and unambiguous indication of the Data Principal’s willingness and affirmative action to allow the processing of personal data.

The Data Fiduciary shall obtain consent by supplying an itemized notice which presents in clear and plain language a description of the personal data sought to be obtained and the purpose for processing such data.

The 2022 Bill also deals with the concept of “deemed consent” to cover situations where consent is essential for grounds such as performing any function under law, medical emergencies, or cases where data processing is necessary for a specific public interest purpose. Deemed consent may also be applicable in cases where a Data Principal is reasonably expected to provide personal data, for example, for employment-related purposes, or provision of benefits or services by the State, etc. Hence, deemed consent primarily encompasses situations where the collection of data from the Data Principal has a direct correlation with the purpose for its processing by the Data Fiduciary.

Lastly, in the event the Data Fiduciary is a child less than eighteen years of age, verifiable parental consent shall be taken by the Data Fiduciary before processing any personal data.

The 2022 Bill sets the tone that the Data Principal can withdraw consent at any point in time. Once consent is withdrawn by a Data Principal, the Data Fiduciary shall cause data processors i.e., person(s) who processes data on behalf of the Data Fiduciary to cease processing of the data within a reasonable period of time. The consequences of such withdrawal shall be borne by such Data Principal. The Data Fiduciary must ensure that the ease of such withdrawal shall be comparable to the ease with which consent may be given.

The Bill was open for consultation until December 17, 2022 and comments were to be submitted on website

Justice K.S. Puttuswamy (Retd.) and Anr. v. Union of India and Ors., Writ Petition (Civil) No. 494 of 2012.