Navigating the Indian Data Protection Law: Examining user rights in the context of voluntary disclosure of personal data

By Ananya Moncourt

Editor’s note: This blog is a part of our ongoing Data Protection Blog Series, titled Navigating the Indian Data Protection Law. This series will be updated regularly, and will explore the practical implications and shortcomings of the Digital Personal Data Protection Act, 2023 (“DPDP Act”), and where appropriate, suggest suitable safeguards that can be implemented to further protect the rights of the data principals.

For a detailed analysis of the Indian data protection legislation, the comprehensive comments provided by the Centre for Communication Governance on the 2022 DPDP Bill and the 2018 DPDP Bill can be accessed here. For a detailed comparison between the provisions of the DPDP Act and the 2022 Bill, our comparative tracker can be accessed here. Moreover, we have also provided an in-depth analysis of individuals’ rights under the DPDP Act in the Data Protection 101 episode of our CCG Tech Podcast.

India’s Digital Personal Data Protection Act 2023 (“DPDPA”) uses the concept of “specified purpose” as a legal basis for collection of users’ personal data. One of the key principles that underpins data protection laws across the world is purpose specification. The principle requires that users or data principals are informed why their personal data is being collected, for what purpose(s) it will be processed, and how long it will be retained by the collecting entity, among other things. The DPDPA incorporates certain elements of this principle via the concept of “specified purpose”, which is defined squarely as the specific information that is provided to a data principal by a data fiduciary in the form of a notice. However, there are certain inconsistencies in the usage of the term “specified purpose” within the DPDPA that could have negative implications for the enforceability of individual rights. This blog will highlight and explain a key contradiction in the DPDPA regarding the understanding and application of the concept of “specified purpose”.

Legitimate Grounds for Processing Personal Data 

Section 4 of the DPDPA provides the legal grounds for processing of personal data in India. There are two clear conditions, and the law requires either one of these to be fulfilled for a data fiduciary to legally collect and process a user’s personal data. First, the law states that personal data can be processed when the data principal has given their consent. Second, personal data can be processed for any of the “certain legitimate uses” that the law articulates in Section 7. While the former clearly mandates user consent for personal data processing, Section 7 of the DPDPA carves out certain circumstances in which data fiduciaries may be exempted from requirements of the law’s consent mechanism (i.e., provision of notice to users). Some of the purposes for processing within Section 7 include those relating to public health, threat to life, and disaster management. However, the exemption of consent requirements also extends to other purposes such as employment, welfare provision, and collection of personal data by the government. These, together with other exemptions under Section 17 in the law, have raised concerns in the context of the fundamental right to privacy of Indian citizens. Over the next few months, delegated legislation is expected to lay out safeguards for several provisions in the DPDPA. It is important that such supporting legislation ensures protection of citizens’ personal data and their rights, in this context, of access to information and withdrawal of consent.

Voluntary Sharing of Personal Data as a Legitimate Use 

Section 7(a) of the DPDPA in particular relates to voluntary provision of personal data, where a data principal affirmatively shares their personal information for a “specified purpose”. The law further qualifies voluntary provision such that a data principal “does not, in any manner, indicate that they do not consent” to the use of their personal data for the specified purpose. Since each sub-section under Section 7 relates to a “legitimate use”, for which the data principal’s consent is not required, Section 7(a) suggests that processing of personal data that is voluntarily disclosed by an individual is also a “legitimate use” for which their consent is effectively not required. The illustrations set out under Section 7(a) also reinforce this understanding by emphasising actions taken by a data principal to “electronically message”, “voluntarily provide(s)” or “share” their personal information with a data fiduciary for a certain purpose. However, the definition of specified purpose as per Section 2(z)(a) “means the purpose mentioned in the notice given by the Data Fiduciary to the Data Principal”. The use of the term “specified purpose” in Section 7(a) can be read in accordance with this definition to necessitate the provision of a notice containing information about the specific purpose for which the data principal’s data is being collected.

While the aim of “certain legitimate uses” in the DPDPA is to carve out exceptions to the obligations of notice and consent, there is a lack of clarity on the legal basis for processing personal data that is voluntarily disclosed. The use of the term “specified purpose” in Section 7(a) thus creates ambiguities for cases in which the provision of notice by a data fiduciary is necessary. Further, there are currently no legal obligations that prevent data fiduciaries from using personal data that is voluntarily disclosed for other purposes. 

Implications of Removal of Notice & Consent Requirements for Voluntary Disclosure of Personal Data 

The lack of clarity from a data principal’s perspective about whether their express consent is required or not in certain circumstances also impacts their ability to meaningfully invoke their rights under Section 11 (right to access information about personal data), Section 12 (right to correction and erasure of personal data) and Section 13 (right to grievance redressal). While Sections 11 and 12 both explicitly preserve these rights for cases in which consent is inferred in accordance with Section 7(a), the clause itself contains no clear avenues for individuals to practically negotiate or invoke their rights with the data fiduciary. As such, the rights prescribed under Sections 11, 12 and 13 of the DPDPA will remain theoretical, without any practical applicability, since individuals are not informed or aware of instances in which their consent has been inferred and the stated purposes for which their personal data could be used.

A significant trend in user behaviour is the lack of awareness or control over how much of their personal data they voluntarily share online. The provision of a notice not only serves to inform users about the movement of their personal data online but also enables both data fiduciaries and data principals to have a mutual understanding of what the “specified purpose” for processing of personal data includes. In the 2022 draft version of the DPDPA, Section 8(9)(c) included considerations of whether the legitimate interests of the data fiduciary in processing for a ‘fair and reasonable’ purpose outweigh any adverse effect on the rights of the data principal. The Draft DPDPA also included considerations for the “reasonable expectations” of the data principal with respect to the context of processing of their personal data. The absence of this concept of “reasonable expectations” in the DPDPA weakens safeguards for the rights of data principals by exempting data fiduciaries from all legal obligations for the use and processing of voluntarily shared personal data.  

Even in the absence of consent, the obligation of a data fiduciary to provide notice is a significant safeguard for users to know when their personal data is being processed, who is collecting it and for what purpose. The current framing of Section 7(a) will make it difficult for users to know or be aware of instances in which their consent has been deemed.

The DPDPA provides the following illustration alongside Section 7(a) to aid understanding of the scope of the law:

“X, an individual, makes a purchase at Y, a pharmacy. She voluntarily provides Y her personal data and requests Y to acknowledge receipt of the payment made for the purchase by sending a message to her mobile phone. Y may process the personal data of X for the purpose of sending the receipt.”

The voluntary provision of personal information by users is not always as intentional and specific as illustrated in the DPDPA. The law assumes not only that X is fully aware of all potential consequences of sharing their personal data with Y, but also that X is fully aware of the data protection implications of an everyday transaction. However, digitisation of goods and services has made users predisposed to sharing their personal information without active or conscious consideration for the exact purpose of its use. The likelihood that X is informed or aware of the fact that Y can only process their personal data for a particular purpose is limited in the absence of notice and consent requirements. 

Further, since there is no mutually agreed upon understanding between X and Y regarding the specific purpose, Y is not obligated to comply with any best practices that will ensure X’s data privacy and prevent its misuse. There are also no legal obligations that prevent Y from sharing X’s personal data (with pharmaceutical manufacturers or government agencies for instance) or retaining X’s personal data to improve Y’s service provision etc. The DPDPA leaves scope for misuse of personal data that is voluntarily disclosed because of the vacuum of safeguards for the processing of X’s personal data by Y in this context. 

Consider a situation in which X has a rare health condition and goes to a pharmacy to purchase medication. X shares their prescription with Y and asks them to deliver the medication to their home. Y now has access to X’s personal profile including their name, phone number, personal details contained in the prescription (such as age) and home address. After Y delivers the medication to X’s home, they will continue to have access to X’s entire personal profile. There will be no way for X to know if Y has subsequently used their personal information for any other purpose. Further, the absence of any sub-classifications of personal data under the DPDPA renders cases in which users undertake voluntary disclosure of sensitive personal data particularly vulnerable to harms, misuse and cybercrime.

Examining user rights in the context of voluntary disclosure of personal data in India’s Digital Personal Data Protection Act
(Infographic by Ananya Moncourt)

Conclusion & Recommendations

In today’s digital ecosystem, we know that users share personal data such as names, contact numbers and addresses online without hesitation, despite privacy concerns. Given these existing trends in user behaviour, which academics refer to as the “privacy paradox”, our legal frameworks need to be designed to ensure protection of user privacy online. Since the DPDPA will significantly narrow the scope of cases in which users are allowed to give their informed and express consent, it can be argued that the exemption of consent and notice requirements for voluntary disclosure of personal data is a means to alleviate consent fatigue. Yet, in India, users do not understand the value of their online consent or privacy, and are often willing to trade them for convenience. Our data protection laws need to be cognisant of the realities of user behaviour and tendencies, and their awareness levels regarding personal data processing in the digital ecosystem.

The lack of guardrails for the use of voluntarily disclosed information by both the government and data fiduciaries is concerning and requires explicit limitations. Section 7(a) of the DPDPA also raises questions around the balance of individuals’ rights against the interest of data fiduciaries. It is unlikely that Section 7(a) will pass all four thresholds of legitimate aim, suitability, necessity and balance in accordance with the doctrine of proportionality as established in Puttaswamy v. Union of India. The role of delegated legislation in defining these limits is critical. Additionally, clarity regarding notice and consent requirements in cases of voluntary disclosure of personal data can ensure greater legal certainty and uphold the internal consistency of the DPDPA.