From newspaper to Instagram, from cash to UPI, India has witnessed a change and rather has been a part of this drastic change. With the advancement in technology. The government of India launched various projects like passports Seva, AADHAR, health, education, taxes etc. These projects required the collection of data of citizens of this country. Rather, one's fingerprint scan, and iris scan were also required for AADHAR. Concern over personal data increased among the citizens and the need for specific laws was felt. India never had a specific legislation to tackle the issue of privacy. Though there was section 43-A of the Information and Technology Act,2000, but that didn't cover every aspect.

The major change was brought in the domain of privacy by the judgement of Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors[1] , where 9 judge bench unanimously held that the Right to privacy is a fundamental Right under the constitution of India. The Bench determined unanimously that "the right to privacy is protected as a part of the freedoms guaranteed by Part III of the Constitution and as an intrinsic part of the right to life and personal liberty under Article 21."

In doing so, it overturned earlier rulings by the Supreme Court in the cases of M.P. Sharma vs. Satish Chandra, District Magistrate, Delhi[2] and Kharak Singh vs. State of Uttar Pradesh[3], wherein the latter concluded that the Indian Constitution did not acknowledge the right to privacy. Post Puttaswamy judgement, India finally came up with a specific legislation to address the issue by enacting "THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023" (herein after referred as "Act"), which has already received the assent of the president on 11th August, 2023, but Central Government is yet to decide the date on which it would come into force.

The new law was passed after more than five years of discussion and is the first cross-sectoral law on personal data protection in India. Though it needs time to mature and cover the loop holes, but the very enactment of the legislation is a first step to tackle the issues. This article would be restricted to the domain of "Consent" as provided in the act and its ancillary provision.

As per section 6 (1) of the Act, it lays down 7 criteria to be fulfilled by data fiduciary[4] while taking consent from the data principal[5]. The criteria are mentioned below:-

1. Free
2. Specific
3. Informed
4. Unconditional and unambiguous
5. Clear affirmative action
6. Specific purpose
7. Data minimization

The section clearly puts certain guidelines as to how the privacy notice needs to be drafted while taking the consent from the data principal. While collecting the data, it has to be use for the purpose for which it has been collected. It cannot be further used for any other purpose. But the question would be, how does anyone keep the track of their personal data? One would come to know about it, whenever there is a leak of data, but till then, the chances of the data getting processed for various use is high.

The act defines digital personal data in section 2 (n) of the act, which says that any personal data in the digital form will be termed as digital personal data. This might be an issue for the vlogging community as while recording a vlog in public space, they tend to record other public too, without their consent. Now any individual who would have been in a vlog, could always file a complaint that his/her privacy has been breached. This would also extend to the photographs uploaded on various platforms with public in the background. How do we deal with a situation where a public consent is needed on a larger scale? Nothing has been mentioned in the act to address the issue.

Section 3 of the act, deals with the applicability and as per section 3(ii) of the act, it is applicable to the non-digital form, subsequently digitised. For instance, in an Auto expo, a company collects the information of individual by a form (non-digitised) and subsequently it will be digitised. Now, at what point the data fiduciary would take the consent? As once the data is uploaded in a system, it falls under the purview of the act. Meaning thereby the data has been digitised without the consent. How do we address this issue? One solution would be to draft a privacy notice while collecting the data and take the consent, but would that be possible in a large scale? The other option would be to send a privacy notice to the emails of the data principal and then digitise the data, subject to the acceptance by the data principal.

Section 6(4) of the act talks about the right to withdraw the consent[6]. The provision is similar to Article 7 of the General Data Protection regulation[7]. In the case of Google Inc., v Commission nationale de l'informatique et des libert�s (CNIL)[8], the European court of justice ruled against Google stating that European Union residents can always exercise their right to remove personal information or delete it from the search engine and public records. Right to be forgotten has been covered under Article 17 of the GDPR. Right to be forgotten has been recognised in the Puttaswamy judgement (Supra) as a part of the right to life and personal liberty under Article 21 of the constitution of India. Section 6(4) also talks about the ease of withdrawing consent, meaning thereby.

The withdrawal of consent should be hassle-free and should be made easy for the data principal as it was while collecting the consent. It might sound ambiguous but it lays a burden on the website designer to design the withdrawal in a manner which would comply with the provision of the act. One way could be to Place the withdrawal button in a different colour and bigger than the rest of the tabs which would ensure the ease of access. As the phrase in the provision, i.e. " ease of doing" can be interpreted in various ways. What may be an ease in the opinion of data fiduciary, that might not be for the data principal. Maybe one the rules are drafted, the grey areas might be answered.

Even though the act has not come into force, but its impact is going to be immense on a lot of companies. The IT companies need to be more diligent while constructing the websites, the companies need to run workshops for the employees to make them aware about the law. Every foreign company who wishes to work or are currently working in India, needs to understand the law and make their compliances. Agreeing to the fact that a lot of loopholes do exist in the act, but that can be resolved once the rules are drafted, subsequent rounds of litigations and subsequent amendment. The act would certainly need time to develop but the enactment of legislation and taking a step in protecting the privacy of the data individual is a major step by the government.

End-Notes:

• (2017) 10 SCC 1
• (1954) SCR 1077
• (1964) 1 SCR 332
• S. 2 (i) "Data Fiduciary" means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;
• S. 2 (j) "Data Principal" means the individual to whom the personal data relates and where such individual is� (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf;
• (4) Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given.
• The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
• Case C-507/17

Written By: Advocate Romeet Panigrahi