From newspaper to Instagram, from cash to UPI, India has witnessed a change and
has, in fact, been a part of this drastic change. With the advancement in
technology, the Government of India launched various projects like Passport
Seva, AADHAR, health, education, taxes etc. These projects required the
collection of data of citizens of this country. Indeed, one's fingerprint scan
and iris scan were also required for AADHAR. Concern over personal data
increased among the citizens and the need for specific laws was felt. India
never had a specific legislation to tackle the issue of privacy. Though there
was section 43-A of the Information and Technology Act, 2000, it didn't
cover every aspect.
The major change in the domain of privacy was brought by the judgement in
Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors[1], where a
9-judge bench unanimously held that the Right to privacy is a
fundamental Right under the Constitution of India. The Bench determined
unanimously that "the right to privacy is protected as a part of the freedoms
guaranteed by Part III of the Constitution and as an intrinsic part of the right
to life and personal liberty under Article 21."
In doing so, it overturned earlier rulings by the Supreme Court in the cases of
M.P. Sharma vs. Satish Chandra, District Magistrate, Delhi[2] and
Kharak Singh vs. State of Uttar Pradesh[3], wherein the latter concluded that
the Indian Constitution did not
acknowledge the right to privacy. Post Puttaswamy judgement, India finally came
up with a specific legislation to address the issue by enacting "THE DIGITAL
PERSONAL DATA PROTECTION ACT, 2023" (hereinafter referred to as "Act"), which has
already received the assent of the President on 11th August, 2023, but the Central
Government is yet to decide the date on which it would come into force.
The new law was passed after more than five years of discussion and is the first
cross-sectoral law on personal data protection in India. Though it needs time to
mature and cover the loopholes, the very enactment of the legislation is a
first step to tackle the issues. This article is restricted to the domain
of "Consent" as provided in the Act and its ancillary provisions.
Section 6(1) of the Act lays down 7 criteria to be fulfilled by the data
fiduciary[4] while taking consent from the data principal[5]. The criteria are
mentioned below:
- Free
- Specific
- Informed
- Unconditional and unambiguous
- Clear affirmative action
- Specific purpose
- Data minimization
The section clearly lays down certain guidelines as to how the privacy notice
needs to be drafted while taking the consent from the data principal. Once the
data is collected, it has to be used for the purpose for which it has been
collected. It cannot be further used for any other purpose. But the question
would be, how does anyone keep track of their personal data? One would come to
know about it whenever there is a leak of data, but till then, the chances of
the data being processed for various uses are high.
The Act defines digital personal data in section 2(n), which says
that any personal data in digital form will be termed digital personal
data. This might be an issue for the vlogging community because, while recording
a vlog in a public space, they tend to record other members of the public too,
without their consent. Now any individual who appears in a vlog could always
file a complaint that his/her privacy has been breached. This would also extend
to photographs uploaded on various platforms with the public in the background.
How do we deal with a situation where public consent is needed on a larger
scale? Nothing has been mentioned in the Act to address the issue.
Section 3 of the Act deals with applicability and, as per section 3(ii) of
the Act, it is applicable to data in non-digital form that is subsequently
digitised. For instance, in an Auto expo, a company collects the information of
individuals through a form (non-digitised) and subsequently it will be
digitised. Now, at what point would the data fiduciary take the consent? Once
the data is uploaded in a system, it falls under the purview of the Act, meaning
thereby that the data has been digitised without the consent. How do we address
this issue? One solution would be to draft a privacy notice while collecting the
data and take the consent, but would that be possible on a large scale? The
other option would be to send a privacy notice to the emails of the data
principal and then digitise the data, subject to the acceptance by the data
principal.
Section 6(4) of the Act talks about the right to withdraw the consent[6]. The
provision is similar to Article 7 of the General Data Protection Regulation[7].
In the case of Google Inc. v Commission nationale de l'informatique et des
libertés (CNIL)[8], the European Court of Justice ruled against Google stating
that European Union residents can always exercise their right to remove personal
information or delete it from the search engine and public records. The right to
be forgotten has been covered under Article 17 of the GDPR. The right to be
forgotten has been recognised in the Puttaswamy judgement (Supra) as a part of
the right to life and personal liberty under Article 21 of the Constitution of
India.
Section 6(4) also talks about the ease of withdrawing consent, meaning thereby
that the withdrawal of consent should be hassle-free and should be made as easy
for the data principal as it was while collecting the consent. It might sound
ambiguous, but it lays a burden on the website designer to design the withdrawal
in a manner which would comply with the provision of the Act. One way could be
to place the withdrawal button in a different colour and bigger than the rest of
the tabs, which would ensure the ease of access. The phrase in the provision,
i.e. "ease of doing", can be interpreted in various ways. What may be easy in
the opinion of the data fiduciary might not be so for the data principal. Maybe
once the rules are drafted, the grey areas might be answered.
Even though the Act has not come into force, its impact is going to be
immense on a lot of companies. The IT companies need to be more diligent while
constructing websites, and the companies need to run workshops for the employees
to make them aware of the law. Every foreign company that wishes to work or
is currently working in India needs to understand the law and ensure its
compliance. Admittedly, a lot of loopholes do exist in the Act,
but they can be resolved once the rules are drafted and through subsequent
rounds of litigation and subsequent amendments. The Act would certainly need
time to develop, but the enactment of legislation and taking a step in
protecting the privacy of the data individual is a major step by the government.
End-Notes:
1. (2017) 10 SCC 1
2. (1954) SCR 1077
3. (1964) 1 SCR 332
4. S. 2 (i) "Data Fiduciary" means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;
5. S. 2 (j) "Data Principal" means the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf;
6. (4) Where consent given by the Data Principal is the basis of processing of personal data, such Data Principal shall have the right to withdraw her consent at any time, with the ease of doing so being comparable to the ease with which such consent was given.
7. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
8. Case C-507/17
Written By: Advocate Romeet Panigrahi