While the current draft of India’s Digital Personal Data Protection Bill, 2022 (“DPDP”) is partly similar to the EU’s General Data Protection Regulation (“GDPR”) with respect to ‘notice’ and ‘consent’ requirements, the former introduces certain unique elements – such as ‘deemed consents’ under Section 8, involving nine subsections.
While a consent under subsection (1) may be considered ‘deemed’ when a person voluntarily provides their data and it is reasonably expected that they would provide it in such a situation (similar to Section 15 of Singapore’s Personal Data Protection Act, 2012 (“PDPA”)), sub-sections (2) to (9) deal with circumstances where data may be non-consensually processed on account of a necessity or a prescribed purpose (similar to Article 6 of the EU’s GDPR). Although both such categories have been included under the same provision, they are inherently different.
While Singapore’s PDPA specifically imposes purpose limitations and requires reasonable necessity (e.g., contractual performance) with regard to deemed consents, DPDP’s Section 8(1) does not. It is also unclear if ‘notice’ requirements apply to deemed consents under the latter provision. Further, unlike the EU’s GDPR, subsections (2) to (9) of DPDP’s Section 8 do not permit non-consensual processing by non-state and/or private entities other than in a few limited circumstances.
At the same time, a wide variety of human activity could lead to deemed consents under Section 8(1). For instance, during interface with a new technology or platform, an individual may inadvertently (albeit ‘voluntarily’) make their personal data available without actually agreeing to its collection or use. In that regard, DPDP is ambiguous about the possibility of withdrawing a deemed consent –although it allows consent withdrawals in general. Since data processing is required to stop in such cases – unless non-consensual processing is authorized by law (or is otherwise necessary), the final draft of DPDP could clarify this point.
The post Daring to Deem? ‘Deemed’ Consents Under India’s Proposed Data Protection Law appeared first on S&R Associates.
