P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.
“Consent” is an important aspect of establishing the “Lawful basis” in Data Protection Laws. PDPB 2019 suggested that “Consent” is “Mandatory” and should meet the requirements of the Section 14 of Indian Contract Act.
Section 14 of the Indian Contract Act requires consent to be “Free” which means that there should be no “Coercion”, “Undue Influence”, “Fraud”, “Misrepresentation” or “Mistake”.
The term “Informed Consent” should be interpreted as equivalent to “Free” consent and it has to be achieved through a properly designed “Notice”. The reason why we say that “Notice” has to be “Clear” and “Precise” and rendered in such a manner that the data subject “Understands” it is because it has to stand the test of “Free Consent”.
For the “Consent” to be legally admissible, it has to meet the requirement of law that applies to “Authentication” of Electronic Documents.”. In India the law applicable to authentication of electronic documents is Section 3,3A of ITA 2000 and Section 65B of Indian Evidence Act.
While Section 3 and 3 A speak of Digital and Electronic Signatures that can be used by the Data Subject/Principal to authenticate the electronic notice, Section 65B renders a document admissible in a Court of Law if it is properly certified and hence serves the purpose of authentication through third party witnessing.
Where it is not feasible to obtain electronic or digital signature of the executant, the document can only be a “Deemed Consent”. “Deemed Consent” is supported by some electronic evidence which will be admissible provided it is Section 65 B(IEA) certified.
Hence a valid consent in Indian law in electronic form requires either an online electronic signature in the form of e-sign or collection of meta data about the transaction that can be Section 65B certified by an independent witness. The Supreme Court in its enthusiasm to uphold Privacy has stated that Aadhaar cannot be used for authentication by private sector though there is a system of “Pseudonymised Aadhaar” (Virtual Aadhaar) that could be used for authentication without adversely affecting the privacy of the individuals. Unfortunately despite the authorization to use “Virtual Aaadhar ID” for KYC purpose in the Aadhaar Amendment Act its use has not been universal.
Alternatively, authentication can be obtained through collection of meta data of the consent transaction and archiving it with Section 65B certification as may be necessary.
At present “Online Consents” are obtained as “Click Wrap Contracts” where the data subject clicks on a button to “Agree” a document which is more a “Standard form of contract”. This form of contract does not have validity in India as a “Documentary Contract” and the industry is getting mislead by considering that such online acceptance is legally valid.
At the same time, industry has not been using “Section 65B certified Archiving” to supplement its documentation of consent which is the responsibility of the Data Fiduciary/Controller.
In this context, it is necessary for the New Data Protection Act of India to provide appropriate clarity on whether online click wrap contracts are acceptable and if so under what conditions.
Additionally, “Consent” even if authenticated can only apply to the information that the data subject provides during the collection process.
“Consent” for some information which a person is not aware of fails the test of “Meeting of Minds” which is essential for a valid contract since what the data subject thinks he is agreeing to and what the data controller thinks he is getting the consent to may be different. A Data Analytics company may be using the collected personal data and may be able to create useful “Profiles” which are “Discovered Uses” of supplied data. While we may prescribe that consent should be obtained after discovery and before the first use of the discovered personal data, the “Discovery Process” itself may be construed as “Processing for a purpose not authorized in the initial consent”.
Hence we need to distinguish “Consent” for personal data about which the data subject is aware of and provides for a stated purpose (Shared Data Consent) is different from “Consent for Discovery of Personal Data”. This situation is analogous to the sale/lease of land with a consent for mining and discovery of minerals about which neither party is aware of at the time of sale/lease of land.
We therefore suggest that “Discovery Consent” has to be defined in the new law.
We have already discussed the need of “Witnessed Consent” while discussing the coverage of “Neuro Rights” and this will be another form of consent to be defined in the law.
We have also discussed the need to consider different kinds of profiles such as “Health Profile”, “Financial Profile” or “Advertising Profile” as “Sensitive personal data” and correspondingly the need to get “Explicit/Special consent” in such cases.
We have also discussed “Monetization” as a concept in law for which also a special “Monetization Consent” can be defined.
Hence we suggest that the NDPAI (New Data Protection Act of India) can define following different types of consent as explanations under Section 11 of PDPB 2019 or elsewhere in the definition section.
Additionally in view of the concept of “Consent Managers” as envisaged in the PDPB 2019, there will be a need to define “Consent for giving Consent” or “Authorizing another person to provide consent on behalf of the data principal. This will also be relevant when the data principal is in a state where his contractual capacity is suspended as in the case of Minors, Insolvent persons, or mentally incapacitated persons or persons in inebriated conditions or even those who are physically challenged.
An attempt is made in the following paragraphs to define these types of consent. It may be refined suitably through further discussions.
Authorization Consent
Authorization Consent means consent provided by a data principal to an authorized agent to disclose, share, and consent to further processing of the personal data of the data principal.
Shared Data Consent
Shared Data Consent means consent provided by a data principal or his authorized agent to a Data Manager for personal data which the data provider is aware of and for the legitimate purpose of processing and disclosed uses of data that he has been made aware of by the Data manager and he has agreed to.
Profiling Consent
Profiling consent means consent provided by the Data Principal or his authorized agent to the Data manager for use the data about the data principal whether collected directly or otherwise for profiling of the data principal and conditions if any of the use, disposal and portability of such profiles.
Monetization Consent
Monetization consent means consent provided by the data principal or his authorized agent to the Data manager for use of personal data or profile created out of the personal data of the data principal for generating revenue with or without consideration being paid to the data principal.
Witnessed Consent
Witnessed Consent means consent provided by a data principal which is witnessed by independent third parties who donot have conflicting interest in the processing of the personal data under circumstances that the data principal may not be reasonably expected to provide a free consent, and includes sharing of neuro data or sharing of personal data when the data principal is not in a medical condition to provide informed consent.
Discovery Consent
Discovery Consent means consent provided by the data principal or his authorized agent for a purpose of processing which is speculative in nature and could discover personally identifiable data or new uses not otherwise envisaged in the consent.