“Consent” and “Explicit Consent” under PDPA

The time has now come to analyze the draft PDPA 2018 bill in depth, so that when the final version of the bill is passed, contradictions can be minimized.

One aspect that needs discussion in this regard is the distinction between “Consent” and “Explicit Consent”.

“Consent” is defined under Section 12 of the Act and “Explicit Consent” is defined under Section 18.

Consent as per Section 12 is defined as under:

12. Processing of personal data on the basis of consent.—

(1) Personal data may be processed on the basis of the consent of the data principal, given no later than at the commencement of the processing.

(2) For the consent of the data principal to be valid, it must be

(a) free, having regard to whether it meets the standard under section 14 of the Indian Contract Act, 1872 (9 of 1872);

(b) informed, having regard to whether the data principal has been provided with the information required under section 8;

(c) specific, having regard to whether the data principal can determine the scope of consent in respect of the purposes of processing;

(d) clear, having regard to whether it is indicated through an affirmative action that is meaningful in a given context; and

(e) capable of being withdrawn, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given.

(3) The data fiduciary shall not make the provision of any goods or services or the quality thereof, the performance of any contract, or the enjoyment of any legal right or claim, conditional on consent to processing of any personal data not necessary for that purpose.

(4) The data fiduciary shall bear the burden of proof to establish that consent has been given by the data principal for processing of personal data in accordance with sub-section (2).

(5) Where the data principal withdraws consent for the processing of any personal data necessary for the performance of a contract to which the data principal is a party, all legal consequences for the effects of such withdrawal shall be borne by the data principal.

Under Section 18, Explicit Consent is defined as:

18. Processing of sensitive personal data based on explicit consent. —

(1) Sensitive personal data may be processed on the basis of explicit consent.

(2) For the purposes of sub-section (1), consent shall be considered explicit only if it is valid as per section 12 and is additionally:

(a) informed, having regard to whether the attention of the data principal has been drawn to purposes of or operations in processing that may have significant consequences for the data principal;

(b) clear, having regard to whether it is meaningful without recourse to inference from conduct in a context; and

(c) specific, having regard to whether the data principal is given the choice of separately consenting to the purposes of, operations in, and the use of different categories of sensitive personal data relevant to processing.

It appears that the sections make little distinction between “Consent” and “Explicit Consent”. Both need to be valid under the Indian Contract Act and have to be informed, clear and specific.

Further, Section 12 itself states that the data fiduciary shall bear the burden of proof to establish that consent has been given by the data principal for processing. Hence the Data Fiduciary has to collect appropriate proof both for Section 12 and Section 18. Additionally, the burden of proof under Section 18 for “Explicit” consent has to be stronger than what is necessary for Section 12.

Presently the business practice is to take a consent through an electronic document presented online to which the data subject expresses his approval by clicking the “I Agree” button.

This “Click Wrap” contract is only considered an “Implied Contract” under ITA 2000/8, since there is no “Signature” on the electronic document of the kind approved under ITA 2000/8. If such an implied contract is acceptable for Section 12, then the higher degree of authentication for Section 18 has to be through the application of an approved “Digital Signature”, such as an “eSign”. Unfortunately, due to the Supreme Court decision on Aadhaar, eSign cannot be used by private parties (unless the eKYC system is modified for the use of Virtual Aadhaar ID). Hence it is practically difficult or impossible to obtain an online digital signature that would make an “Explicit Consent” an effective authentication under law.

There is also another problem that needs resolution. The “Consent” under Section 12 of PDPA makes a reference to Section 14 of the Indian Contract Act, making it look like a process that must be compliant with the Indian Contract Act. At the same time, under Section 4 of PDPA 2018, it is stated that the “Data Fiduciary” “owes a duty” to the “data principal”. The use of the words “Fiduciary” and “Duty” indicates that what PDPA envisages as the role of the Data Fiduciary is that of a “Trustee” and not that of a “Contractor of the Data Subject”.

Hence the nature of the document that creates the Data Principal-Data Fiduciary relationship should be considered as one that creates a “Trustee relationship where the data subject/Principal is the beneficiary”.

If the online consent document has to be considered as a document that is equivalent to a “Trust deed”, there is a conflict with Section 1(4) of the ITA 2000/8 according to which an electronic document purporting to be a Trust deed is not recognized under Section 4 of ITA 2000/8.

Hence the online consent, which is a purported click wrap contract, is not valid, and even if considered as an “Implied Contract”, it cannot create the “Fiduciary” relationship as envisaged. Such a contract would also be treated as a standard form contract, and the onerous clauses would need to be specially highlighted.

Considering the conflicts arising out of the PDPA 2018 and ITA 2000/8 and the Indian Contract Act, there is a need to take some special care when the PDPA bill is finalized.

Firstly, through PDPA 2018, an exception has to be provided to Section 1(4) specifically to state that Section 1(4) of ITA 2000/8 does not apply to a “Document Creating a Data Fiduciary Relationship” as per Section 12/18 of PDPA 2018.

Secondly, “Explicit Consent” should be defined as a “Consent” which is authenticated by a digital/electronic signature under Sections 3/3A of ITA 2000/8. Simultaneously, exemption should be provided, by a reference to the Supreme Court if necessary, so that “Explicit Consent” can be provided with the use of eSign. If, however, the CCA re-notifies its eSign notification by substituting the use of Virtual Aadhaar ID or offline verification for eKYC, no reference to the Supreme Court is required.

These issues need to be addressed when the PDPA Bill is discussed in the Parliament.

Naavi


One Response to “Consent” and “Explicit Consent” under PDPA

  1. Suma says:

    Sir,
    As we say rules are there to guide us not to rule us. Hence explicit consent or consent many times user provides without knowledge. If possible, user should be provided an option to withdraw the consent at any point of time with breach without breach, claim for loss if any.
