According to DPDPA 2023, consent is to be obtained even for applicable personal data collected by a Data Fiduciary before the commencement of the Act as per the notification. Hence identifying such data and issuing notices to such data principals is one of the key activities of data fiduciaries.
The proposed rules is expected to indicate for this purpose,
Notice to inform of Processing done where the Data Principal has given consent before commencement of Act:
(1) Where a Data Principal has given her consent for the processing of her personal data before the commencement of the Act, the data fiduciary shall as soon as it is reasonably practicable, give to the Data Principal a notice, in the following manner, namely:-
(a) The notice shall be made in like manner as is provided for a notice to seek consent and shall be understandable independently of any other information that has been made available by such data fiduciary; and
(b) The notice shall inform, in clear and plain language, the details necessary to enable her to exercise the Rights of the Data Principal, including-
(i) Such minimum details as are required in respect of a Notice to seek consent; and
(ii) description of the goods or services (including the offering of any service) that were provided or the users that were enabled, as a result of such processing
(2) A Data Fiduciary may use a Consent Artifact for thee purpose of giving the notice to inform of processing done.
The rule is silent about how the Data Fiduciary has to handle situations where the notice cannot be given for lack of contact information, or when the notice is returned undelivered or when the recipient is silent on whether the processing can continue.
Under DGPSI, we prescribe that appropriate measures should be built into the Consent artifact itself to meet these contingent possibilities.
It would be interesting to see how other frameworks (if any) address this issue.
Naavi