Indian PDPB2019 has made “Consent” as a mandatory requirement unless it is exempted. On the other hand GDPR considers Consent as only one of the legal basis under which personal data may be processed. The six different recognized ways by which personal data can be processed under GDPR are,
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
On the other hand, at first glance it appears as if Indian PDPB has tied itself up by the “Non Scalable Consent” as a mandatory basis by stating under Section 11(1)
“The personal data shall not be processed, except on the consent given by the data principal at the commencement of its processing.”
However, Indian PDPB has considered a broad set of cases in which consent may be exempted.
For example the exemptions can be available
a) Performance of the functions of the State
b) for enforcing judicial orders
c) medical emergency and medical treatment (like Vital interest in GDPR)
d) for Disaster management
e) Related to employment for recruitment, termination, assessment etc (only non sensitive personal information)
f) Reasonable purposes (for non sensitive personal data) in respect of legitimate interest, public interest, detection of unlawful activity, information security, whistle blowing, mergers and acquisitions, recovery of debt, Credit scoring, search engine operations etc.
From the above, it is clear that Indian PDPB 2019 has thought more in depth to provide essential exemptions which GDPR has forced Data Controllers to interpret under the “Legitimate Interest” argument.
However, apart from these exemptions which dilute the argument that “Consent Dependency” may make it “Unscalable”, Indian PDPB 2019 has provided for “Consent Manager” and “Sand Box” arrangements which can be used in appropriate occasions and also made the Data Controller a “Fiduciary” so that he has a duty to care and not merely go blindly by the consent which might have been obtained by clever misrepresentations.
Thus though India depends on consent and rigidity in consent could cause some issues for the processors, PDPB 2019 has addressed the issue through alternate means. This is a welcome feature of the Indian law and makes it better than GDPR.
Naavi