DPDPA 2023 expects that “Consent” is the legal basis for processing of personal data. Consent requires a contract between the data principal and the data fiduciary. A Contract is a combination of an “Offer” and an “Acceptance”.
What we normally find on websites today are “Privacy Policy” which is a declaration of the organization that this is what we do to protect your privacy. This is in the form of a “Disclosure”.
When the disclosure is presented as a “Offer” and is confirmed as “Accepted”, the “Consent” is actualized. This leads to the action of the data principal in providing the necessary information, for the data processor to process the data as per the consent.
Perhaps to put the DPDPA 2023 into proper compliance framework, we need to change the “Disclosure Format” of Privacy policy to an “Offer” format of a Notice.
One of the implementation challenges is to make the consent contract non repudiable with proper authentication. The ITA 2000 indicates that the authentication of an electronic document is valid only if it is supported by a digital/electronic signature. As a result to enable a “Perfect Consent”, the Privacy Notice has to be accepted with an electronic signature. Since all data principals donot have a digital signature, the Aadhar based E-Sign is an option to explore. If however, e-sign has to be used for every consent, withdrawal of consent, modification of consent etc. it will be an expensive proposition for the data fiduciary.
How does DGPSI try to address this? or how should MeitY facilitate this? is a point of debate…
….Let us discuss your views on this in IDPS 2024 at Bengaluru, on November 30 and December 1…
Register today..at www.idps2024.in
