In one of the versions of the draft DPDPA rules which is under circulation, it is expected that the Government may provide a template for notice for consent.
Accordingly a model notice as follows is expected to be part of the notification.
It is suggested that the above model notice could be part of a “Consent Artifact” as per rule 3(4) and hence it is likely to be adopted mutatis mutandis by data fiduciaries and used for automation of consent. This could lead to inadequate consent and should be subject to some human oversight. It may also be necessary that the above format given as a “model” needs to be fine tuned by users.
One observation is that this model is not following the principle of “Purpose Segregation” in the sense it suggests one notice and one consent for multiple purposes such as “Registration”, “receiving of payments” etc. It does not take into account the need of a data principle who only wants to register today but is not ordering anything or making any payments.
The notice however suggests the segregation of data elements with different retention requirements as has been the suggestion of DGPSI. This needs to be factored into the consent management system.
The model notice suggests a hyperlinked form for withdrawal of consent and for filing a grievance with the Data Fiduciary as well as the DPBI and for saving a copy of the notice.
The model suggests the notification of right to right to “Nominate” ignoring the provision of ITA 2000 [Section 1(4)].
The model form suggests “Erasure” as a right without a clarity that it is “Subject to other legal requirements to preserve the data” which is mentioned in the rule.
The lack of integration of the rule in this regard to the ITA 2000 as it exists now appears to show up.
Under DGPSI framework, we also recommend that one line on reminding the “Duties” of the data principal is also added to the notice and this is missing in the model notice.
It is apparent that the model notice is designed as a web form and has to end with a “Click” which should state say “I accept” converting the notice into a consent contract. The need for proper authentication of the consent needs to be addressed by the Data Fiduciary. There is no mention of how the notice needs to be authenticated in the rule 3
Regarding the rule of erasure, the rule 3(5) is ambiguous as it states
“ The Data Fiduciary shall maintain every notice relating to processing of personal data on the basis of consent given by the Data Principal till the expiry of such period, beyond the date of erasure of such personal data, as may be applicable by law to limitation on the institution of any suit, filing of any appeal or making of any application in relation to such personal data”.
It should be noted that the consent along with the data collected for consent needs to be retained both for the legal rights of the data fiduciary and also the legal obligation as per laws like ITA 2000 where some information has to be kept for 6 months or 5 years. It would not suffice if only the notice is preserved. Even the data has to be preserved. The rules as available misses this point.
Under rule 3(1), it is stated as follows:
3. Notice to seek consent of Data Principal: (1) Every request for consent made to the data principal shall be accompanied oor preceded by a notice given by the Data Fiduciary to such Data Principal shall be accompanied or preceded by a notice given by the Data Fiduciary to such Data Principal, in the following manner, namely:-
(a) The notice shall be so made that it is –
(i) an electronic record or document presented independently of any other information that is or may be made available by such data fiduciary;
(ii) understandable independently of any other information that is or may be made available by such data fiduciary
(iii) storable by the data fiduciary independently of the personal data to which such notice pertains; and
(iv) easily storable or preservable by the data principal for future reference and
(b) The notice shall inform , in clear and plain language, the details necessary to enable her to give specific and informed consent for the processing of her personal data, which shall include, at the minimum,
(i) an itemised description of such personal data
(ii) the specific purpose of such processing
(iii) a declaration that only such personal data is proposed to be processed as is necessary for the purpose
(iv) a description of the goods or services (including the offering of any service) to be provided, or the uses to be enabled, as a result of such processing:
(v) the specific duration or point in time till which such personal data shall be processed
(vi) a list of the Rights of the Data Principal
(vii) the particular communication link for accessing the website or app, or both, of such data fiduciary using which such data principal may withdraw her consent, exercise the rights of the data principal or make a complaint to the Board, and a description of other means, if any , using which she may so withdraw, exercise such rights or make a complaint.
It is clear from the above that the notice and consent is expected to be obtained in electronic form. The possible legal conflict with ITA 2000 regarding validity of digitally signed electronic contracts or the cancellation of the mandate on the death of an individual on nomination has been ignored as was expected.
Though the Data Fiduciary which is a State has the right to use “Legitimate use” basis for processing personal data in situations like provision of subsidy, benefit or service etc., there is a mention under rule 3(2) about the need for notice and consent. This could introduce a needless conflict between “Consent” and “Legitimate use” as two different aspects of establishing the legal basis.
In summary the rule regarding “Notice and Consent” will continue to offer some challenges in implementation which needs to be addressed by the Data Fiduciaries. It is notable that these have already been anticipated and factored into the DGPSI framework in its detailed implementation manual.
More discussions will follow….
Naavi
