Will ‘deemed consent’ be part of the new data protection bill?
DEEMED CONSENT WOULD MEAN DATA GIVEN FOR ONE PURPOSE CAN BE USED FOR OTHERS TOO, AN APPROACH EXPERTS SAID DEFIED THE AIMS OF A PRIVACY LAW
NEW DELHI: The government is contemplating adding a clause regarding “deemed consent”, or providing of personal data voluntarily that may be used for purposes other than that it was provided for, in a new version of the data protection bill, that may or may not make it to the final draft, HT has learnt.
For example, the concept, which forms section 8 of the proposed Bill, it equates deemed consent to a data principal providing their personal details — name and mobile number— to a restaurant to reserve a table. In this case, the proposal adds, the data principal has agreed to the use of their personal details “for the performance of any function of the state under any law including a provision by the state or any instrumentality of the state of any service or benefit of the data principal, issuance of any certificate, license or permit for any action or activity of the data principal.”
In another illustration, the draft Bill proposes that if a data principal shares their name, mobile number and personal bank account number with a government department for direct credit for an agriculture scheme, the user will also be deemed to have shared the data for purposes that can include credit of fertilizer subsidy, compliance with a judgment or order issued under any law, responding to a medical emergency and for taking measures to provide medical service.
In a third example, it states that if a data principal shares biometric details with their employer, they shall be understood to have given their consent “in public interest for prevention and detection of fraud, whistle blowing, network and information security, credit scoring, operation of search engines for processing of publicly available data, and recovery of debt”.
This manner of determining consent is reflected in other sections of the draft law which dealt with conditions under which personal data can be processed. As part of the 2019 draft bill, personal data could be processed and accessed for “the purpose consented to by the data principal or which is incidental to said purpose”.
The new version of the draft said that the data may be accessed for a “lawful purpose” or an “incidental lawful purpose in a privacy preserving manner”, seemingly doing away with the “said” purpose, the one for which the data was sought.
“If indeed deemed consent is part of the latest draft Data Protection Bill, it in effect would negate the very purpose of the law. It would give free rein to one and all to collect data through the Hobson’s Choice of ‘take it or leave it’ and militates against the letter and spirit of Puttaswamy privacy judgment,” said Supreme Court lawyer and founder of Cybersaathi, NS Nappinai.
According to people aware of the matter, a version of the bill has also removed the categorisation of sensitive, personal and critical data, referring only to digital personal data, that could be used as an umbrella classification. Previously, sensitive and critical personal data had some elevated protections.
But, there seemed to be some inconsistency, with a separate section on cross-border transfer of personal data mentioning sensitive personal data as needing to require to be stored in the country, but without elaborating on what the classification included.
“The current law has a delineation mandating stricter rules for sensitive personal data. If categorisations are being removed, then rights of data subjects even to their personal data would have to be raised to that of sensitive personal data. It cannot be that existing rights qua SPD will stand diluted,” said Nappinai.
On Wednesday, there was strong speculation that the Union ministry of electronics and information technology (Meity) was about to introduce the latest version of the data protection bill, being referred to as the Digital Personal Data Protection Bill, 2022. But the government cancelled IT minister Ashwini Vaishnaw’s press conference at the last minute, an official familiar with the matter said, asking not to be named.
When asked about why the press conference was cancelled, Vaishnaw told reporters at the Rail Bhawan that the data protection bill was a work in progress. “It’s like building a temple, you have to build it one block at a time,” he said.
Union minister of state for electronics and information technology Rajeev Chandrasekhar on Wednesday also shared his past tweets with the hash tag# Personal data protection bill, triggering conversation about the changes in the new draft that was expected to be out on Wednesday.
The bill is being redrawn after being withdrawn in Parliament by the government during the Monsoon session. HT reported in August that government was planning to replace the data protection authority with a new appellate body, now being referred to as the Data Protection Board. It also reported that initially the ambit of the Bill will apply only to digitised data, with legacy provisions being introduced in the Bill.
Nappinai added that the purported proposal to remove the data protection authority and convert it to “a Board substantially diluted the powers originally vested with such authority. This is not on par with GDPR”. Her reference is to the General Data Protection Regulation, the EU law on privacy and security that is universally considered the benchmark for such laws.