Daring To Deem? 'Deemed' Consents Under India's Proposed Data Protection Law


This is the seventh note of S&R Data+, a multipart series focused on distinguishing between personal and non-personal data in the context of India's proposed digital data regime. Our previous note addressed certain aspects of notice and consent associated with informational processing by referring to the current draft of the Digital Personal Data Protection Bill, 2022 ("DPDP") and the EU's General Data Protection Regulation ("GDPR"). In this note, we address the idea of 'deemed consents' under DPDP.

Introduction

As a general principle, both knowledge and consent with respect to an individual are required for the collection, use, or disclosure of personal information.

However, in certain circumstances, personal information may be collected, used, or disclosed without the knowledge and consent of the individual concerned. For example, legal, medical, or security reasons may make it impossible or impractical to seek appropriate consent. Further, when information is being collected for the detection and prevention of fraud, or for law enforcement reasons, seeking the consent of the person related to such data might defeat the purpose of collecting that information. Further, seeking consents may be inappropriate when the individual is a minor, terminally ill, or mentally incapacitated. In addition, entities that do not have a direct relationship with the individual concerned may not always be able to seek their consent. For example, seeking consent may not be feasible for a direct-marketing company that wishes to acquire a mailing list from another company. In such cases, the company providing the list would be expected to obtain all relevant consents before sharing the underlying personal information with a third party.

Thus, obtaining consents is necessary both for: (i) the collection of personal information, and (ii) the subsequent use or disclosure of such information. Typically, a 'data fiduciary' (entities which determine the purpose and means of personal data processing) is required to seek such corresponding consents at the time of data collection itself. In certain circumstances, such consents (with respect to use or disclosure) may be sought after the information has been collected, but before using it (for example, when a company wants to use the collected personal data for a purpose not previously identified). To make this consent meaningful, the purposes for which the information will be used must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.

While obtaining consents, the reasonable expectation of the concerned individual is relevant. For example, a person buying a subscription to an online magazine should reasonably expect that the website, in addition to using the individual's name and address for mailing and billing purposes, may also contact the person to solicit the renewal of such subscription. In this case, the website can assume that the person's request to subscribe for the magazine constitutes their consent for certain specific purposes. On the other hand, an individual would not reasonably expect that their personal information given to a hospital or a doctor would be shared with a pharmaceutical company that sells healthcare products, unless consent was expressly obtained for this purpose (as long as it was not obtained through deceptive means).

A data fiduciary should generally seek explicit consent when the information is likely to be considered 'sensitive'. Implied consents would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a parent, a legal guardian, or a person holding a power of attorney).

In general, individuals may provide their consent in several ways. For example:

  1. A separate document, an electronic form, or a part of the same document through which personal data is sought to be collected (e.g., see Section 6(2)(a) of DPDP) might be used by a data fiduciary to seek a person's consent and to inform them about the use that will be made of their data (e.g., see Section 7(1) of DPDP). Thus, an individual may give their consent to the collection of data, as well as to the specified use of such collected data, by completing and signing the document or form;
  2. A check box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box may be assumed to have consented to the transfer of their data to third parties (in this regard, see Section 12(2) of Singapore's Personal Data Protection Act 2012, as amended ("PDPA"));
  3. Consent may be given orally (e.g., when information is collected over the telephone) (e.g., see Article 12(1) of the EU's GDPR); or
  4. Consent may be given at the time that individuals use a product or service, as long as the data fiduciary does not make the provision of such product or service conditional upon the individual's consent – especially when the data processing to which such consent relates is not necessary and/or reasonable for the performance of the underlying contract (e.g., see Section 14(2)(a) of PDPA and Article 7(4) of GDPR).

Nevertheless, an individual may withdraw their consent at any time (e.g., see Section 7(4) of DPDP), subject to legal or contractual restrictions and reasonable notice. The data fiduciary should inform the individual of the implications of such withdrawal (e.g., see Article 13(2)(c) of GDPR).

Deemed Consent Under Section 8: Background

Pursuant to Section 8 of DPDP, a 'data principal' (i.e., the individual related to the underlying information) will be deemed to have given consent to the processing of their personal data if such processing is necessary under certain specified conditions – including in a situation where the data principal voluntarily provides their personal information to a data fiduciary, and it is reasonably expected that they would provide such information under such circumstances (see Section 8(1) of DPDP).

Earlier iterations of DPDP – such as the Personal Data Protection Bill, 2018 ("PDP 18") and the Personal Data Protection Bill, 2019 ("PDP 19"), respectively – did not address the concept of 'deemed consent', at least not in the way it exists in the current draft of DPDP. While PDP 18 contained no reference to deemed consents whatsoever, Clause 23(4) of PDP 19 spoke about it in the context of a 'consent manager', stating that: "Where the data principal gives or withdraws consent to the data fiduciary through a consent manager, such consent or its withdrawal shall be deemed to have been communicated directly by the data principal" (emphasis supplied). In turn, Section 7(6) of present-day DPDP defines a 'consent manager' as a data fiduciary that enables a data principal to give, manage, review, and withdraw their consent through an accessible, transparent, and interoperable platform.

A revised iteration of PDP 19 called the 'Data Protection Bill, 2021' ("Proposed DP Act") – which formed part of a joint parliamentary committee's report on PDP 19 (see handwritten p. 463 onwards) – had dealt with the concept of consent managers too. Further, while not dealing with deemed consents per se – at least not in the form envisaged under Section 8(1) of DPDP – the Proposed DP Act did introduce the idea of non-consensual processing, thereby allowing both personal and 'sensitive' personal data to be processed in the absence of consent under certain specified grounds (similar to subsections (2) – (8) of DPDP's Section 8). Nevertheless, unlike DPDP, the Proposed DP Act had included 'sensitive' personal data as a separate category, and accordingly, specified that such data could only be processed in general with the explicit consent of data principals.

Nevertheless, the current DPDP's provisions on deemed consent list out certain conditions under which a data fiduciary is not required to secure the standard set out in Section 7(1) involving specific, unambiguous, and withdrawable consent (similar to Article 4(11) of the EU's GDPR). Instead, in such cases, a data fiduciary can process personal data on a lower standard of implied (or deemed) consent. Nevertheless, even while DPDP contains references to various situations where the concept of deemed consent may apply (see Section 8(2) – (9)), GDPR contains no similar provision with respect to deemed consents.

PDPA (Singapore)

Nevertheless, Sections 15 and 15A of Singapore's PDPA explicitly deal with situations of deemed consent. For instance, Section 15(1) of PDPA states that an individual will be deemed to have consented to the collection, use, or disclosure of their personal data by an organization for a certain purpose if: (i) the individual, without actually giving consent, voluntarily provides their personal data to the organization for such purpose; and (ii) it is reasonable that the individual would voluntarily provide the data. As such, it appears that Section 8(1) of DPDP has been inspired by the wording (and intent) of Section 15(1) of PDPA.

Nevertheless, provisions on deemed consent under PDPA clearly envisage a 'purpose limitation' – an important element found absent in DPDP's Section 8(1). In fact, Section 15(2) of PDPA goes on to suggest that cases of deemed consent with respect to the disclosure of personal data by one organization to another for a particular purpose will be limited to the collection, use, or disclosure of such data by the other organization for that particular purpose alone.

Like Section 25 of PDPA, Section 9(6) of India's DPDP requires data fiduciaries to stop retaining personal data, or to remove the means through which such personal data can be associated with particular data principals, as soon as it is reasonable to assume that: (i) the purpose for which such personal data was collected is no longer being served by its retention; and (ii) retention is no longer necessary for legal or business purposes. Further, in cases where a data principal's consent has been expressly obtained, Section 9(9) of DPDP allows a data fiduciary to share, transfer, or otherwise transmit the underlying data to any other fiduciary or processor – as long as such transmission occurs pursuant to a valid contract. However, it is unclear whether such requirements extend to instances of deemed consent under Section 8(1) of DPDP.

Further, the spirit of deemed consents under Singapore's PDPA is captured by its Section 15(3), which specifies that an individual who provides personal data to an organization with a view to entering into a contract with the latter is deemed to consent to certain activities which are reasonably necessary for the conclusion of such a contract. In addition, Section 15(6) of PDPA states that an individual who enters into a contract with an organization and thereby provides personal data to it with respect to such contract will be deemed to have consented to disclosures of that personal data when reasonably necessary for contractual performance. Somewhat similarly, Article 6 ('Lawfulness of processing') of the EU's GDPR states that in the absence of a data subject's consent (a 'data subject' under GDPR is the equivalent of a data principal under India's DPDP), processing will be lawful only if it is necessary for certain reasons, such as to perform or enter into a contract (see Article 6(1)(b) of GDPR). Although illustrations under Sections 7(2), 7(4), 7(5) and 7(8) of DPDP, as well as the text of the latter ("performance of any contract already concluded between a Data Fiduciary and a Data Principal shall not be made conditional on the consent to the processing of any personal data not necessary for that purpose") do contemplate circumstances similar to ones envisaged under Singapore's PDPA and the EU's GDPR, they nevertheless apply to consents in general, and not to situations of either deemed consent or non-consensual processing.

Deemed Consent vis-à-vis Notice

Importantly, it is unclear whether DPDP's 'notice' requirements under Section 6 apply to situations of 'deemed consent' under Section 8 (for a general discussion on notice requirements under DPDP, see the previous note of this series). Under Section 6 of DPDP, during or prior to requesting a data principal for consent, a data fiduciary is required to give them an itemized notice in clear and plain language that contains a description of the personal data sought to be collected, along with the purpose of processing such data. This is similar to GDPR's Article 7 (dealing with 'Conditions for consent').

Indeed, Article 7(1) of the EU's GDPR clarifies that when processing is based on consent (as opposed to being non-consensual or 'deemed'), the 'controller' (i.e., the equivalent of a data fiduciary) is required to demonstrate that the data subject had consented to the processing of their personal data. Meanwhile, Section 7(9) of India's DPDP specifies that in such situations, when a question about the giving of consent arises in a proceeding, the data fiduciary will be required to prove that it had given a notice to the data principal, and that a corresponding consent had indeed been provided in accordance with relevant provisions of DPDP.

In its current formulation, it appears that there is no notice requirement for instances of deemed consent under DPDP. However, such notice requirements could be made mandatory in certain cases of non-consensual processing under Section 8 – particularly when deemed consents under subsection (1) are involved, as opposed to instances of non-consensual processing under subsections (2) – (8). This distinction (between subsection (1) of Section 8, on the one hand; and subsections (2) – (8) of Section 8, on the other hand) is discussed in the next segment of this note.

Further, extending a notice obligation to instances of deemed consent under Section 8(1) of DPDP may ensure a 'purpose limitation' with respect to the data collected. Alternatively, an additional requirement could be introduced under Section 8(1) such that a data fiduciary is required to provide a new notice when the purpose of data processing undergoes a change. In addition, if and when notice requirements are extended to instances of deemed consent under Section 8(1) in the future, instances of non-consensual processing under Section 8(2) – (8) may be exempted from notice requirements. Accordingly, future exemptions (over and above those listed under Section 18 of DPDP) could be limited by conditions of necessity, or by circumstances where the legitimate purpose of data processing is rendered impossible or stands frustrated on account of such notice requirements.

Section 8: Subsection (1) vs. Sub-sections (2) – (8)

Each of DPDP's sub-sections (1) to (9) under Section 8 has been included under the heading of 'deemed consent'. However, strictly speaking, while a deemed consent to data processing under sub-section (1) applies in situations where a data principal voluntarily provides their personal data to a data fiduciary and it is reasonably expected that they would provide such data, sub-sections (2) to (8) provide for instances under which personal data may be legitimately processed without any legal requirement to obtain consent from the data principal. Although both such categories have been included under the ambit of 'necessity' (the lead-in to Section 8 of DPDP states: "A Data Principal is deemed to have given consent to the processing of her personal data if such processing is necessary..."), they are inherently different.

While the language of sub-section (1) appears to specifically indicate situations of implicit consent (as opposed to explicit consent, as required under Section 7(1) of DPDP), sub-sections (2) to (8) deal with conditions of necessity similar to the ones listed under sub-articles (b) to (e) of Article 6(1) under the EU's GDPR. Further, sub-section (9) of India's DPDP deals with necessity stemming from a 'fair and reasonable purpose' including considerations of legitimate interest, similar to Article 6(1)(f) of GDPR.

Sub-sections (2) – (8)

To elaborate, sub-sections (2) to (8) of DPDP's Section 8 include instances where processing is necessary for the following reasons: (i) for the state to perform its functions, provide services, issue permits, etc. with respect to the data principal; (ii) for compliance with judgments or orders; (iii) for responding to medical emergencies, or threats to public health and order; (iv) for employment-related purposes, including with respect to intellectual property rights; and (v) in public interest.

Article 6 of the EU's GDPR

Somewhat similarly, Article 6 ('Lawfulness of processing') of the EU's GDPR states that in the absence of the data subject's consent, processing will be lawful only if it is 'necessary' for certain reasons, such as the following: (i) contractual performance; (ii) legal compliance; (iii) protection of individual vital interests; and (iv) public interest.

Why is sub-section (1) different from the rest?

Among other things, sub-section (1) is different from other sub-sections of DPDP's Section 8 because it is capable of involving the question of consent withdrawals (although it is unclear whether, and how, such deemed consents may be subsequently withdrawn by the data principal, given the current design of DPDP). On the other hand, sub-sections (2) to (8) deal with situations of data processing where it is necessary to perform such processing irrespective of whether a data principal voluntarily provides their personal data (as envisaged under subsection (1)) or not. Accordingly, to put situations corresponding to sub-sections (2) to (8) under the ambit of 'consent' is not a useful legislative exercise, including on account of the fact that such situations do not even require or contemplate 'consent' – whether explicit (under Section 7(1)) or deemed (under Section 8(1)). Accordingly, these situations could be distinguished from sub-section (1) in the future, including through modified legislation.

Processing by the State vs. Processing by Private Companies

Section 8(2) of DPDP provides for the non-consensual processing of personal data by the state in certain situations, including for "the provision of any service or benefit to the Data Principal, or the issuance of any certificate, license, or permit for any action or activity of the Data Principal." It is not clear whether state instrumentalities may be allowed to process personal data under this sub-section in the absence of consent even when they do not act in a sovereign capacity. Thus, government companies providing goods or services may be able to process personal data without consent even when they pursue purely commercial activities – i.e., operate like any other private business.

On the other hand, unlike Article 6 of the EU's GDPR, India's DPDP does not contain any provision that provides for the non-consensual processing of personal data by non-state and/or private entities – even when necessary for contractual and/or legal compliance. For instance, under GDPR, even in the absence of consent, Article 6(1)(b) - (d) permits processing when it is necessary for: (i) the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract; (ii) compliance with a legal obligation to which the controller is subject; and (iii) in order to protect the vital interests of the data subject or of another natural person.

Further, certain provisions in previous iterations of DPDP – such as Clause 14(a) of PDP 18 and Clause 12(b) of PDP 19, respectively – had stated that personal data may be processed if such processing is necessary or mandated under any law. However, although the current draft of DPDP permits non-consensual processing for compliance with a judgment or an order (Section 8(3)), it contains no provision for the processing of personal data when it is necessary to do so for any general legal compliance. Thus, when a private entity is required to process personal data to comply with a sectoral law or regulatory requirement – strictly speaking, such processing may not be permitted under DPDP.

Nevertheless, the wording of Section 7(5) of DPDP does suggest that this may not be the case. Although applicable in the specific context of consent withdrawals, Section 7(5) clarifies that in the event of such a withdrawal, both the data fiduciary and its data processors are required to cease processing within a reasonable time, unless non-consensual processing is required or authorized under DPDP or any other law. Accordingly, the final draft of DPDP may issue a clarification on this point.

Fair and Reasonable Purpose

Section 8(9) of DPDP allows non-consensual data processing when it is necessary to do so for a prescribed fair and reasonable purpose, based on considerations involving the data fiduciary's legitimate interests and the data principal's reasonable expectations, among other things.

Specifically, Section 8(9)(a) of DPDP involves the question of whether the legitimate interests of the data fiduciary in processing for a 'fair and reasonable' purpose outweigh any adverse effect on the rights of the data principal. Further, Section 8(9)(c) involves a consideration of the reasonable expectations of the data principal with respect to the context of processing.

In this regard, Recital 47 of the EU's GDPR provides some indicative guidance. For example, it suggests that such 'legitimate interest' may exist in situations when there is a relevant and appropriate relationship between the data subject and the controller, such as where the data subject is a client or is in the service of the controller. Nevertheless, the existence of a legitimate interest needs to be carefully assessed, including with regard to the question of whether a data subject can reasonably expect at the time and in the context of personal data collection that a corresponding processing of such data may be undertaken for a specified purpose. Accordingly, the interests of the data subject could override the interest of the controller when the former's personal data is processed in circumstances where – for example – a data principal does not reasonably expect further processing. However, such processing for direct marketing purposes may be regarded as being carried out for a legitimate interest.

Final Thoughts

The language of Section 8(1), DPDP suggests that upon the occurrence of some voluntary action on the part of a data principal, whereby they willingly 'provide' their personal data, a corresponding consent with respect to the processing of such data may be deemed to have been provided as well (unless it is not reasonable to expect that the concerned individual would do so under similar circumstances). Accordingly, a wide variety of actions and activities could lead to situations of deemed consent, where the data principal may end up making their personal information available, or become subject to observation, or make the collection of their personal data possible – without any affirmative action on their own part. Thus, merely by dint of having an interface with a certain technology or a web-based platform, an individual might make their personal data available without actually agreeing to its collection or use.

Further, the 'reasonable expectation' requirement under Section 8(1) only refers to the provision and collection of data – as opposed to the purpose of using or processing such data. Strictly speaking, a limitation on the provision or collection of data is not a limitation on its use. Thus, this provision – as it currently stands – could be interpreted to mean that there is no limitation on the purpose for which personal data can be processed in the future.

Relatedly, Section 8(1) appears to disregard the possibility of the data principal wanting to withdraw their (deemed) consent. This seems to suggest that – although withdrawing consents is permitted under DPDP even after a consent has been explicitly provided (under Section 7(1)) – it is not possible to do so when the consent is implicit or deemed. However, it is not unlikely that a data principal will understand the implications of processing with respect to their personal information only later – although they may have 'voluntarily' provided their data earlier. If and when these implications are properly understood, data principals may want to withdraw such deemed consent. However, Section 8(1), in its present formulation, does not appear to accommodate this possibility.

PIPED (Canada)

Section 6.1 of Canada's Personal Information Protection and Electronic Documents Act, 2000 ("PIPED") contains a 'reasonable expectation' reference – like India's DPDP – with respect to valid consents. However, the Canadian legislation extends such expectation to the purpose and consequences of the use of personal information. For example, Section 6.1 of PIPED states: "...The consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting."

Further, Section 7.1(a) and (b) of PIPED clarifies that an organization may collect personal information without the knowledge or consent of the individual only if: (i) the collection is clearly in the interests of the individual, and consent cannot be obtained in a timely way; or (ii) it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information, and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of national/local laws.

Moreover, Section 7.2 of PIPED lists out a separate set of conditions for using the personal information collected by an organization, when such information has been collected without the knowledge or consent of the individual concerned. As a result, situations similar to those of 'deemed consent' under India's DPDP have adequate protections built into PIPED.

This insight/article is intended only as a general discussion of issues and is not intended for any solicitation of work. It should not be regarded as legal advice and no legal or business decision should be based on its content.
