The Digital Personal Data Protection Bill, 2023, has set in motion a transformation in India's data privacy landscape. Among the pivotal alterations introduced is the concept of "deemed consent" and the reinforced right to withdraw consent. This paradigm shift carries significant implications for organizations collecting employee data, sparking discussions about corporate practices and the viewpoint of employees.
Exploring Deemed Consent, now referred to as ‘Certain Legitimate Uses’ under the DPDP Bill
The Digital Personal Data Protection Bill (2022) introduced a novel concept termed "deemed consent." In essence, this provision suggested that under specific circumstances, an individual's silence or inaction could be considered a form of consent.
Section 7 of the Digital Personal Data Protection Bill (2023) marks a paradigm shift away from the deemed consent process, narrowing it down to ‘Certain legitimate uses’, which include the use of personal data for the specified purpose, for the State and any of its instrumentalities, and for any of the legitimate uses specified under section 17.
As per section 7 of the DPDP, companies or data fiduciaries may process the personal data of data principals for the specified purpose for which the Data Principal has voluntarily provided his/her personal data to the Data Fiduciary, unless he/she has specifically indicated that he/she does not consent to the use of such personal data. Take the example of new employment: all details shared by an employee, and all data collected and processed in relation to his/her immediate employment, may be covered by legitimate use, as the data is processed for the specified purpose for which the Data Principal has voluntarily provided his/her personal data to the Data Fiduciary. Unless the company intends to process the data for a purpose other than the Data Principal’s employment, consent from the Data Principal shall not be required to process the data.
The concept of ‘Certain legitimate use’ is still relatively new and untested, and it will be interesting to see how organizations interpret and apply it in practice. Some organizations may take a cautious approach and rely on the legitimate use of personal data only in very limited circumstances, while others may be willing to rely on it more broadly. It is also possible that the courts will have to rule on the meaning of ‘Certain legitimate use’ in specific cases, which could further clarify its scope and application for organizations.
Exceptions to consent under Section 17 of the Bill
There are certain exceptions where consent need not be sought for data processing, including but not limited to: investigation of offences, processing for a scheme of compromise, merger or amalgamation, and detecting financial fraud.
Corporate ramifications
For entities routinely engaged in the collection and processing of employee data, the concept of ‘certain legitimate use’ ushers in both prospects and challenges. On one hand, the streamlining of consent processes may alleviate administrative burdens and heighten efficiency. Yet, it is imperative for organizations to tread carefully, aligning their data collection practices with the principles of fairness, transparency, and accountability enshrined in the bill.
Moreover, the Digital Personal Data Protection Bill bolsters the right to withdraw consent, empowering individuals to retract their agreement at any juncture. Organizations are now mandated to institute mechanisms that facilitate this withdrawal process, enabling employees to retain full control over their personal data. Failing to comply with this provision could result in legal consequences, emphasizing the need for organizations to establish robust consent management systems.