Quality of Consent under DPDPA

The Digital Personal Data Protection Act, 2023 (“DPDPA”) contemplates that consent be obtained for processing the personal data of the Data Principal (“user”), and that this consent be of a certain quality.

The quality of the consent is determined by the following elements:

  • Limited to the personal data required for the specific purpose
  • Free
  • Specific
  • Unambiguous
  • Unconditional
  • Clear affirmative action signifying consent for the processing activity

Each of these requirements must be satisfied for consent to be valid. It is a settled rule of interpretation that words should normally be given their ordinary meaning. The word ‘and’ is conjunctive, i.e. all the words connected by ‘and’ must be read together. An alternative meaning is possible, but it can be adopted only where that interpretation is needed to give effect to the intent of the legislation. Read cumulatively, the Act leaves entities processing the user’s personal data little room for any ‘funny business’.

Each element determining the quality of consent can be interpreted independently. I will attempt an analysis of each element on its own and then synthesise them at the end to get an idea of how the consent requirement may play out.

Consent under DPDPA must be:

Free

Free consent has statutory backing. The Indian Contract Act, 1872, defines free consent in a negative manner. Free consent is consent that does not have the following elements: coercion, undue influence, fraud, misrepresentation or mistake. So, consent is free if none of these elements played a role in the user making up their mind to allow the entity to process their personal data.

Quite simply, no element of the data processing operation should be hidden from the user. 

Specific

The DPDPA does not provide any guidance as to what would constitute the threshold for consent to be ‘specific’.

The Draft Rules notified by the government contemplate that, for consent to be specific, it must be obtained after the following information has been provided to the user: (a) an itemised description of the personal data processed, (b) the specified purpose of the processing and (c) an itemised description of the goods and services enabled by such processing.

This is the bare minimum information that the user must have for their consent to be specific. Therefore, the aim of specific consent appears to be to make the user aware of the purpose for which the personal data is processed.

Unconditional, Unambiguous

These conditions do not generally entail any obligation on the part of the entity processing the personal data. In an online setup, it is unlikely that the user has the means to provide consent that is conditional.

For consent to be unambiguous, the standard under law is that the specific word or phrase should be capable of only one meaning in the context. 

Clear affirmative action signifying consent for the processing activity

The consent must be obtained by an action that clearly shows that the consent was given for the processing activity. The European Data Protection Board’s guidance suggests that this requirement is fulfilled when the action that confirms the consent of the user is not the same motion as accepting the terms and conditions or any other such action. This requirement also entails that the consent is not obtained through pre-ticked boxes or actions such as browsing through the consent notice.

These conditions will likely be fleshed out in the DPDP Rules, similar to the Draft Rules, which require that the notice be presented to the user. It is likely that, once the notice is presented, the action giving consent will not be the same motion as other actions.

Limited to personal data required for specified purposes 

This consent requirement integrates the principle of data minimisation. EDPB guidance covers the following elements:

  • Scope of data collected
  • Extent of processing
  • Storage period
  • Limited access

These elements can help structure an inquiry into whether the data processing accounts for the data minimisation requirement. The standard for this inquiry, as set by the European Court of Justice, is a ‘strictly necessary’ test. This requirement is so strict that the ECJ did not allow the collection of prefixes such as Mr/Ms in rail ticketing systems, as it was not strictly necessary.

Therefore, for consent to be valid under the DPDPA, these requirements must be fulfilled. Merely obtaining consent does not meet the standard that the entity processing personal data has to comply with.