1/2/23, 8:47 PM DPDP Bill 2022: ‘Deemed’ Consent, to users’ detriment :: Reader View

www.medianama.com /2022/12/223-dpdp-bill-2022-deemed-consent-to-users-detriment-views/

DPDP Bill 2022: ‘Deemed’ Consent, to users’ detriment

ByGuest Author Published December 12, 2022 ⋮ 6-8 minutes ⋮ 12/12/2022

By Vinay Narayan

While the release of the Digital Personal Data Protection Bill, 2022 (DPDPB) is welcome, given that India
does not have a data protection law at all as yet, the DPDPB carries forward some concerning provisions
from the previous Personal Data Protection Bill, 2021 (PDP). One such provision is that of ‘Deemed
Consent’ (S. 8 of the DPDPB), that sets out situations where the consent of the data principal for processing
of her data is assumed, and does not need to be explicitly sought. Deemed consent is usually determined
by courts based on the circumstances of a case and the actions of parties involved.

At the outset, it must be noted that the reliance on the notice and consent framework within the DPDPB,
similar to the EU GDPR, is problematic. Even when provided a notice, users are typically unaware of the
actual uses their data is put to. Moreover, the flood of consent notices leads to consent fatigue, wherein
users consent to everything by default as they are constantly bombarded with consent notices. Admittedly,
the DPDPB has sought to mitigate this issue by recognising ‘consent managers’ – data fiduciaries who will
help users manage their consent. One hopes that this is the first step towards a broader legal recognition in
India of data stewards – trusted intermediaries who engage and negotiate with stakeholders to represent
the best interests of data principals.

Section 8 of the DPDPB carries within it provisions from the PDP that were contained in Sections 12 – 14.
While the DPDPB has been commended for being a shorter and more concise legislation than the PDP, in
the case of ‘deemed consent’, brevity comes at the cost of clarity and user protection. Three instances that
stand out are deemed consent for situations involving reasonable expectation, employment relationships,
and credit scoring.

FREE READ of the day by MediaNama: Click here to sign-up for our free-read of the day newsletter
delivered daily before 9 AM in your inbox.

Section 8(1)

The first subsection under the ‘deemed consent’ provision notes that consent is deemed to be given in a
situation where a data principal voluntarily provides the data and it is reasonably expected that she would
provide such personal data. However, the provision makes no mention of the consent being limited to the
purpose for which data was provided. Further, the standard of reasonableness (set out in sub-section 8(9)),
will only serve to cause problems as it includes the reasonable expectation of the data principal. Setting
aside the fact that most people do not understand the consequences of the sharing of their data,
determining what is a ‘reasonable expectation’ for an individual is extremely complex in a country like India
where digital literacy rates vary widely between rural (25%) and urban areas (61%), between States (60-
80% in rural Kerala while 0-20% in rural UP), between sectors, and within sectors themselves.

Employment relationship

file:///C:/Users/Poornashree/AppData/Local/Microsoft/Windows/INetCache/IE/1LUYF1IC/DPDP Bill 2022 ‘Deemed’ Consent, to users’ detriment[1… 1/3

1/2/23, 8:47 PM DPDP Bill 2022: ‘Deemed’ Consent, to users’ detriment :: Reader View

1.13 of the PDP, which dealt with deemed consent in employment situations, laid out four scenarios where
an employer could process an employee’s data without her consent. This was further caveated by noting
that such processing could be done when consent would not be appropriate given the nature of an
employer-employee relationship, or if obtaining consent would involve disproportionate effort on the
employer’s part. S. 8 of the DPDPB has done away with this. Consent will now be deemed to have been
given if the processing is necessary for the purposes of employment. This opens the door for non-
consensual processing of an employee’s data by her employer seriously violating an employee’s privacy.
Such a provision will now enable the further use of surveillance technologies that allow employers to take
screenshots and video monitoring – without the consent of employees. This can have deleterious
consequences for employees’ privacy. The employer already exercises a great degree of power in the
employer-employee relationship dynamic, and such provisions will only deepen the imbalance and give
employers greater control and leverage over their employees.

Credit Scoring

While non-consensual processing for ‘public interest’ (DPDPB S. 8(8)) was allowed in the PDP (S. 14), it
was safeguarded by the need for explicit regulations allowing for non-consensual processing in these
circumstances. Furthermore, the Data Protection Authority was also empowered to lay down additional
safeguards in such situations. The DPDPB however does away with these requirements. This is especially
concerning in the area of credit scoring, with the use of AI-based systems that find empirical relationships
between new factors. This can be done through analysis of a range of data from social media profiles to
activities such as what is eaten and worn. This has serious implications for privacy and the financial
wellbeing of individuals, and the DPDPB has now expanded the scope of data that can be processed for
this without an individual’s explicit consent.

Conclusion

Section 8 serves to aid the processing of an individual’s data without their explicit consent, without
adequately safeguarding their rights and interests. What is also critical is that while the DPDPB recognises
the right to withdraw consent (Section 7(4)), it would appear that this right does not apply to situations of
deemed consent, thus further weakening the rights of a data principal in such an instance.

While it is important for data protection legislation to account for the futility of obtaining consent in certain
cases, allowances for non-consensual data processing must not reach a level that threaten individuals’ right
to privacy and open the door for further harms. Given that the DPDPB is still in the public consultation
phase, one hopes that allowances for data processing in the DPDPB where consent has been ‘deemed’ to
be given are read down.

Vinay Narayan is a researcher at Aapti Institute

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with
attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

file:///C:/Users/Poornashree/AppData/Local/Microsoft/Windows/INetCache/IE/1LUYF1IC/DPDP Bill 2022 ‘Deemed’ Consent, to users’ detriment[1… 2/3

1/2/23, 8:47 PM DPDP Bill 2022: ‘Deemed’ Consent, to users’ detriment :: Reader View

Also Read

DPDP Bill 2022: A Balance Of Opportunities And Data Protection Objectives

How Does The New Data Protection Bill Affect Platform Gig Workers?

What’s Missing From The Consent Manager Framework In The Data Protection Bill, 2022

Protecting Personal Data: Where Grievance Redressal Falls Short

file:///C:/Users/Poornashree/AppData/Local/Microsoft/Windows/INetCache/IE/1LUYF1IC/DPDP Bill 2022 ‘Deemed’ Consent, to users’ detriment[1… 3/3