Introduction
As the use of digital technology and the internet continues to grow rapidly, the protection of personal data has become a pressing concern. The Ministry of Electronics and Information Technology (“MeitY”) recently published a new draft of the long-awaited data protection bill to ensure the privacy and security of personal data. The Digital Personal Data Protection Bill (“DPDP Bill”) is the latest in the series of draft legislations that were introduced (and withdrawn) since mid-2018. The DPDP Bill was published on 18 November 2022.
One of the notable features of the DPDP Bill is the concept of ‘deemed consent,’ which allows data fiduciaries to process data without explicit consent from the data principals. However, this provision has raised concerns about whether it provides an adequate level of protection for data principles and whether it is comparable to the ‘legitimate interest’ provision under the General Data Protection Regulation (“GDPR”). This article discusses the provision of deemed consent under the DPDP Bill and compares it with the legitimate interest provision under the GDPR to understand the similarities and differences between the two. Finally, the article also provides an opinion on whether the former is at par with the latter.
What is Deemed Consent?
Deemed consent is a legal concept that allows for the processing of personal data without explicit consent when certain conditions are met. Under the DPDP Bill, deemed consent is one of the lawful ways of processing data. It can be used in situations where processing is necessary for providing a service and it can be ‘reasonably expected’ that the data principal would provide such data[1].
What is Legitimate Interest?
Under the GDPR, businesses must have a lawful basis for processing personal data. One of the six of these lawful bases is legitimate interest as defined in Article 6(1)(f) of the GDPR. Legitimate interest can be applied when an organization has a genuine and legitimate reason for processing personal data, and the processing is necessary for that reason. It is based on the principle that some processing is necessary for the legitimate interests of an organization, or a third-party, and that these interests are not outweighed by the rights and freedoms of the data principal.
Table 1.1 provides a comparison of the provisions of deemed consent under the DPDP Bill and the provision of legitimate expectations under the GDPR.
Table 1.1
| S. No | GDPR | DPDP Bill | |
| 1. | Deemed consent | No provision of deemed consent. | Deemed consent is a lawful basis for processing data under section 8 of the Bill. |
| 2. | Legitimate interest | Legitimate interest is a lawful basis for processing data. | Legitimate interest under deemed consent is a lawful basis for processing data for a ‘fair and reasonable purpose as may be prescribed.’ |
| 3. | Exceptions to consent | Data can be processed without consent under some circumstances[2]. | Data can be processed with ‘deemed consent.’ Additionally, under section 18 of the Bill, the central government may exempt from the application of certain provisions of the Bill. |
| 4. | Is it absolute? | Legitimate interest cannot be applied absolutely in any circumstance. The data fiduciary or a third-party need to prove purpose, necessity, and balance[3]. | Deemed consent cannot be applied in absolute, the Bill lists the purpose for which deemed consent is to be used. Additionally, certain reasonable safeguards are also required. |
| 5. | Underlying assumption | Legitimate interest does not presume that both parties’ interests are balanced and hence the three-part test is mandated. | At the outset, deemed consent may appear as a broad provision, however, the DPDP Bill clearly lays down the instances where deemed consent applies. Section 8(9) hints the requirements of the three-part test with an addition of public interest as a basis.
‘Fair and reasonable purpose’; ‘legitimate interests outweighing any adverse effects on the rights of the Data Principle; ‘reasonable expectations of the data principle[4]’ seem to borrow from the GDPR which also proposes that the organizations balance legitimate interests and the necessity of processing the personal data against the interests, rights and freedoms of the individual considering the circumstances[5]. |
Observations based on Table 1.1
1. The DPDP Bill’s deemed interest provision is at par with the GDPR standards. Although the GDPR is more exhaustive as compared to the DPDP Bill, it should be noted that the provisions under the DPDP Bill provide obligations that are in tandem with the GDPR. Legitimate interest under both the laws aim are certain relaxations for the data fiduciary to prevent ‘consent fatigue[6].’ However, it should be noted that under both the laws, there are restrictions posed on the instances where legitimate interest[7] / deemed consent can be applied[8]. The reason for this is to preserve the sanctity of the privacy laws while also balancing the interests of the data fiduciaries.
2. The GDPR provides a more comprehensive understanding of where legitimate interest can be used and mandates a three-part test based on three key elements given in article 6(1)(f)[9]. However, it should be noted that the current draft of the DPDP Bill does not dilute the standard of requirements set forth by the GDPR; rather it stands in tandem with it by imposing necessary restrictions on the usage of deemed consent.
3. Under the DPDP Bill, deemed consent also lists legitimate interest as a basis for processing data provided the legitimate interest outweighs any adverse effects on the rights of the data principal. Under the GDPR, legitimate interest can be used by the data fiduciary as well as by a third party if the interests are not overridden by interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Hence, if we look at this particular provision, the DPDP Bill is more restrictive than the GDPR as it does not state that the legitimate interest exception can be used by a third-party as well.
4. Like the UK GDPR, the DPDP bill also states usage of legitimate interest in the interest of the public[10]. The GDPR also lists activities that may require the usage of legitimate interest exception[11]. These are not binding and there can be other instances where this exception can be used provided it clears the three-part test. The DPDP Bill does not, at the moment, provide a direction as to where this exception can be used, however, much like the GDPR it does include ‘reasonable purpose.’ Reasonable purpose can be deduced to mean a reasonable expectation of a rational person[12].
What do businesses need to do?
1. GDPR
a. Conduct a legitimate interest assessment: The organization must conduct a legitimate interest assessment (“LIA”) to determine whether the processing is necessary, proportionate, and in line with the expectations of the concerned data principal.
b. Document the LIA: This ensures that there is a clear audit trail of the decision-making process.
c. Inform the data principal: This should be done in a clear and transparent way such as through a privacy note[13].
d. Provide an opt-out: The organization must provide data principles with the right to object to the processing of their personal data for legitimate interests[14]. If an individual objects, the organization must stop processing their personal data, unless they can demonstrate compelling legitimate grounds for the processing that override the data principal’s rights, interests, and freedoms[15].
2. DPDP Bill
It should be noted that the provision of deemed consent does not change the nature of the consent obtained but rather the mechanism. Deducing logically, even though the Bill does not provide an opt-out provision under deemed consent, it does provide a general right to correction and erasure of data under chapter III of the Bill. This means that organizations need to invest in opt-out mechanisms even if they process data under deemed consent. Many countries, including India are moving towards a common privacy ground where data and privacy can be governed by similar set of principles. The EU’s GDPR is widely regarded as the most comprehensive data protection law currently in effect. The DPDP Bill incorporates provisions that align with the GDPR, such as requirement of free and clear consent for processing data, right to correction and erasure of personal data and legitimate interest as a lawful basis for processing data. As the GDPR has become a global standard for data protection, it is crucial to view the DPDP Bill in the context of this broader framework, highlighting the importance of ensuring that the provisions of the DPDP Bill align with the principles and standards of the GDPR.
Conclusion
After comparing and analyzing the provisions in both the laws, it can be concluded that deemed consent under the DPDP Bill is at par with the legitimate interest provision under the GDPR. Both provisions aim to balance the interests of the data principle and data fiduciary. Although both the laws aim at protecting the personal data of citizens, it is also important that certain relaxations such as discussed above be granted to avoid ‘consent fatigue.’
While deemed consent provision allows for data to be processed without explicit consent, it does pose certain limitations (‘reasonable expectations’) and safeguards. The provision only applies in certain situations and the data fiduciary must comply with accountability requirements. Section 8(9) also hints at the purpose, necessity and balance test required under the GDPR to claim legitimate expectations.
Undeniably, the GDPR provides a more comprehensive framework for the usage of legitimate interest as a basis for processing data, however, overall, the DPDP bill does not seem to diminish the framework of privacy. It will be interesting to see how the deemed consent provision will be implemented in practice and the approach that the judiciary will take[16].
[1] The scope has been defined in section 8.
[2] Listed in article 6(1) of the GDPR.
[3] The three-part test, https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/grounds-processing/what-does-grounds-legitimate-interest-mean_en#:~:text=Your%20company%2Forganisation%20has%20a,security%20of%20your%20IT%20systems.
[4] Section 8(9).
[5] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/.
[6] Consent fatigue can arise from the stringent requirements imposed by data protections laws. Under the DPDP Bill, consent must be free, specific, informed, and unambiguous. Additionally, the contact information of a Data Protection Officer must be made available.
[7] Rotschild GmbH v. Land Baden-Wurttemberg, Germany 2019.
[8] Section 8.
[9] Purpose, necessity and balance, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/.
[10] The scope has been defined in section 8.
[11] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/
[12] https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/.
[13] Fashion ID gmbH & Co. KG v. Verbraucherzentrale NRW e.V., C-40/17.
[14] Wirtschaftsaksdemie Schleswig-Holstein GmbH v. Unabhangiges Landeszentrum fur Datenschutz Schleswig-Holstein, C-210/16.
[15] One such case is of ICO v. The Royal Free NHS Foundation Trust [2017] UKFTT 2017_0268 (GRC).
[16] Whether it will be in line with the approach taken by the EU courts.
Author Bio
