The past as a compass for the future

The past as a compass for the future

SMEs and the startup ecosystem in India share concerns about the (retracted) draft Data Protection Bill, 2021 - and the way forward for businesses

Sweta Dash

@sd93

Consent Management

Submitted Aug 15, 2022

The DPB has had several additions that increase non-consensual processing of data, and thereby displace consent from the foundation of a bill that is ostensibly designed for data protection law.

Clause 13 of the DPB notes that non-consensual processing of data “can reasonably be expected by the data principal.”1 Clause 14 also disregards user consent for measures like search engine operation and credit scoring. In fact, Section 13 (Processing of personal data necessary for purposes related to employment etc.), provides an employer (the data fiduciary here) access to the personal data of an employee (data principal) without consent if the employer makes a determination that it is “not appropriate” or involves “disproportionate effort” to request consent from an employee or a potential employee.

Respondents found the absence of a clear definition of “reasonable purposes” to be another factor for causing ambiguities and increasing compliance burdens.

They also remain unsure of how to properly take stock of informed user consent in ways that explains to them what are the possibilities for their data storage, transfer, and processing. One of the respondents said, “Now, the problem is (that) consent is a legal language, more or less in terms of how it is going to be (materialised and therefore implemented). So when the Bill talks about explicit consent, now, translating that into a localised format is going to be a major challenge. And that needs some level of creativity to solve.”

The DPB expects businesses to have multiple levels of consent mechanisms and also operate with consent managers. Respondents found this to be a cumbersome addition to doing compliance.

A founder of an agritech business said, “I’m not sure of what it is that the government entails from us from a regular, you know, from a day, from a monthly perspective? Are they asking us for a report? It’s not clear to me right now.” She added that while they value user consent and privacy, “we don’t think you have to have multiple steps and multiple things of consent, and we don’t believe in making the process very cumbersome for the companies.” 2

For her, a good middle path would be to have “basically just one sign off or one waiver that says - hey, I’m going to use this data for this, this is for our purposes only, and it’s not going to be shared with any third party. And I think that pretty much should be okay, because it covers everything. Just this instead of having to engage with the data protection officer and different levels of compliance. Then, if the company is found in violation of that, then action might be taken.”

Another architect from a FinTech business said users are used to a one click system for all. “So the more steps you create into your journey, the more friction it trades for the end consumers.” For their business, one that connects across different verticals, consent has to be taken from “not only from the end consumer, but from the lenders, merchants, and so on.”


  1. See Who Needs Consent Anyway? The JPC’s Suggestions Worryingly Expand the Scope of Processing Non-Consensual Data: The Bastion Feb 21, 2022 ↩︎

  2. A consistent pattern in the recent policies, including IT Rules 2021, CERT-In guidelines, businesses are required to produce monthly/periodic reports which contain data about compliance and non-compliance, and other information related to the business and the users. Such reporting increases burdens on businesses in that personnel has to be allocated to get the reporting data; reports have to be compiled and reviewed by either a dedicated staff member or someone does in addition to their role in the organization. And someone has to sign-off on the report by assuming responsibility in case there is questioning in future. See Nadika Nadja’s review of the IT Rules 2021 - Information Technology - Guidelines For Intermediaries and Digital Media Ethics Code - Rules, 2021: - specifically the recommendations section on monitoring and reporting. Also see Nadika Nadja, Anand Venkatnarayanan and Kiran Jonnalagadda’s analysis on “maturity and intent” of privacy in organizations at Privacy practices in the Indian technology ecosystem: A 2020 survey of the makers of products and services ↩︎

Comments

{{ gettext('Login to leave a comment') }}

{{ gettext('Post a comment…') }}
{{ gettext('New comment') }}
{{ formTitle }}

{{ errorMsg }}

{{ gettext('No comments posted yet') }}

Hosted by

Deep dives into privacy and security, and understanding needs of the Indian tech ecosystem through guides, research, collaboration, events and conferences. Sponsors: Privacy Mode’s programmes are sponsored by: more

Supported by