P.S: This series of articles is an attempt to place some issues before the Government of India which promises to bring a new Data Protection Law that is futuristic, comprehensive and Perfect.
“Consent” is an important aspect of establishing the “Lawful basis” in Data Protection Laws. PDPB 2019 suggested that “Consent” is “Mandatory” and should meet the requirements of Section 14 of the Indian Contract Act.
Section 14 of the Indian Contract Act requires consent to be “Free” which means that there should be no “Coercion”, “Undue Influence”, “Fraud”, “Misrepresentation” or “Mistake”.
The term “Informed Consent” should be interpreted as equivalent to “Free” consent and it has to be achieved through a properly designed “Notice”. The reason why we say that “Notice” has to be “Clear” and “Precise” and rendered in such a manner that the data subject “Understands” it is because it has to stand the test of “Free Consent”.
For the “Consent” to be legally admissible, it has to meet the requirement of law that applies to “Authentication” of Electronic Documents. In India the law applicable to authentication of electronic documents is Sections 3 and 3A of ITA 2000 and Section 65B of the Indian Evidence Act.
While Sections 3 and 3A speak of Digital and Electronic Signatures that can be used by the Data Subject/Principal to authenticate the electronic notice, Section 65B renders a document admissible in a Court of Law if it is properly certified and hence serves the purpose of authentication through third party witnessing.
Where it is not feasible to obtain the electronic or digital signature of the executant, the document can only be a “Deemed Consent”. “Deemed Consent” is supported by some electronic evidence which will be admissible provided it is Section 65B (IEA) certified.
Hence a valid consent in Indian law in electronic form requires either an online electronic signature in the form of e-sign or collection of meta data about the transaction that can be Section 65B certified by an independent witness. The Supreme Court in its enthusiasm to uphold Privacy has stated that Aadhaar cannot be used for authentication by the private sector though there is a system of “Pseudonymised Aadhaar” (Virtual Aadhaar) that could be used for authentication without adversely affecting the privacy of the individuals. Unfortunately, despite the authorization to use “Virtual Aadhaar ID” for KYC purposes in the Aadhaar Amendment Act, its use has not been universal.
Alternatively, authentication can be obtained through collection of meta data of the consent transaction and archiving it with Section 65B certification as may be necessary.
At present “Online Consents” are obtained as “Click Wrap Contracts” where the data subject clicks on a button to “Agree” to a document which is more a “Standard form of contract”. This form of contract does not have validity in India as a “Documentary Contract” and the industry is being misled by considering that such online acceptance is legally valid.
At the same time, industry has not been using “Section 65B certified Archiving” to supplement its documentation of consent which is the responsibility of the Data Fiduciary/Controller.
In this context, it is necessary for the New Data Protection Act of India to provide appropriate clarity on whether online click wrap contracts are acceptable and if so under what conditions.
Additionally, “Consent” even if authenticated can only apply to the information that the data subject provides during the collection process.
“Consent” for some information which a person is not aware of fails the test of “Meeting of Minds” which is essential for a valid contract since what the data subject thinks he is agreeing to and what the data controller thinks he is getting the consent to may be different. A Data Analytics company may be using the collected personal data and may be able to create useful “Profiles” which are “Discovered Uses” of supplied data. While we may prescribe that consent should be obtained after discovery and before the first use of the discovered personal data, the “Discovery Process” itself may be construed as “Processing for a purpose not authorized in the initial consent”.
Hence we need to distinguish “Consent” for personal data of which the data subject is aware and which he provides for a stated purpose (Shared Data Consent) from “Consent for Discovery of Personal Data”. This situation is analogous to the sale/lease of land with a consent for mining and discovery of minerals of which neither party is aware at the time of sale/lease of the land.
We therefore suggest that “Discovery Consent” has to be defined in the new law.
We have already discussed the need of “Witnessed Consent” while discussing the coverage of “Neuro Rights” and this will be another form of consent to be defined in the law.
We have also discussed the need to consider different kinds of profiles such as “Health Profile”, “Financial Profile” or “Advertising Profile” as “Sensitive personal data” and correspondingly the need to get “Explicit/Special consent” in such cases.
We have also discussed “Monetization” as a concept in law for which also a special “Monetization Consent” can be defined.
Hence we suggest that the NDPAI (New Data Protection Act of India) can define the following different types of consent as explanations under Section 11 of PDPB 2019 or elsewhere in the definition section.
Additionally, in view of the concept of “Consent Managers” as envisaged in the PDPB 2019, there will be a need to define “Consent for giving Consent” or “Authorizing another person to provide consent on behalf of the data principal”. This will also be relevant when the data principal is in a state where his contractual capacity is suspended as in the case of Minors, Insolvent persons, or mentally incapacitated persons or persons in inebriated conditions or even those who are physically challenged.
- Authorization Consent (Consent to appoint an agent for disclosure of personal data which may apply to Consent Managers and Heads of families)
- Shared Data Consent (Similar to current practice of Free/Informed Consent applicable for data about the data subject collected directly or through an authorized third party)
- Profiling Consent (New thought)
- Monetization Consent (New thought)
- Witnessed Consent (New thought)
- Discovery Consent (New thought)
An attempt is made in the following paragraphs to define these types of consent. It may be refined suitably through further discussions.
Authorization Consent means consent provided by a data principal to an authorized agent to disclose, share, and consent to further processing of the personal data of the data principal.
Shared Data Consent
Shared Data Consent means consent provided by a data principal or his authorized agent to a Data Manager for personal data which the data provider is aware of and for the legitimate purpose of processing and disclosed uses of data that he has been made aware of by the Data manager and he has agreed to.
Profiling consent means consent provided by the Data Principal or his authorized agent to the Data manager for use of the data about the data principal, whether collected directly or otherwise, for profiling of the data principal, and the conditions, if any, of the use, disposal and portability of such profiles.
Monetization consent means consent provided by the data principal or his authorized agent to the Data manager for use of personal data or profile created out of the personal data of the data principal for generating revenue with or without consideration being paid to the data principal.
Witnessed Consent means consent provided by a data principal which is witnessed by independent third parties who do not have conflicting interest in the processing of the personal data under circumstances that the data principal may not be reasonably expected to provide a free consent, and includes sharing of neuro data or sharing of personal data when the data principal is not in a medical condition to provide informed consent.
Discovery Consent means consent provided by the data principal or his authorized agent for a purpose of processing which is speculative in nature and could discover personally identifiable data or new uses not otherwise envisaged in the consent.
P.S: These discussions are presently for debate and are a work in progress awaiting more inputs for further refinement. It is understood that the Government may already have a draft and may completely ignore all these recommendations. However, it is considered that these suggestions will assist in the development of “Jurisprudence” in the field of Data Governance in India and hence these discussions will continue until the Government releases its own version for further debate. Other professionals who are interested in participating in this exercise and particularly the Research and Academic organizations are invited to participate. Since this exercise is too complex to institutionalize, it is being presented at this stage as only the thoughts of Naavi. Views expressed here may be considered as personal views of Naavi and not that of FDPPI or any other organization that Naavi may be associated with.
Consent in PDPB was envisaged as a contract. PDPB also envisaged a role of a Consent Manager who could provide consent and exercise rights on behalf of a data principal.
Whether we call it as an assignment or contract, Consent transfers certain rights from the data subject to the data controller.
There does not seem to be any prohibition that the Right to give a consent cannot be delegated.
GDPR also accepts consent directly or indirectly in the form of a contract.
I understand why there could be a doubt.
We say right of privacy is a right of choice. If so, the doubt is whether somebody else can exercise a choice for me.
Remember, it happens now in the case of medical instances when relatives exercise rights for a patient who may be unconscious or a person who is insane.
Hence the possibility that X can exercise the choice for Y is not unheard of.
This is compatible with the fact that what we protect in GDPR or PDPB is not “Privacy” per se but “Information Privacy”.
Information privacy consists of a set of personal data that is disclosed by the data subject to the data controller under a contractual document and the receiver acting as per the contract.
Hence either with a power of attorney or a similar deemed contract, the consent giving right can be transferred…. This is my view.
There are other issues such as ITA 2000 does not permit a Power of attorney document in electronic form and that the data fiduciary has to act beyond the contractual obligations because of the trusteeship obligations.
I am therefore suggesting the use of the term data manager instead of either data fiduciary or data controller. Also the Data protection act may itself be considered as providing legal recognition for transfer of rights of consent through an agent.
A similar problem was there in the Nomination aspect included in PDPB 2019.
Further even the click wrap contract can be recognized under the Data protection act itself to override the current ITA 2000 or added as an exception in the new Digital India Act which may replace ITA 2000.