Union Cabinet has cleared the Digital Personal Data Protection (DPDP) Bill, 2023, to be tabled before the Parliament in the upcoming monsoon session. This is the revised version of the DPDP Bill, 2022, published in November last year.

The 2023 Bill covers all online and offline data in India under its ambit. It obliges the data fiduciaries to maintain accuracy, secrecy and delete the data upon completion of the purpose.

Under this Bill, personal data can be processed only if an individual has consented to it. Exemptions are applicable only to the government on grounds of national security and law and order, thereby doing away with the blanket exemptions of the 2022 Bill, but the ‘consent’ may be deemed in certain cases.

‘Deemed consent’ is consent that will be deemed to have been given for processing the personal data, if it is necessary, under certain specified conditions.

When is consent ‘deemed’?

As a rule, both knowledge and consent, with respect to an individual, are required for the collection, use or disclosure of personal information. However, in certain circumstances, personal information may be collected, used or disclosed without the knowledge and consent of the individual concerned. This is called ‘deemed consent’. For example, legal, medical or security reasons may make it impossible/impractical to seek appropriate consent. When information is being collected for the detection and prevention of fraud, or for law enforcement reasons, seeking the consent of the person related to such data might defeat the purpose of collecting that information.

Therefore, one can see that a wide variety of actions and activities could lead to situations of using the ‘deemed consent’ provision under the 2022 Bill. The data principal (the individual to whom the personal data relates) would have ended up making their personal information available without any affirmative action on their own part. Thus, merely by having an interface with certain technology, an individual might make their personal data available without actually agreeing to its collection or use. This is now hopefully restrained under the 2023 Bill.

It also appears that there is no notice requirement for instances of deemed consent under the Bill. It could be made mandatory in certain cases of non-consensual processing particularly when deemed consents are involved. Also, the possibility and provision for the data principal wanting to withdraw their deemed consent is unclear.

Deemed consent in other countries

Somewhat similarly, Article 6 (‘Lawfulness of processing’) of the EU’s Global Data Protection Regulation (GDPR) states that in the absence of the data subject’s consent, processing will be lawful only if it is ‘necessary’ for certain reasons, such as contractual performance, legal compliance, protection of individual vital interests, and public interest.

Singapore’s Personal Data Protection Act, 2012, too similarly envisages explicit situations of deemed consent.

Canada’s Personal Information Protection and Electronic Documents Act, 2000, lists out a separate set of conditions for using the personal information collected without the knowledge or consent of the individual concerned.

These regimes might come across as adequate guidance for policymakers to hopefully resolve concerns about ‘deemed consent’ under the 2023 Bill.

(Trisha Shreyashi is an Advocate. Aman Priyadarshi is a law & policy researcher)