However, there are instances where the bill assumes that your consent is already received by the company for using your personal data and they do not have to specifically ask for consent.
Here is a look at the concept of ‘deemed consent’ in the proposed data bill that will allow organisations to use an individual’s personal data.
How permission is to be obtained for using personal data
The proposed bill permits processing personal data when consent of an individual has been obtained. Such consent has to be obtained for a specific and lawful purpose. Consent may be obtained after a notice (e.g., a privacy policy) is given to an individual in clear and plain language, specifying personal data sought to be collected, purpose of processing along with contact details of an officer designated by the company for answering questions of individuals relating to personal data. Such request or notice must be provided to an individual with an option to access such request in English or another Indian language.
What is Deemed Consent
Consent may either be express or implied. An express consent must be freely given, specific, informed and unambiguous and should be obtained by a clear action signifying agreement to processing of personal data. On the other hand, the proposed bill also permits an implied consent referred to as ‘deemed consent’ under the bill.
Individuals are deemed to have provided consent in situations where personal data is voluntarily provided to a company by the individual. Such a reasonable expectation from the voluntarily provided personal data as indicated, may vary depending on the situation under which the personal data is provided. When personal data is voluntarily provided by an individual for a specific purpose such as for using certain services, it is reasonably expected that it would not be used for any other purpose such as for marketing communications.For example, when ordering any item from an e-commerce website, deemed consent may be assumed for personal data (such as name, address, contact number and payment details) where it is reasonably expected to be provided for paying for a product and facilitating delivery of the same to the individual’s specified address. The purpose for collecting such information is equally important.
It is important to note that companies are not permitted to collect personal data unrelated to the purpose for which data is collected and cannot share personal data with any other organisation without informing about the same to the individual and obtaining consent.
For example, when an individual installs an app of a cab-hailing company, the company cannot collect medical history and other un-related data. The collection of such details can be done only after the company has informed individuals as to which personal data is being collected, the purposes of collection and then obtain consent expressly without relying on deemed consent.
Therefore ‘Deemed consent’ is limited to the usage of personal data for specific purposes.
What situations may involve Deemed Consent
The proposed bill has mentioned instances and situations where deemed consent concept is used. This would mean that companies, organisations or the government would use an individual’s personal data without explicitly asking for consent in the kind of situations mentioned as examples.
1. Deemed consent by the government for issuing certificates
Consent is deemed to have been given when the personal data of individuals is used to perform functions under law or for provision of any service or benefit to individuals. Consent is also deemed to have been given when personal data is used for issuing certificates, licenses or permits by the government or its agencies.
For example, when personal data of an individual is collected as part of an application for issuing driving license by the State Transport Department, then such processing of personal data would not require express consent, as the government would process the same relying on deemed consent for issuing the license.
2. Medical emergencies or processing during disasters or epidemics
Consent for processing of personal data is also deemed to have been given when data is used in case of medical emergencies which involve threat to life or health of any individual. This is intended to enable hospitals, medical institutions, and first-aid respondents to use personal data necessary for protecting the life and health of persons, without the need to obtain consent specifically.
Deemed consent for use of personal data is also permitted for taking measures in cases of public health emergencies, epidemics, disasters or in case of breakdown of public order.
For example, the use of personal data of individuals was necessary during the COVID-19 pandemic for contact-tracing and management of the pandemic response. It may also be used by other departments during disasters, such as fire or other natural disasters for coordinating and targeting disaster response action.
3. For employment purposes
Companies may use personal data of their employees without explicitly asking for consent in certain cases. Some of these cases are – company wanting to prevent corporate espionage or maintaining confidentiality in respect of trade secrets, intellectual property or other classified information.
For regular employment purposes such as recruitment, termination, attendance verification, performance assessment and for provision of services such as health insurance, consent need not be obtained specifically. Instead, an employer may rely on deemed consent to process personal data in such cases.
4. Public Interest and Reasonable Purposes
The proposed law also enables the assumption of deemed consent for usage of personal data for certain public interest purposes and other reasonable purposes. These include:
(a) Preventing and detecting fraud: This is relevant when personal data of users is used before onboarding them, for preventing fraud and complying with law. For example, collection of basic identity and KYC documents. Personal data may also be processed for detecting fraudulent activities.
(b) Mergers, acquisitions and corporate restructuring transactions: Companies may use deemed consent under the proposed bill for transferring personal data of employees as part of acquisitions, mergers of companies or other forms of corporate restructuring transactions.
(c) Network and information security: Companies may use personal data of their employees for safeguarding the information security framework of their computer systems and networks from phishing emails, DDOS and other attacks against their networks.
(d) Credit Scoring and Debt Recovery: Banks, NBFC and other financial services companies can use personal data of an individual for verifying creditworthiness prior to granting approval or sanctions for loans, advances, credit cards etc. They may also use this ground for recovery of debts extended to individuals.
(e) Search engine operations: Search engines such as Google may include personal data as part of their search results. Under the proposed bill, they are permitted to rely on deemed consent for using personal data to provide such information. For example, a search about an individual may reveal further personal data, contact details or more information identifying such individual, for which deemed consent may be relied upon.
Certain fair and reasonable purposes may also be specified by the government, which can be used for processing personal data with deemed consent. These would be specified after taking into account interests of companies and adverse effect on individuals, public interest and reasonable expectations of individuals.
Conclusion
The introduction of deemed consent enables companies to rely on this ground, instead of procuring consent for every data processing activity undertaken by them. From an individual standpoint, this enables keeping consent fatigue (i.e., reduced attention span as a result of frequent or multiple requests for consent) at bay.
Instead, express consent may be resorted to only for specific circumstances and situations thereby improving meaningful, informed and valid consent. Companies must exercise caution when relying on this ground of consent as the onus remains on such entities to prove that appropriate consent was taken prior to usage of personal data of individuals.
(Prashant Phillips is Partner at Lakshmikumaran & Sridharan Attorneys.)