Month: June 2023

While the current draft of India’s Digital Personal Data Protection Bill, 2022 (“DPDP”) is partly similar to the EU’s General Data Protection Regulation (“GDPR”) with respect to ‘notice’ and ‘consent’ requirements, the former introduces certain unique elements – such as ‘deemed consents’ under Section 8, involving nine subsections.
While a consent under subsection (1) may be considered ‘deemed’ when a person voluntarily provides their data and it is reasonably expected that they would provide it in such a situation (similar to Section 15 of Singapore’s Personal Data Protection Act, 2012 (“PDPA”)), sub-sections (2) to (9) deal with circumstances where data may be non-consensually processed on account of a necessity or a prescribed purpose (similar to Article 6 of the EU’s GDPR). Although both such categories have been included under the same provision, they are inherently different.
While Singapore’s PDPA specifically imposes purpose limitations and requires reasonable necessity (e.g., contractual performance) with regard to deemed consents, DPDP’s Section 8(1) does not. It is also unclear if ‘notice’ requirements apply to deemed consents under the latter provision. Further, unlike the EU’s GDPR, subsections (2) to (9) of DPDP’s Section 8 do not permit non-consensual processing by non-state and/or private entities other than in a few limited circumstances.
At the same time, a wide variety of human activity could lead to deemed consents under Section 8(1). For instance, during interface with a new technology or platform, an individual may inadvertently (albeit ‘voluntarily’) make their personal data available without actually agreeing to its collection or use. In that regard, DPDP is ambiguous about the possibility of withdrawing a deemed consent –although it allows consent withdrawals in general. Since data processing is required to stop in such cases – unless non-consensual processing is authorized by law (or is otherwise necessary), the final draft of DPDP could clarify this point.

Given the imminence of India’s refurbished digital data framework, along with the diversely innovative ways in which personal data is collected and/or processed today on account of new technologies and platforms – ‘notice’ and ‘consent’ requirements have assumed additional importance.
In this note, we address some such aspects with reference to the current draft of India’s Digital Personal Data Protection Bill, 2022 (“DPDP”) and the EU’s General Data Protection Regulation (“GDPR”).
While DPDP mirrors certain provisions of GDPR with respect to notice and consent, there are significant departures from the EU template. In particular, while earlier iterations of DPDP had more faithfully reproduced GDPR-like disclosure requirements that were comprehensive, elaborate, and rights-laden, DPDP in its present form eschews several such principles. Moreover, DPDP introduces novelties such as ‘deemed consent’ – which we discuss in our next note.
Nevertheless, subject to potential changes in DPDP’s November 2022 draft further to stakeholder feedback, the revised DPDP bill (which is likely to be tabled before parliament during the monsoon session) may continue to retain references to bespoke regulation as may be subsequently prescribed – allowing for flexibility while technologies, priorities, and public policies evolve over time.

Developments in data science have revolutionized the means through which personal data is capable of being collected and/or processed. Control over mass markets can be instrumentalized through mobile and web-based terminals, each of which remains equipped with a variety of embedded technologies. As a result, vast numbers of users – who remain permanently online – come in contact with such technologies, including with respect to the ‘measurement’ of their individual characteristics.
Further, such bio-surveillance and/or data collection via internet-linked apps and devices is powered by increasingly sophisticated analytic tools provided by the digital infrastructures of online media platforms. Unsurprisingly, therefore, the world has witnessed a growing demand for the re-use of this valuable informational inventory.
Since the aggregation of such an inventory may involve both personal and non-personal data, the associated regulatory paradigm must consider the fundamental differences between the two. More importantly, India’s new digital data regime will likely remain alert about how personal information may be converted into its non-personal equivalent, as well as the ramifications of such conversion.

With respect to the collection/processing of children’s personal information under Indian law, Clause 2(3) of the current draft of the country’s Digital Personal Data Protection Bill, 2022 (“DPDP”) defines a ‘child’ to mean “an individual who has not completed eighteen years of age.” Accordingly, a significant number of individuals may be covered under DPDP’s special requirements related to children’s data.
Meanwhile, the proposed Digital India Act (the “Proposed DI Act”) may also introduce special provisions with respect to children – including by ‘age gating’ them from: (i) addictive technologies, and (ii) online/digital platforms that collect/process their data. However, if the Proposed DI Act ends up defining a ‘child’ with a similarly high threshold, there may be implications for a multitude of online/digital/social media platforms, as well as for children and parents themselves, including in terms of access and compliance.
In this note, the fourth of S&R Data+, we discuss the implications of stipulating an upper age-limit of 18 while defining a child in connection with data protection, including through global comparisons.