New Report on Limits of “Consent” in India’s Data Protection Law

Today, the Future of Privacy Forum (FPF) and the Asian Business Law Institute (ABLI), as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” are publishing the eleventh in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).

This report provides a detailed overview of relevant laws and regulations in India, including:

• notice and consent requirements for processing personal data;
• the status of alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
• statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations.

The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.

Developments in India’s Data Protection Landscape

To date, India has not enacted comprehensive data protection legislation.

In 2017, against the backdrop of the Supreme Court of India’s landmark decision on the right to privacy in Justice KS Puttaswamy v. Union of India, India’s Ministry of Electronics and Information Technology established a Committee of Experts to study issues relating to data protection in India and draft personal data protection legislation. In July 2018, this Committee of Experts released draft legislation, which was tabled in the lower house of India’s Parliament as the “Personal Data Protection Bill 2019” (“PDP Bill”). 

Between 2019 and 2021, the PDP Bill underwent review by a Joint Parliamentary Committee (“JPC”), which released a report (“JPC Report”) in December 2021 recommending numerous changes to the draft PDP Bill. 

However, on August 3, 2022, India’s Government withdrew the PDP Bill and announced that it was working on a new and comprehensive framework of data protection legislation, which it aimed to release for public comment in early 2023.

India’s Existing Data Protection Landscape: The IT Act and its Subsidiary Legislation

Now that the PDP Bill has been withdrawn, India’s existing personal data protection framework will continue for the foreseeable future to be found in the Information Technology Act 2000 (“IT Act”) as amended in 2008 and its subsidiary legislation, including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (“IT Rules”).

The IT Rules apply to private-sector entities that possess and handle “sensitive personal data or information” (“SPDI”). The IT Rules define SPDI as personal information which consists of information relating to a person’s:

• password;
• financial information;
• physical, physiological, or mental health condition;
• sexual orientation;
• medical records and medical history; or
• biometric information;

as well as any information relating to the above, which is provided to a private-sector entity for providing a service received, or received by a private-sector entity for processing. This definition does not include information that is freely available, is in the public domain, or has been provided under India’s right-to-information laws.

The IT Rules require private-sector entities to implement certain practices to protect SPDI from unauthorized access and interference. These include requirements for private-sector entities to obtain consent for collecting SPDI and disclosing SPDI to third parties under certain circumstances, to provide a privacy policy, to notify data subjects that their SPDI is being collected, to provide data subjects with the option not to provide their SPDI or withdraw consent to collection of their SPDI, and observe certain data protection principles, such as purpose limitation. Private-sector entities which do not implement such requirements and thereby cause wrongful loss or gain are liable to pay damages to the affected party. Additionally, the IT Act prescribes various penalties for breaches of confidentiality and privacy obligations.

By default, the IT Rules require private-sector entities to obtain consent from data subjects before collecting their SPDI or disclosing SPDI to a third party. However, these requirements are subject to exceptions where:

• there is a contract between the entity and the data subject, which provides for disclosure of SPDI;
• it is necessary to disclose the SPDI to comply with a legal obligation; or
• there is a legal request in writing from a relevant government agency for the purpose of identity verification, investigating crimes, and enforcing criminal law.

The IT Rules require that consent to collection of SPDI must be obtained in writing through letter, facsimile, or email from the provider of such data, potentially making collection of valid consent difficult in practice.

The IT Rules also enable private-sector entities to transfer SPDI out of India to a jurisdiction which provides the same level of protection to the SPDI as that provided under the IT Rules if a data subject consents to the transfer or if the private-sector entity has a contract with the data subject which provides for cross-border transfer of SPDI.

The Future of Data Protection Law in India

As stated above, the Indian Government is now working on new personal data protection legislation to replace the PDP Bill. At this stage, it remains unclear what shape this new legislation may take. However, it is possible that the new legislation will draw on the provisions of the erstwhile PDP Bill and the recommendations in the JPC Report, which were the result of years-long debates and consultations. 

To that end, ABLI and FPF’s report on consent in India’s data protection framework outlines the key provisions of the PDP Bill and JPC Report on consent and alternative legal bases for processing personal data which provide a window into Indian regulators’ perspectives on these topics and may still be relevant in future legislation. 

The PDP Bill provided a number of different legal bases for processing personal data, including consent but also several alternative bases which apply when processing of personal data is necessary for:

• compliance with various legal obligations;
• responding to emergencies;
• employment-related purposes (including recruitment or termination of data subjects, verifying the data subject’s attendance, and assessing the data subject’s performance); and
• “reasonable purposes” – which appear similar to the EU’s “legitimate interests,” but whose scope still remains uncertain.

The PDP Bill would have required consent for processing of personal data to be free, informed, specific, clear, and capable of being withdrawn. For consent to qualify as “informed” under the PDP Bill, the data controller would have to provide certain prescribed information at the time of data collection or a reasonable time thereafter.

Where the personal data to be processed consists of “sensitive personal data” (which is defined more broadly than SPDI under the IT Rules), PDP Bill would have required a data controller to inform the data subject of any purpose or operation of processing that is likely to cause significant harm to the data subject.

Finally, under the PDP Bill, consent for cross-border transfer of sensitive personal data would have to be “explicit.” The PDP Bill did not specify the conditions for explicit consent, though the wording of the relevant provision suggested that minimally, the data principal would have had to clearly and specifically consent to the transfer of his/her personal data out of India.

The PDP Bill proposed penalties for data controllers that process personal data in breach of the Bill’s consent requirements, which could extend to 4% of the data controllers total worldwide turnover in some cases. Data controllers who violate the PDP Bill’s consent requirements would also have been liable to pay compensation to data subjects who suffer harm as a result of such violations.

Read the previous reports in the series here.