#DataProtectionTop10: Exceptions to Consent - A Torn Safety Net
In part 3 of the #DataProtectionTop10 series, we look into various issues regarding the consent provisions for the processing of personal data under the Personal Data Protection Bill, 2019. The provisions under the Bill for processing of data without the consent of data principals are vague and undermine the right to privacy. Furthermore, the lack of clarity on the consequences for withdrawal of consent can even result in the denial of essential services. To address these issues, we suggest certain changes that must be incorporated into the wording of the Bill.
Last time in part 2, we looked at how non-personal data could be processed by various entities without user consent. This time, we will look at how the Bill treats consent in general. Consent is the cornerstone of a robust data protection regime. Consent places the control of personal data with its owners. It gives you the choice to determine whether or not to be subjected to certain types of processing of data. The consent contemplated under the Bill is ‘informed and meaningful’ consent. Consent is said to be valid under the Bill if it is; given freely, informed, specific, clearly expressed, and is capable of being withdrawn. While these provisions appear well-grounded, there are certain carve-outs to consent under the Bill such as exceptions to the State, employers, etc., which make them less effective and debilitate user’s control over their personal data. It is thus important for us to examine the exceptions to consent under the Bill and understand how it affects our rights under the Bill.
THE ISSUE: OVERBROAD EXCEPTIONS
The exceptions to consent begin with clause 12, which inter alia allows the State to process personal data without the consent of data principals for certain purposes, such as for providing services, benefits, or for the issuance of any certification, licence, or permit for any action or activity of the data principal. The exceptions to State under clause 12 essentially legitimise the collection and processing of personal data by the State for projects like Aadhar.
The Sri Krishna Committee report emphasises the need to restrict the exception given to the State for carrying out welfare and regulatory functions to only those entities which are performing functions directly connected to such activities. The report warns that a large part of the functioning of various departments of the government may be indirectly or remotely connected to the promotion of public welfare or regulatory functions, and this ground should not be used for justifying the processing of personal data for all such functions. In this context, the Committee made the recommendation that the availability of this exception should be restricted to certain entities of the State and certain functions to avoid vagueness in the law. However, from the text of clause 12 we can discern that such restrictions are missing.
The processing of data by the State is prescribed under Principle 4 of the Indian Privacy Code, a progressive and rights-based data protection legislation based on multistakeholder collaboration with data protection experts and lawyers. The Code states that the government is responsible for the delivery of many essential services to the public of India and that individuals cannot be forced to trade away their data at the altar of being permitted to use government services and access legal entitlements on welfare. Therefore, any provision which allows the State to collect personal data for providing services or benefits, should not be vague and should respect the informational privacy of the data principals.
DENIAL OF SERVICES BASED ON A LACK OF CONSENT
Though the Bill does not explicitly state that services can be denied to the data principals for want of consent, there are some provisions under the Bill, which when read together, can lead to denial of services. The provisions on consent are set out under clause 11, which inter alia states that the provision of any goods or services, or the performance of any contract, or the enjoyment of any legal right or claim, should not be denied on the ground that no consent was obtained for the processing of any personal data not necessary for that purpose. In the same breath, the clause also states that if the data principal withdraws their consent from the processing of any personal data without any valid reason, all legal consequences for the effects of such withdrawal will have to be borne by such data principal. This clause is very vaguely worded as there is no clarity on what amounts to a valid reason and what are the legal consequences that the data principals will have to face. Since there is no express bar on denial of essential services, it is possible that such legal consequences may also include denial of essential services. This is a valid concern, for instances of exclusion from essential services are plenty in the country. We have already seen this during the ongoing pandemic, as Aadhaar has been made mandatory for the receipt of several healthcare services such as hospital beds, COVID-19 tests, and oxygen cylinders. Patients have even been denied healthcare in certain cases.
EMPLOYERS AS BIG BROTHER
Workplace surveillance has become a common feature of workspaces across India in recent times, with the increased use of CCTV cameras, biometric attendance systems, and other technologies being reported. The use of such pervasive technologies is undesirable and we have always voiced our dissent against their use. The Bill does not do much to allay workplace surveillance, as clause 13 of the Bill exempts employers from obtaining the consent of the employees for the purposes of recruitment or termination of employees, for delivering services to employees, for verifying the attendance of employees, or for the assessment of the performance of the employees. This exception is available only if seeking the consent of the data principal would be inappropriate given the employer-employee relationship or would involve a disproportionate amount of effort on the part of the data fiduciary due to the nature of the processing involved in the clause.
The exception given to employers is broad and poses a grave threat to the privacy of the employees. Here, it is important to refer to Article 88 of the European Union’s General Data Protection Regulation (GDPR) which deals with processing of data in the context of employment. The Article affords more protection to the data and informational privacy of the employees. It formulates that any rule for the processing of the data of employees in the context of employment should have specific measures to safeguard the human dignity, legitimate interests, and fundamental rights of employees, especially with regard to transparency of processing and workplace monitoring systems.
Furthermore, this exception can lead to violation of the fundamental rights of the employees guaranteed under the Constitution of India. In our public brief on workplace surveillance, we have deliberated how workplace surveillance violates the fundamental rights of the employees. Workplace surveillance can aggravate the existing power imbalance between employees and employers, and can adversely impact the fundamental right of employees to form associations or unions guaranteed under Article 19(1)(c) of the Constitution. Also, it is needless to say, the use of pervasive surveillance technologies by employers could amount to disproportionate encroachment on the fundamental right to privacy guaranteed under Articles 14, 19, and 21 of the Constitution.
HOW REASONABLE ARE THE ‘REASONABLE PURPOSES’ FOR PROCESSING OF DATA?
Clause 14 of the Bill allows the processing of personal data without our consent for certain purposes that are considered as “reasonable”. This is a residuary clause to cover the grounds that are useful to the society but are not covered by the grounds for non-consensual processing of data enumerated in Chapter III of the Bill. The Bill also gives a suggestive list of grounds of processing personal data that would amount to reasonable purposes. We find certain grounds contained therein as concerning.
The Bill includes publicly available personal data as one of the reasonable purposes for processing of personal data without consent. This exception stems from the fundamentally flawed notion that there is no reasonable expectation of privacy in public places. We believe that this ground can become a backdoor to profiling of individuals. The government as well as the big techs would no longer require the consent of individuals for aggregating their social networking activities and their sentiments on various issues.
Another interesting ground that has found place under reasonable purposes is the operation of search engines. This was not present in the previous draft of the Bill. The reason for its inclusion remains unknown. The operations of search engines range from simple indexing to profiling of users. The extent and scope of operations of search engines that would constitute a reasonable purpose is not clear.
SOLUTION: CLEAR DEFINITIONS, LIMITED EXCEPTIONS, AND CLARITY
It is no doubt that certain exceptions are necessary in order to facilitate a functional data protection regime. However, as we have mentioned in the second principle of the Indian Privacy Code, these exceptions can, if not worded clearly, end up swallowing the rule. Therefore, any exception should be worded clearly, limited in purpose, necessary and proportionate to the aim, and accompanied by sufficient procedural safeguards. Therefore, to prevent the abuse of the exceptions to the processing of data without consent, all such exceptions must be in line with these safeguards.
The Bill should also provide in explicit terms that essential services cannot be denied for want of personal data or at the very least be based on the impossibility of providing the service. Further, for processing of data in the context of employment, as we have previously stated in our public brief on workplace surveillance, information regarding trade union affiliation, which can be used by employers to target employees, should be categorised as sensitive personal data to put the processing of such data out of the purview of the exception under clause 13 of the Bill. The principles of necessity and proportionality as articulated in the Justice KS Puttaswamy vs Union of India judgement of the Supreme Court on right to privacy should be incorporated into clause 13 so that the employers will be forced to resort to less privacy intrusive employee monitoring programmes, necessary to protect the interest of the employers and to thwart the risks to them. Further, the Data Protection Authority, which is the regulatory body proposed by the Bill, should be entrusted with the responsibility of issuing a Code of Practice for workplace surveillance under clause 50 of the Bill. Employees must be consulted and their views must be sought before processing personal data under clause 13 of the Bill. It is important to incorporate these safeguards into the Bill to ensure that consent, which is the bedrock of our data protection regime, is secure.
This is the third post in our series on the issues with the Personal Data Protection Bill, 2019. Read part 1 here and part 2 here. Do join us on Friday (14th May, 2021) as we look into the issues with user rights under the Bill.
- The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad (link)
- Essential Features of a Rights Respecting Data Protection Law dated February 28, 2020 (link)
- IFF's Public Brief and Analysis of the Personal Data Protection Bill, 2019 (link)
- The SaveOurPrivacy Campaign (link)
- Public Brief on Impact of the Personal Data Protection Bill 2019 on Workplace Surveillance (link)
This post has been largely drafted by Fathima V N, who is a 2020 graduate of the National University of Advanced Legal Studies and is currently a Daksha Fellow interning at IFF with the supervision of our staff.