Comprehensive breakdown of Section 4 dealing with consent, lawful processing, legitimate use, and personal data processing grounds under the DPDP Act.
The Digital Personal Data Protection Act, 2023 (DPDP Act) mandates that the personal data of a Data Principal must be processed only for a lawful purpose and be justified under valid grounds of processing. These grounds of processing are mandates that the authorities are required to follow while processing the data of a Data Principal.
This article will provide a comprehensive analysis of these grounds and their implications for your business.
As per Section 4(1) of the DPDP Act, the personal data of a Data Principal can be processed only for a lawful purpose. In other words, the data cannot be processed for purposes which are strictly prohibited by any law, regulation or rule in force.
The Information Technology Act, 2000 prohibits the sharing of sensitive personal information with hackers. Any individual or entity found responsible for sharing such information will be held liable under the requisite provisions of the legislation.
In cases where the purpose of processing data is lawful, such personal data can be processed on the following grounds under the DPDP Act:
Under Section 6 of the DPDP Act, consent is the primary ground of processing personal data. The following legal mandates are to be kept in mind while processing the personal data of the Data Principal:
Consent must be unambiguous and freely given, demonstrating a clear comprehension of the specific data processing purpose. This implies the absence of concealed terms or perplexing language.
The consent should not be conditional and must be clear and precise. Users should fully understand what they are consenting to.
Rule 3(b) of the Draft Digital Personal Data Protection Rules specifies that the notice for obtaining consent shall be given in plain and clear language having sufficient information necessary for the Data Principal to give specified and informed consent. Moreover, the notice shall include an itemized description of personal data and the specified purpose of the goods and services to be provided.
Consent must be provided through an explicit action, such as checking a box or clicking "I agree." Passive consent, such as pre-ticked boxes or implied consent, is not acceptable.
Section 7 of the DPDP Act allows the processing of personal data without explicit consent of the Data Principal under certain prescribed circumstances. These circumstances are termed "certain legitimate uses" and include:
When a Data Principal voluntarily provides her personal data for a specific purpose, processing is permitted for that purpose until the Data Principal withdraws consent. Explicit consent from the Data Principal is not required in such cases.
The DPDP Act allows the State and its instrumentalities to process personal data without obtaining the explicit consent of the Data Principal under certain circumstances, including provisions for subsidies, benefits, services, certificates, licenses, etc.
Data processing can be used to address immediate threats to life or health, such as individual medical emergencies and public health crises. Data processing should be limited to what is strictly necessary for the emergency.
As per the DPDP Act, business organisations are allowed to process the personal data of the Data Principal without their consent in circumstances where such processing is required under law or is as per the order or direction of the court or a government authority.
The processing of personal data may be conducted with the consent of the Data Principal, especially in cases pertaining to employment or the protection of the employer from potential liabilities. This encompasses measures to prevent corporate espionage, upholding the confidentiality of trade secrets and other intellectual property, and administering employee-related services and benefits.
Personal data may be processed without consent when it is necessary to ensure the safety and assistance of people during natural disasters or circumstances that disrupt the public order of the society.
Section 4 of the DPDP Act provides for a balanced yet questionable framework for the processing of the personal data of the Data Principals in India. Organisations must ensure that they conduct the data processing activities in adherence with these established grounds and maintain transparency regarding the same with the Data Principals.
Many might view the dual approach of consent-based data processing and certain legitimate uses as a flexible approach that safeguards the rights of the Data Principal, whereas others might raise questions regarding too much interference by the government authorities.
Nevertheless, as organisations implement compliance measures, they should focus on clear consent mechanisms and proper documentation of the cases falling within the ambit of legitimate use. By following these practices, businesses can build trust with their clients and at the same time fulfill their legal obligations under the evolving data protection framework of India.