Navigating Consent: DPDPA vs. GDPR on Granularity, Withdrawal, and Proof

The Digital Personal Data Protection Act, 2023 (DPDPA), now a year and a half into its enactment, has brought India’s privacy framework into closer alignment with global standards, particularly the European Union’s General Data Protection Regulation (GDPR). A cornerstone of both regimes is consent, serving as a primary lawful basis for processing personal data. However, while sharing fundamental principles, the DPDPA’s provisions on consent, specifically regarding granularity, withdrawal, and the onus of proof, present both parallels and distinct nuances for Indian businesses.

Both the DPDPA and GDPR demand a high degree of specificity for valid consent. Under the DPDPA, Section 6(1) requires that consent be “free, specific, informed, unconditional and unambiguous with a clear affirmative action,” that it signify agreement to processing for the “specified purpose,” and that it be limited to the personal data necessary for that purpose. A Data Fiduciary therefore cannot seek blanket consent for multiple, disparate processing activities; each distinct purpose requires its own clear consent. Similarly, GDPR Article 4(11) defines consent as a “freely given, specific, informed and unambiguous” indication of the data subject’s wishes, given by a statement or by a clear affirmative action. Recital 32 spells out what such an act looks like (ticking a box or choosing a setting; silence, pre-ticked boxes or inactivity do not count), while Article 7(4) and Recital 43 address bundling: consent is presumed not to be freely given where separate consent cannot be given to different processing operations despite that being appropriate, or where performance of a contract is made conditional on consent that the contract does not require.

While the DPDPA’s language is robust, the GDPR’s accompanying recitals and extensive guidance from European data protection authorities often provide more explicit examples and interpretations regarding what constitutes “specific” consent in practice, especially concerning unbundling services. In India, beyond the DPDPA, sectoral regulations, particularly those from the Reserve Bank of India (RBI), often impose even stricter requirements for granularity. For instance, various RBI circulars on digital lending or payment tokenisation demand explicit, auditable consent for each specific data access or processing activity, often going beyond the general DPDPA provisions in their operational detail. This makes the Indian landscape potentially stricter in regulated sectors, requiring businesses to navigate both general privacy law and specific sectoral mandates.

The ability for individuals to revoke their consent is a critical safeguard in modern privacy frameworks. The DPDPA, under Section 6(4), explicitly grants a Data Principal the right to withdraw consent at any time, “with the ease of doing so being comparable to the ease with which such consent was given.” Section 6(5) adds that withdrawal “shall not affect the legality of processing of the personal data based on consent before its withdrawal,” and Section 6(6) requires the Data Fiduciary (and its Data Processors) to cease processing within a reasonable time after withdrawal unless continued processing is required or authorised by law. This mirrors the GDPR’s provision in Article 7(3), which similarly states that the data subject “shall have the right to withdraw his or her consent at any time,” that “it shall be as easy to withdraw as to give consent,” and that withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

On this front, the DPDPA and GDPR are remarkably aligned. Both regimes place a clear obligation on data processing entities to establish user-friendly mechanisms for consent withdrawal, ensuring that the process is not unduly complex or burdensome. This parity offers a consistent standard for global businesses operating in both jurisdictions.

A fundamental principle in both laws is that the responsibility for demonstrating valid consent rests squarely with the entity processing the data. DPDPA Section 6(10) provides that where consent is the basis of processing and a question about it arises in a proceeding, the Data Fiduciary is obliged to prove that a notice was given to the Data Principal and that the Data Principal gave consent in accordance with the Act and the rules made under it. This places a clear evidentiary burden on businesses to maintain robust records of both notice and consent. Similarly, GDPR Article 7(1) mandates that “where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”

This alignment means that Indian businesses, like their European counterparts, must implement comprehensive consent management systems. Simply asserting that consent was obtained is insufficient; verifiable proof, such as timestamped records of consent forms, privacy policy versions, and specific purposes agreed to, is crucial for compliance. The DPDPA’s explicit mention of demonstrating that “a notice has been given” further reinforces the requirement for transparent communication to the Data Principal before consent is sought.

Indian Nuances and Trade-offs

While the DPDPA largely aligns with the GDPR on these core consent principles, some trade-offs and specific Indian contexts are noteworthy. The DPDPA’s “unconditional” requirement in Section 6(1), while similar to GDPR’s “freely given,” might require further interpretation in contexts of power imbalance (e.g., employer-employee relationships) where GDPR has more established guidance. Furthermore, the DPDPA is currently less prescriptive than GDPR in its detailed interpretive guidance on specific scenarios, which might lead to initial interpretational uncertainty until DPDPA rules, Data Protection Board rulings, or judicial precedents provide more clarity. However, the existing SPDI Rules, 2011 (Rule 5(1), requiring consent before sensitive personal data is collected, and Rule 5(7), giving the information provider an option to withdraw that consent), together with the stringent RBI guidelines, already set a precedent for robust consent practices in India, often making the practical implementation for regulated entities stricter than the general DPDPA text alone.

Practical takeaway: Indian businesses, General Counsels, and Data Protection Officers must treat consent under the DPDPA not just as a checkbox, but as an active, verifiable, and dynamic process. Implement granular consent mechanisms that clearly link each data processing purpose to explicit user agreement. Ensure that consent withdrawal is as straightforward as giving it, with readily accessible options, and that processing actually stops once consent is withdrawn. Most importantly, establish comprehensive record-keeping systems to discharge the burden of proof in DPDPA Section 6(10), showing when, how, and for what specific purposes consent was obtained and which notice was provided. For entities in regulated sectors like finance, always cross-reference DPDPA requirements with stricter sectoral guidelines from bodies like the RBI, as these often add layers of specificity and auditability to consent management.
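The three requirements discussed above (one consent per specified purpose, withdrawal that does not erase the lawfulness of earlier processing, and records that can prove notice and consent later) map onto a concrete data structure. The following is an added example written for this post, not code from the original author or from any consent-manager product: a small append-only consent ledger in Python. Principal identifiers, purposes, notice text and timestamps are constructed; hash-chaining each event to the previous one is one practical way to make the record tamper-evident and is not something either statute prescribes.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first event in a ledger


@dataclass(frozen=True)
class ConsentEvent:
    seq: int
    ts: str              # ISO-8601 UTC timestamp of the affirmative act
    principal: str       # Data Principal identifier (hypothetical)
    purpose: str         # exactly one specified purpose per event
    action: str          # "grant" or "withdraw"
    notice_version: str  # version of the notice shown before consent was sought
    notice_sha256: str   # hash of that notice text, so its wording can be proven later
    channel: str         # how the act was captured, e.g. "web-checkbox"
    prev_hash: str
    hash: str


def _digest(payload: dict) -> str:
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    """Append-only log: grants are never deleted; withdrawal is a new event."""

    def __init__(self) -> None:
        self.events: list[ConsentEvent] = []

    def _append(self, **fields) -> ConsentEvent:
        prev = self.events[-1].hash if self.events else GENESIS
        body = {"seq": len(self.events), "prev_hash": prev, **fields}
        ev = ConsentEvent(**body, hash=_digest(body))  # hash covers every field plus prev_hash
        self.events.append(ev)
        return ev

    def grant(self, principal, purpose, notice_text, notice_version, channel, ts=None):
        # Granularity: one specified purpose per grant, so a bundled request such as
        # "order-updates,marketing" cannot be recorded as a single consent.
        if not purpose or any(sep in purpose for sep in ",;"):
            raise ValueError("record consent for exactly one specified purpose")
        ts = ts or datetime.now(timezone.utc).isoformat()
        return self._append(ts=ts, principal=principal, purpose=purpose, action="grant",
                            notice_version=notice_version,
                            notice_sha256=hashlib.sha256(notice_text.encode()).hexdigest(),
                            channel=channel)

    def withdraw(self, principal, purpose, channel, ts=None):
        last = self._latest(principal, purpose)
        if last is None or last.action != "grant":
            raise ValueError("no active consent for that purpose")
        ts = ts or datetime.now(timezone.utc).isoformat()
        return self._append(ts=ts, principal=principal, purpose=purpose, action="withdraw",
                            notice_version=last.notice_version, notice_sha256=last.notice_sha256,
                            channel=channel)

    def _latest(self, principal, purpose, at=None):
        # String comparison of timestamps is valid only because every event uses
        # the same ISO-8601 UTC format.
        hits = [e for e in self.events
                if e.principal == principal and e.purpose == purpose and (at is None or e.ts <= at)]
        return hits[-1] if hits else None

    def lawful_at(self, principal, purpose, at) -> bool:
        """Processing for `purpose` was lawful at `at` iff the latest event on or before `at` is a grant."""
        last = self._latest(principal, purpose, at)
        return last is not None and last.action == "grant"

    def verify(self) -> bool:
        """Recompute every hash; any edited or removed event breaks the chain."""
        prev = GENESIS
        for i, e in enumerate(self.events):
            body = {k: v for k, v in asdict(e).items() if k != "hash"}
            if e.seq != i or e.prev_hash != prev or _digest(body) != e.hash:
                return False
            prev = e.hash
        return True

    def evidence(self, principal, purpose) -> list[dict]:
        """Full event history for one principal and purpose, hashes included: what you produce when asked to prove notice and consent."""
        return [asdict(e) for e in self.events if e.principal == principal and e.purpose == purpose]


def demo() -> dict:
    """Constructed scenario: two purposes granted separately, one later withdrawn."""
    led = ConsentLedger()
    notice = "Constructed notice v3: email is used for order updates; marketing is optional."
    led.grant("dp-001", "order-updates", notice, "v3", "web-checkbox", ts="2025-01-10T09:00:00+00:00")
    led.grant("dp-001", "marketing-email", notice, "v3", "web-checkbox", ts="2025-01-10T09:00:05+00:00")
    led.withdraw("dp-001", "marketing-email", "account-settings", ts="2025-02-01T12:00:00+00:00")
    return {
        "marketing_lawful_jan20": led.lawful_at("dp-001", "marketing-email", "2025-01-20T00:00:00+00:00"),
        "marketing_lawful_feb02": led.lawful_at("dp-001", "marketing-email", "2025-02-02T00:00:00+00:00"),
        "orders_lawful_feb02": led.lawful_at("dp-001", "order-updates", "2025-02-02T00:00:00+00:00"),
        "chain_intact": led.verify(),
        "marketing_events": len(led.evidence("dp-001", "marketing-email")),
    }


def tamper_demo() -> bool:
    """Someone quietly rewrites a recorded grant's purpose after the fact; verify() must fail."""
    led = ConsentLedger()
    led.grant("dp-002", "analytics", "Constructed notice v1", "v1", "web-checkbox", ts="2025-03-01T00:00:00+00:00")
    led.events[0] = replace(led.events[0], purpose="marketing-email")
    return led.verify()


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("tampered ledger verifies:", tamper_demo())
```

Two design choices carry the legal points. Withdrawal is appended rather than deleting the grant, so `lawful_at` can still answer "was processing lawful on 20 January?" with a yes even though consent was withdrawn on 1 February. And every event stores the hash of the notice text the principal actually saw, so the record proves not only that consent was given but what the principal was told; the `channel` field is where a fiduciary would show that withdrawal was offered through a route no harder than the one used to grant.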

This post is licensed under CC BY 4.0 by the author.