Navigating Consent: DPDPA's Framework Against Global Benchmarks
As the Digital Personal Data Protection Act, 2023 (DPDPA) firmly establishes its presence in India’s regulatory landscape, businesses are diligently aligning their data processing practices. A cornerstone of this new regime, much like its global counterparts, is the concept of consent. Understanding the nuances of consent under DPDPA Section 6, particularly in comparison to the European Union’s General Data Protection Regulation (GDPR) Article 7, is crucial for any entity operating in or with India. This analysis delves into the critical aspects of granularity, withdrawal mechanisms, and the onus of proof, highlighting where the Indian framework sets its own course.
The Mandate of Granularity: Specificity in Consent
Both the DPDPA and GDPR champion the principle of specific and informed consent, yet their articulation offers subtle differences. Under DPDPA, Section 6(1)(a) mandates that consent must be “free, specific, informed, unconditional, and an unambiguous affirmation.” Furthermore, Section 6(2) stipulates that consent must be limited to the processing necessary for the specified purpose. This “unconditional” requirement is a strong guard against bundled consent, where individuals might be compelled to agree to multiple, unrelated processing activities.
GDPR Article 7(1) similarly requires consent to be “freely given, specific, informed and unambiguous.” Recital 32 further clarifies that consent should be given by a “clear affirmative act,” and Recital 42 emphasizes that “separate consent should be given for different processing operations.” While DPDPA’s “unconditional” language might appear stricter in explicitly precluding conditional consent, the practical effect of GDPR’s requirement for separate consent for distinct purposes often leads to a similar outcome. Both frameworks demand that individuals understand precisely what data is being collected and for what specific use, preventing broad, catch-all consent requests. Although DPDPA’s main text does not expressly call for “separate consent for different operations,” its “unconditional” and “limited to the processing necessary for the specified purpose” provisions achieve a comparable level of granularity.
The Right to Retreat: Withdrawal Mechanisms
The right to withdraw consent is a fundamental pillar of data protection, ensuring individuals retain control over their personal data. Both the DPDPA and GDPR are robust on this front. DPDPA Section 6(4) expressly grants the Data Principal the right to withdraw consent at any time, with ease, and clarifies that such withdrawal does not affect the lawfulness of processing based on consent before its withdrawal. Section 6(5) places a clear obligation on the Data Fiduciary to ensure that the withdrawal of consent is as easy as the process for giving it.
GDPR Article 7(3) mirrors these provisions closely. It states that the data subject shall have the right to withdraw his or her consent at any time, and that it shall be “as easy to withdraw as to give consent.” It also confirms that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. In this regard, both frameworks are largely aligned, prioritizing user control and ease of exercising this right. The emphasis on making withdrawal effortless is a key compliance challenge for businesses under both regimes.
Demonstrating Consent: The Burden of Proof
Accountability is a core principle, and both laws place the onus of proving valid consent squarely on the entity processing the data. DPDPA Section 6(6) unequivocally states that the burden of proving that consent was obtained in accordance with the Act lies with the Data Fiduciary. This is a critical provision, requiring robust record-keeping and auditable processes for consent acquisition.
Similarly, GDPR Article 7(1) mandates that “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” This identical requirement underscores a global consensus: it is not enough to merely claim consent; it must be demonstrable. This necessitates comprehensive consent management systems, clear audit trails, and transparent communication with Data Principals/data subjects.
Interplay with India’s Sectoral Regulations
While the DPDPA provides the overarching framework, it’s crucial to consider India’s existing sectoral regulations. DPDPA Section 6(7) explicitly states that the consent requirements under any other law for the time being in force, if they provide a higher standard of protection for the Data Principal, shall not be affected. This is particularly relevant for sectors like finance, where the Reserve Bank of India (RBI) often imposes stringent requirements for customer consent, particularly for data sharing and processing. For instance, RBI’s Master Directions on Digital Payment Security Controls or various guidelines on outsourcing financial services often contain specific consent mandates that might exceed DPDPA’s general requirements for sensitive financial data. Similarly, aspects of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, particularly Rule 3(1)(a) and (i), touch upon user awareness and the right to withdraw consent for online intermediaries. In such cases, businesses must adhere to the stricter of the two standards, making the Indian compliance landscape potentially more intricate than in jurisdictions with a more unified approach.
Practical Takeaway
For Indian businesses, General Counsels, and Data Protection Officers, the DPDPA’s consent framework demands meticulous attention. While drawing parallels with GDPR offers valuable insights, the DPDPA’s “unconditional” clause and the interplay with existing sectoral regulations, such as those from the RBI, mean that a “copy-paste” approach from global templates is insufficient. Focus on building granular consent mechanisms, ensuring ease of withdrawal that is demonstrably as simple as giving consent, and establishing robust, auditable records to meet the burden of proof. Proactively assess all data processing activities against both DPDPA and relevant sectoral laws to ensure compliance with the highest applicable standard.