This article examines some pitfalls around the processing of “voluntarily provided” personal data under India’s Digital Personal Data Protection Act, 2023 (“DPA”), and it is the second of a three-part series. The first, focussing on “employment purposes” can be accessed here.
The Temptation of “Voluntary Provision”
Under the DPA, private Data Fiduciaries may process a Data Principal’s personal data either on the basis of an express consent or to the extent permitted for certain legitimate uses.
Recording valid consents under the DPA is onerous. Such consent must not only be free, specific, informed, unconditional, and unambiguous, but also be expressed through a clear, affirmative action, with the Data Fiduciary maintaining audit logs of such consent.[1]
Unlike the EU GDPR, from which this consent standard is borrowed, the DPA does not recognise several “non-consent” bases for processing such as “legitimate interests” and “contractual performance”. Consequently, companies in India, particularly those that have touchpoints with their customers (e.g., retail entities), are keenly exploring the possibilities of processing customer data on the basis of voluntarily provided data, without relying on onerous consents.
Under S.7(a) of the DPA, Data Fiduciaries can process personal data:
“for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data.” (emphasis supplied)
This provision has made it very tempting for companies wanting to circumvent the rigour of seeking consent. Braver entities are even trying to couch all data submission as “voluntary” submission in their terms of service and arguing that no notice needs be served for such submissions.
As with all apparent shortcuts, these approaches come with significant risk. Misinterpreting the boundaries of “voluntary provision” can potentially cascade into non-compliance with the DPA, legal challenges, and erosion of consumer trust. This article seeks to examine some of the risks and explore the possible pitfalls of relying too heavily on this exception.
S.7(a) of the DPA also provides two illustrations (reproduced subsequently) that help argue against any expansive interpretation of the voluntary provision.
- “X, an individual, makes a purchase at Y, a pharmacy. She voluntarily provides Y her personal data and requests Y to acknowledge receipt of the payment made for the purchase by sending a message to her mobile phone. Y may process the personal data of X for the purpose of sending the receipt; and
- X, an individual, electronically messages Y, a real estate broker, requesting Y to help identify a suitable rented accommodation for her and shares her personal data for this purpose. Y may process her personal data to identify and intimate to her the details of accommodation available on rent. Subsequently, X informs Y that X no longer needs help from Y. Y shall cease to process the personal data of X.”.
These illustrations bring out the inherent purpose and time limitations that the drafters have always intended to be used in reading this provision. In (i), the “voluntary” provision is limited to the express “purpose” of sharing the receipt for said purchase; and in (ii), it is restricted to a specific transactional service, ceasing to apply once the customer indicates that they no longer need the service.
The Singapore Example and the 2022 Indian Data Protection Bill
To further help interpret S. 7 (a) of the DPA, it is useful to examine its origins, i.e., Singapore’s “deemed consent by conduct”. Under Section 15(1) of Singapore’s Personal Data Protection Act of 2012 (“Singapore Law”), an individual is presumed to have given his consent for processing, if “(a) the individual voluntarily provides the personal data to the organisation for that purpose; and (b) it is reasonable to expect that the individual would voluntarily provide the data”.
Indian and Singapore Laws are both clear in permitting processing on such basis only for specified purposes,butSingapore Law also explicitly calls out the requirement of reasonable expectation.
S.8 of the (Indian) Digital Data Protection Bill, 2022, largely reproduced the Singapore Law’s language and stated that consent can be deemed “(1) in a situation where the Data Principal voluntarily provides her personal data to the Data Fiduciary and it is reasonably expected that she would provide such personal data”. While the provision itself did not stress on a “specified purpose”, the accompanying illustration indicated that it has remained a factor.[2]
The subsequent change in language may be used to infer that the legislature sought to define the standard in narrower and clearer terms in the DPA; namely, purpose limitation and absence of a denial of consent by the Data Principal.
Any other reading, such as to say that this was intended to broaden the scope of “voluntary provision”, does not align with the illustrations under S.7(a) and its limitations under S.8(8) of the DPA as elaborated subsequently.
Courts and Interpretation
The Personal Data Protection Commission of Singapore has resisted expansive processing of data on the basis of voluntary submission and clarified that “[such] purposes are limited to those that are objectively obvious and reasonably appropriate from the surrounding circumstances”.[3]
While interpreting S.7, in addition to the preceding clarification, India’s DPA will also likely be influenced by the core principles of consent and proportionality expounded in Puttaswamy.[4]
Any interpretation of S.7 to allow processing for purposes (such as marketing, cross sell) that should be the subject matter of a consent, or processing not strictly necessary for the purpose the data was “voluntarily”’ submitted, are likely to be looked upon unfavourably.
S.8(8) of the DPA further qualifies S.7(a), by stating that the purpose of processing under “voluntary provision”, “shall be deemed to no longer be served, if the Data Principal does not–– (a) approach the Data Fiduciary for the performance of the specified purpose; and (b) exercise any of her rights in relation to such processing, for such time period as may be prescribed , and different time periods may be prescribed for different classes of Data Fiduciaries and for different purposes”.
More importantly S.8(8) underscores the possible legislative intent that “voluntary provision” is a transaction-specific basis and fixed at a point of time for a specific purpose. This section also indicates that the time limitation of “voluntary provision” may be further defined and limited by rules under the DPA (yet to be notified), which may further affect the utility of this basis.
“Voluntary provision” also continues to share several elements with “consent” basis, such as the obligations of transparency and data minimisation. General rights of Data Principals and obligations of Data Fiduciaries and the special provision for children’s data as provided in the DPA also continue to remain applicable on Data Fiduciaries relying on “voluntary provision”.
Lastly, “specified purpose” is separately defined in S.2 (za) of the DPA as “the purpose mentioned in the notice given by the Data Fiduciary to the Data Principal in accordance with the provisions of this Act and the rules made thereunder”. Hence, it can be inferred that the regulatory authority would expect some form of contemporaneous notice, even when relying on voluntary provision, to clarify the “specified purpose” and inform Data Principals of their rights.
Nonetheless, any attempt to broaden the purpose mentioned in such a notice beyond the specific context and reasonable expectations could be problematic.
The Road Ahead
From all of the above, it is clear that S.7 (a) of the DPA only allows processing of data that has been “voluntarily provided” for an evident, reasonable, and specific purpose, for that purpose, without additional consent. This basis is clearly a limited, transactional one and not suitable for expansive or sustained processing.
The following illustrations help understand this:
- Retail: Where a customer provides their phone number and requests a soft copy receipt, the use of their number for this purpose is clearly permitted. That said, the relevant “purpose” could be argued to conclude with that transaction. The processing will have to cease after the fulfilment of the transaction. The use of the said number without consent for general marketing or cross-selling, or even for future purchases, will be difficult to justify as being covered under the voluntary provision basis.
- CCTV Recording: A mall owner may, after displaying a suitable notice, notify visitors (at least in common areas where there is no reasonable expectation of privacy) that they are under surveillance for the security of the premises. However, any use of this data for other purposes (e.g., facial recognition for tracking usage, spending, or advertising) would strongly be argued to be unreasonable and not within the ambit of the voluntary provision.
Conclusion
“Voluntary provision” under the DPA is best understood as a basis for both purpose-limited and time-specific processing. Data Fiduciaries will need to determine a reasonable and appropriate purpose and ensure such a purpose is specified to the Data Fiduciary and adheres to its limits in the course of processing. They will also likely have to record the action of “voluntary provision”, communication of the specified purpose, and provide a mechanism for the Data Principals to communicate withdrawal of consent. They will have to cease processing upon receiving such communication from the Data Principal, or if the transaction is not followed through, or after the expiry of the prescribed period. We would also look for more clarity on the use of “voluntary provision”, when the Rules under the DPA are notified.
Thus, voluntary provision serves as a helpful tool in certain situations, but it should not be seen as a replacement for robust consent practices. By understanding the nuances of the provision and adhering to best practices, Data Fiduciaries can demonstrate compliance with the DPA, while building trust with their users.
[1] S.6(1) of the DPA.
[2] Illustration: ‘A’ shares her name and mobile number with a Data Fiduciary for the purpose of reserving a table at a restaurant. ‘A’ shall be deemed to have given her consent to the collection of her name and mobile number by the Data Fiduciary for the purpose of confirming the reservation.
[3] PDPC Advisory Guidelines, available at https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/ag-on-key-concepts/advisory-guidelines-on-key-concepts-in-the-pdpa-17-may-2022.pdf (Pg 42)
[4] Justice K.S. Puttaswamy vs. Union of India, (WP (C) 494/2012).
