Citing flaws in the current consent mechanism in the digital world, the Justice Srikrishna panel on data protection has recommended sweeping changes to this framework to make data collectors liable for harm caused to an individual "as if the consent form were a product".
Making consent the touchstone and "lawful basis" of processing personal data, the panel has suggested a revamp in the consent mechanism under the new data protection framework, asserting that consent has to be free, informed, specific, clear and capable of being withdrawn, for it to be valid.
For sensitive personal data -- that entails passwords, financial data, health information, sex life, sexual orientation, biometric and genetic data, caste or tribe, and religious or political beliefs -- consent will have to be "explicit", the panel has said.
The "opacity" of consent and data sharing on the internet today is the foundation of several fears of data protection, the panel noted.
"However, the law will adopt a modified consent framework which will apply a product liability regime to consent thereby making the data fiduciary liable for harms caused to the data principal," the panel said in its recommendations.
The panel noted that the present mechanism of notice and consent on the internet is "broken", and that consent forms are "complex and often boilerplate".
"Consequently, individuals do not read them; even if they attempt to, they might not understand them; even if they understand them, provisions to give meaningful consent in a granular fashion are absent," the panel rued.
In spite of this, individuals regularly agree to data collection and use practices as per the privacy policy or terms and conditions of the websites visited, applications downloaded, or programmes.
"So prevalent have such boilerplate contracts become in the online world, that courts too have often recognised their legal validity, irrespective of the unequal bargaining power of parties and doubts about how informed the giving of consent might have been," it said.
Hence, a modified framework for operationalising consent needs to be found, the panel felt.
"The consequence of incorporating product liability into consent forms means that data fiduciaries will be liable, as if the consent form were a product. This implies liability for any harm that is caused to a data principal pursuant to the latter providing consent, as a consequence of such processing," the panel said.
The high-level panel, in its report submitted to the government, has said that the obligations on data collectors in relation to the notice provided to individuals should entail collection of personal data that is necessary for providing service to an individual, communicating the same through a clear notice, ensuring that contractual terms that are potentially onerous or harmful are brought to the notice of the individual to whom the data belongs, seeking affirmative consent from the individual without any pre-checked boxes, and providing granularity (detailing in choice) that allows individuals to access services without necessarily being subject to an 'all or nothing' principle.
The panel has suggested that "model forms" in this regard could be laid down by the proposed 'Data Protection Authority' through codes of practice.
Also, a data trust score -- similar to a credit score -- could be given to all significant data collectors, audited by data auditors and displayed prominently in the notice, it has prescribed.
"Dynamic consent renewal...will be provided for, depending on the type of data in question. A consent dashboard may be created for this purpose," it said.
Such a dashboard, it said, would enable individuals to keep track of consent for processing in real time and allow them to operationalise the right accorded to them under the data protection law.
Disclaimer: No Business Standard Journalist was involved in creation of this content