Apps, firms could lose 'continuous consent' in data protection bill

The move will discard the concept of 'continuous consent' where apps and services get permission to process data from the users when they initially sign up for the service

The Centre could ask firms dealing in personal and non-personal data to get renewed consent from their users every time they change the terms and conditions and update their services, The Economic Times (ET) reported on Tuesday.

Officials were quoted as saying that a clause to this effect could soon be introduced in the Digital Personal Data Protection (DPDP) Bill. The move will discard the concept of “continuous consent” where apps and services get permission to process data from the users initially when they initially sign up for the service and then continue to process the data based on the initial consent.

A senior government official was quoted as saying that a user must be aware at all times of how their data is processed. Since firms keep changing the way they process data collected from the users when they sign up for the service, the current process does not do any justice to the user.

Also Read: Data protection bill gets cabinet nod, major provisions likely to be kept

The Centre has mandated that the personal data of a user, also known as data principal, must be processed only for purposes for which the consent has been taken or the consent is 'deemed’ to have been taken.

According to clauses in the bill, requests for the processing of data should be accompanied by or preceded by “an itemised notice” containing the details of the personal data being collected and how the data can be employed. The data protection Bill states that such notices must be in “clear and plain language".

The Centre has also proposed that in cases where the personal data of users have been collected before the implementation of the Act, the data fiduciaries should provide users with an “itemised notice in a clear and plain language containing a description of personal data of the data principal collected by the data fiduciary and the purpose for which such personal data has been processed”.

In the ongoing monsoon session, the Centre has introduced the DPDP Bill for discussion.

Also Read: Data protection bill: Govt mulls exempting startups from data sharing rules