Code: Section 6 DPDP Act
(1) The consent given by the Data Principal shall be free, specific, informed,
unconditional and unambiguous with a clear affirmative action, and shall signify an
agreement to the processing of her personal data for the specified purpose and be limited to
such personal data as is necessary for such specified purpose.
Illustration.
X, an individual, downloads Y, a telemedicine app. Y requests the consent of X for (i)
the processing of her personal data for making available telemedicine services, and (ii)
accessing her mobile phone contact list, and X signifies her consent to both. Since phone
contact list is not necessary for making available telemedicine services, her consent shall be
limited to the processing of her personal data for making available telemedicine services.
(2) Any part of consent referred in sub-section (1) which constitutes an infringement
of the provisions of this Act or the rules made thereunder or any other law for the time being
in force shall be invalid to the extent of such infringement.
Illustration.
X, an individual, buys an insurance policy using the mobile app or website of Y, an
insurer. She gives to Y her consent for (i) the processing of her personal data by Y for the
purpose of issuing the policy, and (ii) waiving her right to file a complaint to the Data
Protection Board of India. Part (ii) of the consent, relating to waiver of her right to file a
complaint, shall be invalid.
(3) Every request for consent under the provisions of this Act or the rules made
thereunder shall be presented to the Data Principal in a clear and plain language, giving her
the option to access such request in English or any language specified in the Eighth
Schedule to the Constitution and providing the contact details of a Data Protection Officer,
where applicable, or of any other person authorised by the Data Fiduciary to respond to
any communication from the Data Principal for the purpose of exercise of her rights under
the provisions of this Act.
(4) Where consent given by the Data Principal is the basis of processing of personal
data, such Data Principal shall have the right to withdraw her consent at any time, with the
ease of doing so being comparable to the ease with which such consent was given.
(5) The consequences of the withdrawal referred to in sub-section (4) shall be borne
by the Data Principal, and such withdrawal shall not affect the legality of processing of the
personal data based on consent before its withdrawal.
Illustration.
X, an individual, is the user of an online shopping app or website operated by Y, an
e-commerce service provider. X consents to the processing of her personal data by Y for the
purpose of fulfilling her supply order and places an order for supply of a good while making
payment for the same. If X withdraws her consent, Y may stop enabling X to use the app or
website for placing orders, but may not stop the processing for supply of the goods already
ordered and paid for by X.
(6) If a Data Principal withdraws her consent to the processing of personal data under
sub-section (5), the Data Fiduciary shall, within a reasonable time, cease and cause its Data
Processors to cease processing the personal data of such Data Principal unless such
processing without her consent is required or authorised under the provisions of this Act
or the rules made thereunder or any other law for the time being in force in India.
Illustration.
X, a telecom service provider, enters into a contract with Y, a Data Processor, for
emailing telephone bills to the customers of X. Z, a customer of X, who had earlier given her
consent to X for the processing of her personal data for emailing of bills, downloads the
mobile app of X and opts to receive bills only on the app. X shall itself cease, and shall
cause Y to cease, the processing of the personal data of Z for emailing bills.
(7) The Data Principal may give, manage, review or withdraw her consent to the Data
Fiduciary through a Consent Manager.
(8) The Consent Manager shall be accountable to the Data Principal and shall act on
her behalf in such manner and subject to such obligations as may be prescribed.
(9) Every Consent Manager shall be registered with the Board in such manner and
subject to such technical, operational, financial and other conditions as may be prescribed.
(10) Where a consent given by the Data Principal is the basis of processing of
personal data and a question arises in this regard in a proceeding, the Data Fiduciary shall
be obliged to prove that a notice was given by her to the Data Principal and consent was
given by such Data Principal to the Data Fiduciary in accordance with the provisions of this
Act and the rules made thereunder.
Explanation of Section 6 DPDP Act
Section 6 of the DPDP Act outlines the standards and rules for obtaining and managing consent from Data Principals (individuals whose data is collected). It emphasizes that consent must be informed, freely given, and limited to specific and necessary data purposes.
Key Highlights:
- Consent must be:
  - Free from coercion
  - Specific to a purpose
  - Informed and unambiguous
  - Given through affirmative action
- Any illegal or overreaching portion of consent is invalid.
- Consent must be requested in simple language and be accessible in various official languages.
- Withdrawal of consent must be as easy as giving it.
- The Data Fiduciary must ensure that processing stops upon withdrawal unless required by law.
- Consent Managers can assist in managing consent and must be registered with the Data Protection Board.
- The burden of proof regarding valid consent lies with the Data Fiduciary.
Illustration
Example 1: Telemedicine Consent
X installs a telemedicine app that asks for her consent to collect personal data for treatment and access her contact list. Since contact list access isn’t necessary for medical services, her consent only applies to the relevant medical data.
Example 2: Insurance Waiver Invalidity
X agrees to data processing for policy issuance and also agrees to waive her complaint rights. The waiver is invalid and unenforceable.
Example 3: Withdrawing Consent
X uses an online shopping site and gives consent for data usage. After placing and paying for an order, she withdraws her consent. The company must fulfill the existing order but may restrict further access.
Common Questions and Answers on Section 6 DPDP
- What qualifies as “valid consent” under the DPDP Act? Consent must be free, specific, informed, unambiguous, and given through a clear affirmative action. It must also relate only to necessary personal data for the stated purpose.
- Can someone withdraw consent once given? Yes. Section 6(4) allows Data Principals to withdraw consent at any time. The withdrawal mechanism should be as easy as granting it.
- What happens after withdrawal of consent? Data Fiduciaries must stop processing the data and ensure that any Data Processors do the same, unless the processing is otherwise legally authorized.
- Can consent include waiving legal rights? No. Any part of the consent that infringes the law or legal rights (such as the right to file a complaint) is invalid.
- Who ensures the validity of consent in legal proceedings? Under Section 6(10), the responsibility lies with the Data Fiduciary to prove that proper notice was given and that valid consent was obtained.
Conclusion
Section 6 of the Digital Personal Data Protection Act lays the foundation for responsible data governance through a consent-based framework. It ensures individuals have full control over how their personal data is collected and used, with mechanisms for transparency, withdrawal, and enforcement. Understanding and implementing these provisions is essential for any Data Fiduciary to remain compliant and trustworthy.
For expert commentary and more legal resources on the DPDP Act, visit ApniLaw.