Srikrishna panel recommends changes for data processing framework
The "opacity" of consent and data sharing on the internet today is the foundation of several fears of data protection, the panel noted.
Citing flaws in the current consent mechanism in the digital world, the Justice Srikrishna panel on data protection has recommended sweeping changes to this framework to make data collectors liable for harm caused to an individual "as if the consent form were a product".
Making consent the touchstone and "lawful basis" of processing personal data, the panel has suggested a revamp in the consent mechanism under the new data protection framework, asserting that consent has to be free, informed, specific, clear and capable of being withdrawn, for it to be valid.
For sensitive personal data -- that entails passwords, financial data, health information, sex life, sexual orientation, biometric and genetic data, caste or tribe, and religious or political beliefs -- consent will have to be "explicit", the panel has said.
"However, the law will adopt a modified consent framework which will apply a product liability regime to consent thereby making the data fiduciary liable for harms caused to the data principal," the panel said in its recommendations.
"Consequently, individuals do not read them; even if they attempt to, they might not understand them; even if they understand them, provisions to give meaningful consent in a granular fashion are absent," the panel rued.
"So prevalent have such boilerplate contracts become in the online world, that courts too have often recognized their legal validity, irrespective of the unequal bargaining power of parties and doubts about how informed the giving of consent might have been," it said.
"The consequence of incorporating product liability into consent forms means that data fiduciaries will be liable as if the consent form were a product. This implies liability for any harm that is caused to a data principal pursuant to the latter providing consent, as a consequence of such processing," the panel said.
The high level panel, in its report submitted to the government, has said that the obligations on data collectors in relation to the notice provided to individuals should entail collection of personal data that is necessary for providing service to an individual, communicating the same through a clear notice, ensuring that contractual terms that are potentially onerous or harmful are brought to the notice of an individual to who the data belongs, seeking affirmative consent from individual without any pre-checked boxes, and providing granularity (detailing in choice) that allows individuals to access services without necessarily being subject to an 'all or nothing' principle.
The panel has suggested that "model forms" in this regard could be laid down by the proposed 'Data Protection Authority' through codes of practice.
(This story has not been edited by Devdiscourse staff and is auto-generated from a syndicated feed.)