Last month I wrote on the blog that in India we seem to be waiting for plain language to be made a compliance requirement. I couldn’t have spoken sooner.
The Digital Personal Data Protection (DPDP) Act [pdf] lays down the rules for collection, storage, and use of personal data online. A rule under this Act requires companies to collect informed consent from their users on the data they collect and be clear about the exact purpose they are going to use it for.
And guess what? They need to ask for consent in plain language.
“Every request for consent under the provisions of this Act or the rules made thereunder (sic) shall be presented to the Data Principal in a clear and plain language, …” [Emphasis mine.]
(Data principal here means the person who owns the data.)
The DPDP Act is largely inspired by Europe’s General Data Protection Regulations (GDPR), though it is different in some respects, too. However, both require plain language. Here’s what the GDPR says:
“Requests for consent must be ‘clearly distinguishable from the other matters’ and presented in ‘clear and plain language’.”
Are Indian companies equipped to create a plain language consent form?
No. And neither are they equipped to comply with most of the Act. DPDP has fundamentally questioned the way Indian companies do business. Most of them simply do not bother about privacy. And now they are being asked to obtain consent that is “free, specific, informed, unconditional, with a clear affirmative action”. That’s a big ask.
The Act also lets the data principal withdraw consent at any time, after which the companies can no longer use or store their data. All of this must be complied within May 2027. As one can imagine, companies are scrambling to meet the deadline.
So my guess is that no one is bothered much about drafting a plain language consent form. I’d be happy to be proved wrong.
None of the news articles and blog posts I skimmed mention the term “plain language”. They do talk about clarity in the consent form. But how will companies go about achieving clarity without being aware of plain language guidelines is anybody’s guess. And, if their consent forms are not in plain language, they cannot be in true compliance of the law.
It doesn’t help that the Act itself is not in plain language. That’s a missed chance to set an example. However, some wins are that it provides helpful snippets in the margins which highlight important parts of the Act (see screenshot below).
.png)
Overall, I would celebrate the fact that India’s new digital privacy act demands clarity and actually mentions plain language, not to forget its pathbreaking use of “she” and “her". But we need to keep moving ahead.
(Pic credit: Pexels, Mohammed Yasir https://www.pexels.com/@mohammad-yasir-3365802/.)
No comments:
Post a Comment