Consent and Algorithmic Decision-Making under the DPDP Act, 2023: A Regulatory Paradox

Authors

  • Tasmai Mandal

DOI:

https://doi.org/10.37591/njcsl.v9i1.2007

Keywords:

DPDP Act, 2023, Consent, Algorithmic Decision-Making, Data Protection, Informational Auton

Abstract

The Digital Personal Data Protection Act, 2023 (the DPDP Act) is built on a consent-focused vision of data regulation, in which consent is the default rule for data processing as well as the main manifestation of informational independence. The paper explores how such an architecture performs where individual information is persistently embedded within algorithmic systems that categorize, rank, and make predictions about individuals in a manner that influences access to opportunities and services. The paper asserts that, in the modern platform space, consent is frequently manufactured instead of meaningfully exercised: interface design, defaults, bundling, and functional dependency structure choice, and computational inference increases the range of what is actually processed beyond what a user can reasonably anticipate at the time of collection. Consent is therefore more than a processing gateway; it is a gateway to a decision ecosystem based on downstream inference. Building on this, the paper locates a temporal discrepancy at the core of consent-based legitimacy: autonomy manifests episodically, at onboarding, whereas algorithmic assessment proceeds continuously over the long term. Although the DPDP Act provides a set of conditions under which valid consent and notice can be given, it does not introduce a broader statutory framework for exclusively automated decision-making, such as rights to explanation, contestation or meaningful human review, similar in logic to Article 22 of the GDPR. The article offers a doctrinal and structural criticism of the idea of entry-based accountability and suggests specific reforms, namely anti-dark-patterns consent rules, profiling/inference transparency requirements, and review-and-contestation protections against significant-effect automated decisions.

Published

2026-03-05