In today’s data-driven era, an individual’s identity is their sole tangible possession, emphasising the critical need for informed consent in data collection practices. Before any personal data is collected from a user, one must give consent for it to be collected and used for a specified and agreed-upon purpose. Every time we consent to a terms of service agreement or privacy policy, we become mere data for an app, Artificial Intelligence (AI), or website.
Free and informed consent is the fundamental principle underpinning any legislation concerning data protection. The extent to which one can safeguard one’s identity and personal data hinges upon the consent granted for data sharing. And yet, when a user is a person with a disability (PwD), the question of free and informed consent becomes hazy. In theory, whilst they should have equal legal capacity to consent, an analysis of existing laws presents a contrasting picture.
In India, after much deliberation, the newly enacted Digital Personal Data Protection Act, 2023 (DPDP Act) aims to regulate the collection and storage of digital personal data by entities known as ‘data fiduciaries’. It lays down a framework to strike a balance between ‘the right of individuals to protect their personal data’ and ‘the need to process such personal data for lawful purposes’.
Rights and personal needs
Section 9(1) of the DPDP Act provides for the processing of personal data and states that a data fiduciary, before processing any personal data of a child or a person with a disability who has a lawful guardian, must obtain verifiable consent of the parent of such child or the lawful guardian. In simpler terms, this means that a person with a disability who has a legal guardian appointed for them cannot give consent on their own. This provision grossly undermines the mental capability and autonomy of a PwD to make a decision independently.
To begin with, noscitur a sociis, a rule of interpretation, suggests that the meaning of the word should be determined by considering the words with which it is associated in the context. Applying this principle, the drafters seem to align a PwD’s capacity to consent with that of a child, contrasting the preamble to the Rights of Persons with Disability (RPWD) Act, 2016.
The preamble emphasises the importance of respecting individual autonomy, including the freedom to make one’s own choices and independence of persons, for empowering people with disabilities. Therefore, the DPDP Act implies that an amputee, being a person with a disability, cannot make their own decision regarding their data, contradicting the principles of self-determination and independence upon which the RPWD Act is based. The only category of a person with a disability who may need someone to make decisions for them would be severe cases of intellectual disability. However, the law does not provide such an exception; it includes all disabilities.
This contradicts the kind of inclusion we should strive towards as a society. Similar implications of incapacity to consent can be found in other laws in India too. Consider, for example, the Indian Contract Act of 1872, which states that any person with a sound mind, i.e. “capable of understanding and of forming a rational judgment as to its effect upon his interests.” and above the age of 18, is capable of entering into a contract. The provision in the DPDP Act seems to insinuate that a person with disability is not a person with a sound mind and would, therefore, require a guardian’s consent in situations involving the collection of digital personal data. However, it is crucial to note that out of the 21 types of disabilities identified under the RPWD Act, only six (Intellectual Disability, Mental Illness, Autism Spectrum Disorder, Cerebral Palsy, Chronic Neurological conditions, Specific Learning Disabilities) have a potential impact on a person’s intellectual abilities. All other persons with disabilities are of sound mental faculty and capable of making decisions like anyone else.
One could argue that the DPDP Act only pertains to PwDs with a lawful guardian and not all persons with disabilities. The RPWD Act specifies the appointment of guardians only when individuals are incapable of making decisions independently. However, how would a data fiduciary verify whether the person giving consent is a person with a disability and whether they have a legal guardian? This provision could potentially refer only to individuals with intellectual disabilities. The Mental Health Care Act of 2017 allows persons over 18 years to make advance directives on the mental health care they should receive. Nevertheless, one key question lingers: Are persons with intellectual disabilities or mental illnesses considered to be of ‘unsound mind’ and, therefore, incapable of making decisions regarding their data?
Redefining consent
Two possible approaches to address this inconsistency in the laws could be to either eliminate the language in Section 9 that grants consent-giving authority to the legal guardian of a person with a disability or to specify the types of disabilities to which the provision might apply. In the current framework, food delivery apps, travel booking apps and others of the same kind continuously collect user data, and adding an extra step for the consent of persons with disabilities fails to resolve the underlying issues of consent and independence.
To foster inclusive societies, it is essential to recognise that persons with disabilities constitute a significant portion of the population and cannot be dismissed as individuals of ‘unsound mind’ who must rely on a legal guardian to determine whether they can share their email addresses. Given that the lives of persons with disabilities often involve significant reliance on others for day-to-day tasks, digital platforms and society at large must ensure that their sense of self-determination is safeguarded by upholding their autonomy in decision-making regarding their data.
(The writer is a human rights lawyer with the Policy & Advocacy team at The Association of People with Disability (APD).