Discussion Document – Beyond Consent: A New Paradigm for Data Protection

By Rahul Matthan

Download the Discussion Document in PDF [800 KB]


Data protection is confined by consent (Consent Model). Once a data subject’s consent is obtained, a data controller is free to collect, process and use such data for the specified purpose and will not be liable for any consequences that might result from its actions. This places the onus on the individual to be aware of the terms of data access to which he is providing his consent. This clearly benefits data controllers more than data subjects.

This is inadequate in the interconnected, data-reliant world of today. Given that India will be working on a formal law on data protection in the near future, it is imperative that it relies on an alternative to the Consent Model in order to protect the interests of data subjects.

We believe that a rights-based model (Rights Model) will help secure the interests of a data subject sharing his data with data controllers. This Rights Model assures every individual an inalienable right over his personal data. Any data collector that wishes to access a data subject’s personal data must ensure that they do so in a manner that does not violate this inherent data right. This Discussion Document sets out the contours of the Rights Model as a substitute for the Consent Model. The Rights Model has the following features:

  • It assures a set of data rights that are available to everyone.
  • It shifts the burden of evaluating the privacy risk to personal data away from the data subject and onto the data controller, forcing the data controller to be mindful of its processes for data collection, processing, transfer and storage. The Model applies equally to the State when it collects / processes personal data.
  • It focusses on the harm caused to the data subject due to a violation of his data rights, and offers a remedy to him regardless of whether or not he has consented to the terms of a privacy policy. Once a harm is proved, the responsible data controller will be liable for the harm caused to the data subject.

