In our other reports on the Consent panel at the #NAMAprivacy conference in Delhi, we look at whether we need a data protection and privacy regulator in India, and ways of making consent work.
A large part of the discussion today, when it comes to regulation, is around the idea of consent. At the #NAMAprivacy conference, we debated the premise that consent is broken and looked into whether it should be done away with entirely. A clear case in point, as Renuka Sané, Associate Professor at NIPFP, pointed out is when it comes to the finance sector and disclosure norms: “When you buy a financial product, there are many things written on a page, and you agree to the terms and conditions”, and you find out later that it was mis-sold.” Another case in point is app downloads: most users aren’t aware, or even read the provisions before clicking “I agree” to terms and conditions, or even downloading apps.
Sumant Srivathsan of the Publicis Groupe said that a part of his problems with the consent infrastructure in place today is that “it’s obfuscating language, and when the language is designed to either confuse or obfuscate the person from whom consent is being acquired, that’s bad faith.” It’s like boring a guy into saying yes, he added.
In response to a question from APCO Worldwide’s Shruti Rao, about whether it might be better to make companies mandate that the terms of agreement should be simple and explanatory, Chinmayi Arun,
Chinmayi Arun, Executive Director of the Centre for Communication Governance at the National Law University, Delhi felt that though that would be helpful, there will be tradeoffs as well: ” the more precise you get the less accessible the rule is to other people. It’s important to know that there’s where the challenge lies: you want the rule to be as specific as possible in terms of what it can and cannot do. It sticks to what the broader objective of the rule is, but you also want it to be accessible, and its not easy.”
But is consent really broken?
A point of view currently being promoted is by lawyer Rahul Matthan, who proposes a rights based approach as a substitute for a consent based approach to privacy, saying that “it shifts the burden of evaluating the privacy risk to personal data away from the data subject and onto the data controller, forcing the data controller to be mindful of its processes for data collection, processing, transfer and storage.” That consent is broken, and we should shift to a rights based model.
Jochai Ben-Avie, Senior Global Policy Manager at Mozilla, believes that consent isn’t really broken, as a principle: “I think we have to ask if we have a problem with consent in terms of implementation or do we have a problem with consent as a principle of law. I would argue that we have a problem with implementation.”
Should we do away with consent?
Sané likened problems in data protection as being similar to those in finance: issues of information overload and bounded rationality. The problem: “you’re given a binary choice, you either consent or not. You can’t say that for these things, I’m giving you my consent, and for these things, you’re not.”
But that doesn’t mean that “we should go to the other extreme of having no consent at all”, she added.
Ben-Avie concurred, saying “To realise these notions of privacy, we must realise the notion of agency and self determination. If we do away with consent, we’re doing away with agency. Consent is critical to the rights based framework. We can’t stop at consent. It’s a starting point. It’s where the user indicates their wishes around how their data should be controlled, managed, processed and so forth. The rights based model draft by Rahul Matthan, which is floating around has pointed to the need for their being more accountability. It can’t just be consent based. We need transparency, training and education, rules around sharing, breach, and so forth.”
Chinmayi Arun later warned towards the danger of removing consent, saying that “You take something like a website that is not permitted to display intimate pictures of people without their consent. If you don’t require that consent has to be proved, then you would have a situation where a lot of peoples consent is violated because the burden of proof has shifted. That’s something to consider in how we build a consent paradigm.”
When do we know that we have consent?
Aditya Berlia, of the Svrán Group, pointed towards what he believed is the “diamond standard of consent”, around medical information: “you want [medical] data from somebody? Write up a proposal: why you want this data, what will you use it for, where will it go, and then send this to an independent research board. They will then say that we allow this research project. You then go to, enrol participants, have to give a concept called informed consent, where you have to sit with them and explain what you’re doing and why you’re doing it. When this informed consent came to India, you had to record the sessions on camera, where you explain everything to them in the local language. Finally, they sign on it, and the signature has to have a witness, and hopefully videographed. That’s the diamond standard of consent looks like. It’s the absolute extreme. The other absolute extreme is like, this one screen, a couple of icons, and click OK.”
To the point about continued consent, Sané had earlier pointed towards the fact that it consent also becomes more difficult because the time lag between when you’re giving the data, and when you find out what has happened to the data. The features of the product will play out over 10 years. Many times the data controller doesn’t know what it’s going to be used for.
Berlia’s question left us with much to think about: “At what point do we say that we have arrived at consent, and that this is a legitimate consent given by a person? Please also remember that when you’re giving informed consent, there’s a notion of active consent, which has become a huge issue due to marital rape laws and sexual harassment and assault, where you’re saying that you have to keep seeking continuous consent otherwise at some point you’re in sexual assault or sexual harassment. It’s an active consent, and an informed consent system. To me, the one thing that I’ll add to it, and this goes back to the legal contract system, that if it won’t hold up in court, it’s not real consent. If you can’t take that terms of service and say you take it to a judge, a lot of laws still have to be framed.”
Ben-Avie pointed towards the EU’s Global Data Protection Regulation, which says that “consent of the data subject means any freely given specific, informed and unambiguous indication of the data subjects wishes by which he or she by statement or by clear affirmative action signifies agreement to the processing of personal data relating to him or her”. “That means,” he added, “that a tick box doesn’t work.”
The Right to Privacy judgment on consent
Responding to a question on the Right to Privacy judgment, Chinmayi Arun first highlighted the fact that, as per the judgement from four of the judges (five others wrote their own) there has to be an actual law for data protection, and the law has to meet “a legitimate state aim”, which is a phrase not used otherwise in Indian law. Lastly the manner in which the restriction takes place will have to be proportionate. “There will be litigation around that.”
“The SC has been very clear that all three boxes have to be checked if you’re violating the right to privacy. It gave examples of one category: what may be a legitimate state aim. National security may be a legitimate state aim, but it doesn’t mean that he manner in which privacy is being violated to ensure national security checks the other two boxes.”…”When it comes to Aadhaar,” she continued, “one interesting thing that they did is, they only talked about the welfare components and not about the linking of PAN. It hasn’t talked about any of that. Even with welfare, is the manner in which it is being done is proportional?”
What we’ve gotten is a broad principle, and “specific procedures for phone tapping and aadhaar will be developed by the judiciary in the future, using perhaps the standard emerging from this judgment.”
“Privacy was linked with dignity, which means in a lot of contexts you can’t give it up. [Justice] Chandrachud was also clear that not all elements of privacy are of a fundamental right standard and then also not linked to dignity. Slowly we will start developing a sense. Norms will develop about what falls within the fundamental right and what doesn’t. I may be willing to give you consent for cash to take a test what colours I prefer. It could be commercial for data that you might want from a focus group. It doesn’t look like a violation of privacy, but if what you were taking from me was linked closely to my identity and dignity, then the answer might be different.
The #NAMAprivacy conference was supported by Google, Facebook and Microsoft. To support/sponsor #NAMAprivacy discussions, contact firstname.lastname@example.org