wordpress blog stats
Connect with us

Hi, what are you looking for?

Views: Informed Consent—Fiction, Not Fact

Obtaining user consent is not sufficient to protect their interests; fiduciary duties should be imposed on companies to act in the best interest of their users, the author argues.

By Sachin Dhawan

For many years experts have criticized big tech companies for collecting their users’ data without properly obtaining consent. The Digital Personal Data Protection Bill (DPDPB), 2022, promises to remedy this exploitative status quo by ushering in an era of informed consent. Even the Supreme Court is enthused by this development — in a recent case, it decided to postpone hearings on the privacy policy of global behemoth Whatsapp until the DPDPB is passed.

But even if the DPDPB is passed, informed consent will largely remain a pipe dream. As explained below, users lack the wherewithal to protect their privacy interests in complex contractual transactions with powerful companies. So obtaining user consent is not sufficient to protect their interests, as such consent will inevitably be uninformed. More needs to be done. Consequently, I recommend amending the DPDPB to impose fiduciary duties on companies to act in the best interest of their users. This will prevent companies from taking advantage of uninformed consent.

STAY ON TOP OF TECH POLICY: Our daily newsletter with top stories from MediaNama and around the world, delivered to your inbox before 9 AM. Click here to sign up today!

The Problem: Informed Consent is Illusory 

Scholars such as Daniel Solove explain that it is virtually impossible for users to give informed consent to privacy policies, for a number of reasons.

Advertisement. Scroll to continue reading.

First, the privacy policies of most companies are very long and dense. As a result, most users do not read them and so any consent they give is uninformed. It is not clear whether this practice will change as a result of clause 7(3) of the DPDPB which calls for the use of “clear and plain language” by companies (formally referred to as “data fiduciaries”) requesting consent. Indeed, even though the General Data Protection Regulation (GDPR) – passed in the EU a few years ago – requires privacy notices to be “clear and accessible”, they remain inscrutable.

Second, simplifying privacy policies is also potentially counterproductive. The simpler privacy policies become the more they risk overlooking the nuances of data processing to the point where the information conveyed to users is not accurate. Consent to such oversimplified terms is by definition uninformed.

Third, privacy policies are notoriously full of ‘take it or leave it’ terms that users have to agree with or lose access to the company’s product/service. Very few will be willing to give up access because of the high cost and inconvenience of remaining offline in a digital world. This lack of bargaining power deprives users of the ability to freely consent.

Finally, even if privacy policies become clearer and even if there are no take it or leave it terms (however unlikely that might be), informed consent will still be a mirage. This is because users simply lack the knowledge and expertise to give informed consent to privacy policies. Data practices are extremely complex today and require in-depth mathematical expertise to understand even the basics of what algorithms do with our data.

The Solution: Fiduciary Duties 

Thus, consent by itself will not do much to advance the cause of user privacy. Companies can obtain consent and still exploit users, given the disproportionate power they wield. Fortunately, there is a way to protect users from undue harm in these unequal relationships.

Advertisement. Scroll to continue reading.

That way is imposition of fiduciary duties on companies i.e. the duty to act in accordance with the best interests of their users. This is a duty that is often imposed by the law to protect the interests of weaker parties to a transaction. Arm’s length bargaining is the norm but there are plenty of instances where it does not apply. Take a doctor-patient relationship or an attorney-client relationship, for instance. In such situations, the consent that the patient or the client gives will not be fully informed given that they lack detailed knowledge of and insight into medical and legal practices.

The law solves this dilemma by imposing constraints or duties on the more powerful party in the relationship – in the case of the above example, the doctor and the lawyer. It says that while they can benefit from the relationship, they cannot take undue advantage of their superior knowledge and power over the other party. Doctors have to prioritize the health of their patients even if they can earn more by undermining it. Lawyers have to advance the interest of their clients even if it is more lucrative to violate the trust placed in them. In other words, even though they can get their patients/clients to agree to exploitative arrangements, doctors and lawyers have to nonetheless act in good faith and deal fairly with them.

In a similar way, the imposition of fiduciary duties on data-collecting companies means that they cannot collect as much data as they want even if users will probably agree to any exploitative terms they set. The fact of the matter is that users do not know much about the privacy policies they are consenting to. They are dependent on companies to use their data prudently.

Consequently, companies should be prevented from abusing this vulnerability to undermine their users’ interests. Transgression of this fiduciary duty to be responsible stewards of data should trigger liability for any harm that befalls users. This is where the proposed Data Protection Board and courts can play a key role in cultivating norms and standards for trustworthy company behaviour.

By imposing fiduciary duties, the DPDPB will rein in the power of data-hungry companies to exploit users by relying on the fig leaf of consent. Such duties have been proposed before, in the Srikrishna Committee Report. Reviving them will help bring India’s off-kilter data protection regime back on course.

Sachin Dhawan is a Programme Manager at the Centre for Communication Governance, NLU Delhi.

Advertisement. Scroll to continue reading.

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Also Read:

Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Factors like Indus not charging developers any commission for in-app payments and antitrust orders issued by India's competition regulator against Google could contribute to...


Is open-sourcing of AI, and the use cases that come with it, a good starting point to discuss the responsibility and liability of AI?...


RBI Deputy Governor Rabi Shankar called for self-regulation in the fintech sector, but here's why we disagree with his stance.


Both the IT Minister and the IT Minister of State have chosen to avoid the actual concerns raised, and have instead defended against lesser...


The Central Board of Film Certification found power outside the Cinematograph Act and came to be known as the Censor Board. Are OTT self-regulating...

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ