By Sachin Dhawan
For many years experts have criticized big tech companies for collecting their users’ data without properly obtaining consent. The Digital Personal Data Protection Bill (DPDPB), 2022, promises to remedy this exploitative status quo by ushering in an era of informed consent. Even the Supreme Court is enthused by this development — in a recent case, it decided to postpone hearings on the privacy policy of global behemoth Whatsapp until the DPDPB is passed.
But even if the DPDPB is passed, informed consent will largely remain a pipe dream. As explained below, users lack the wherewithal to protect their privacy interests in complex contractual transactions with powerful companies. So obtaining user consent is not sufficient to protect their interests, as such consent will inevitably be uninformed. More needs to be done. Consequently, I recommend amending the DPDPB to impose fiduciary duties on companies to act in the best interest of their users. This will prevent companies from taking advantage of uninformed consent.
STAY ON TOP OF TECH POLICY: Our daily newsletter with top stories from MediaNama and around the world, delivered to your inbox before 9 AM. Click here to sign up today!
The Problem: Informed Consent is Illusory
Scholars such as Daniel Solove explain that it is virtually impossible for users to give informed consent to privacy policies, for a number of reasons.
First, the privacy policies of most companies are very long and dense. As a result, most users do not read them and so any consent they give is uninformed. It is not clear whether this practice will change as a result of clause 7(3) of the DPDPB which calls for the use of “clear and plain language” by companies (formally referred to as “data fiduciaries”) requesting consent. Indeed, even though the General Data Protection Regulation (GDPR) – passed in the EU a few years ago – requires privacy notices to be “clear and accessible”, they remain inscrutable.
Second, simplifying privacy policies is also potentially counterproductive. The simpler privacy policies become the more they risk overlooking the nuances of data processing to the point where the information conveyed to users is not accurate. Consent to such oversimplified terms is by definition uninformed.
Third, privacy policies are notoriously full of ‘take it or leave it’ terms that users have to agree with or lose access to the company’s product/service. Very few will be willing to give up access because of the high cost and inconvenience of remaining offline in a digital world. This lack of bargaining power deprives users of the ability to freely consent.
Finally, even if privacy policies become clearer and even if there are no take it or leave it terms (however unlikely that might be), informed consent will still be a mirage. This is because users simply lack the knowledge and expertise to give informed consent to privacy policies. Data practices are extremely complex today and require in-depth mathematical expertise to understand even the basics of what algorithms do with our data.
The Solution: Fiduciary Duties
Thus, consent by itself will not do much to advance the cause of user privacy. Companies can obtain consent and still exploit users, given the disproportionate power they wield. Fortunately, there is a way to protect users from undue harm in these unequal relationships.
That way is imposition of fiduciary duties on companies i.e. the duty to act in accordance with the best interests of their users. This is a duty that is often imposed by the law to protect the interests of weaker parties to a transaction. Arm’s length bargaining is the norm but there are plenty of instances where it does not apply. Take a doctor-patient relationship or an attorney-client relationship, for instance. In such situations, the consent that the patient or the client gives will not be fully informed given that they lack detailed knowledge of and insight into medical and legal practices.
The law solves this dilemma by imposing constraints or duties on the more powerful party in the relationship – in the case of the above example, the doctor and the lawyer. It says that while they can benefit from the relationship, they cannot take undue advantage of their superior knowledge and power over the other party. Doctors have to prioritize the health of their patients even if they can earn more by undermining it. Lawyers have to advance the interest of their clients even if it is more lucrative to violate the trust placed in them. In other words, even though they can get their patients/clients to agree to exploitative arrangements, doctors and lawyers have to nonetheless act in good faith and deal fairly with them.
In a similar way, the imposition of fiduciary duties on data-collecting companies means that they cannot collect as much data as they want even if users will probably agree to any exploitative terms they set. The fact of the matter is that users do not know much about the privacy policies they are consenting to. They are dependent on companies to use their data prudently.
Consequently, companies should be prevented from abusing this vulnerability to undermine their users’ interests. Transgression of this fiduciary duty to be responsible stewards of data should trigger liability for any harm that befalls users. This is where the proposed Data Protection Board and courts can play a key role in cultivating norms and standards for trustworthy company behaviour.
By imposing fiduciary duties, the DPDPB will rein in the power of data-hungry companies to exploit users by relying on the fig leaf of consent. Such duties have been proposed before, in the Srikrishna Committee Report. Reviving them will help bring India’s off-kilter data protection regime back on course.
Sachin Dhawan is a Programme Manager at the Centre for Communication Governance, NLU Delhi.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
Also Read:
- DPDP Bill, 2022: Personal data processing now primed with ‘deemed consent’, and other changes
- #NAMA Children and Privacy on the internet: Should there be a blanket age of consent for using online services?
- How function of state may limit informed consent: Examining Clause 12 of the Data Protection Bill
