The legal landscape on privacy in India seems to be witnessing a tectonic shift, in light of a data protection framework on the horizon — with the publication of the BN Srikrishna White Paper on data protection and the impending release of the final report.
Regulatory interest and awareness about data privacy is an emerging concern not only in India, but worldwide, with the EU General Data Protection Regulation (GDPR) also coming into force this May. In light of these developments, it is crucial to identify concerns that continue to exist despite these changes, so that the nascent Indian framework can best navigate around them.
One such concern is: if consumers wish to access online services without compromising their privacy, can the service provider deny them access just because they refuse to tick the ‘Terms and Conditions’ box?
Informed, Voluntary Consent
In the digital world that we live in, consumers stand to lose significantly in an ‘all or nothing’ scenario, where they must either agree to the data controller’s (that is, entities such as Facebook) privacy policy, or forfeit use of the service altogether.
In such a case, would consent to the data controller’s privacy policy amount to real and free consent?
The Indian data protection framework should not only focus on ensuring informed consent, but also ensure that it safeguards the voluntariness of consent, such that every Indian consumer can exercise the necessary agency that he / she is granted on account of the fundamental right to privacy.
If It Is Conditional, Is It Consent?
Being by far the most comprehensive data protection guideline presently in force under the GDPR, there are six nuanced bases for processing an individual’s data. One of the more contentious of these bases is ‘consent’.
It is upon the ‘consent’ requirement, that Max Schrems, an Austrian lawyer privacy activist has recently mounted his case against four internet giants: Facebook, WhatsApp, Google, and Instagram. His crowd-funded, data protection organisation nyob.eu filed the multi-billion dollar penalty payout complaints within hours of the GDPR coming into effect. According to Schrems, the ‘take it or leave it’ terms and conditions in these services violate the GDPR.
An example in Recital 43 of the GDPR illustrates this concept: it describes a situation wherein access to a service is dependent upon consenting to the privacy policy of the server, even where the information being so collected is not necessary for the provision of such service and states that such consent cannot be construed as ‘free’.
Herein, lies the crux of Schrem’s case.
Mark Zuckerberg, speaking at a VivaTech conference in Paris, emphasized how Facebook had in fact, gone to lengths to ensure GDPR compliance, even putting in place a new ‘consent flow’ which allowed people using Facebook to review what data they were consenting to allow Facebook to access. He added, that the vast majority chose to consent, attributing it to a desire for better targeted advertising among Facebook users. A similar consent flow made its way to European users of Facebook-owned Instagram as well.
Power Imbalance Between Facebook & Users
What Zuckerberg conveniently chose to gloss over was: the only alternative to consenting in Facebook’s ‘consent flow’ was to quit Facebook entirely. In essence, it appears that data subjects have no other pragmatic option, but to consent to Facebook’s privacy policies and terms, on account of the huge power imbalance between the two parties.
Moreover, given the reach and connections that social media giants like Facebook, Instagram and WhatsApp have, and the importance that they hold in most consumers’ interpersonal and business relationships, withholding consent would have a significant negative impact on consumers, or data subjects.
In the Indian context, there is significant cause for any potential data regulatory body to be concerned. Through digitalisation of social security schemes and ‘nudges’ such as demonetisation the individual is often pushed towards availing services online.
For instance, there was a manifold increase in PayTM transactions as a consequence of demonetisation. Often, these services are offered by private corporations that exercise a dominant position in the market such that there is no real alternative.
The absence of any alternative exacerbates dependency on such services undermining the genuineness in the individual’s choices. This brings forth a clear element of coercion, reducing this consent to ‘coerced consent’.
‘Coerced Consent’ in India
The Srikrishna Committee White Paper, published in 2017, acknowledges the lack of bargaining power between the data subject and the data controller as a concern. It recognises the GDPR approach to consent as one of the international best practices. In its seven-point framework, it stresses on the need for consent to be informed and meaningful.
However, in light of the supposedly ‘GDPR- compliant’ policies put out by data controllers (as evidenced above) and the challenges to the same in the EU regime, it appears that ‘informed consent’ may be too low a threshold to evaluate consent. This is because, even in cases where there is no substantial information asymmetry, there may be little to no real choice on account of ‘take it or leave it’, privacy policies adopted by powerful internet giants.
In order for consent to truly be meaningful, it must not only be informed, but also free and voluntary.
That is to say, not only must the individual know that his data is being processed, the individual should really consent to such processing, for which he should have a viable alternative to consenting.
Free and voluntary consent can only be achieved when an individual does not face any detriment upon declining any terms of service — non-acceptance of certain unnecessary terms relating to data processing should not result in negative consequences for the consumer, through discontinuance of the service.
For instance, if a data subject wishes to access a social media website, her name and e-mail address may qualify as information necessary to allow her access. However, her credit card information cannot fall within the same category.
If the site denies the data subject access unless she agrees to all the terms and conditions, it results in the creation of a mechanism that vitiates consent. Data processing pursuant to such vitiated consent should be regarded as unlawful.
A future Indian data protection law should envisage protecting data subjects from processing of data in cases where there is no free, voluntary, and informed consent. The law could allow injunctions against such processing and also provide for the imposition of fines to deter data controllers from breaching this norm. Hopefully, the upcoming Indian data protection framework will conceptualise consent in a manner that accommodates its true meaning, so that the essence of data protection is not lost.
(Mallika Sen is a third year student of the National Law School of India University (NLSIU), Bangalore with an interest in corporate law and legal policy. Siddharth Sonkar is a 4th year student of the National University of Juridical Sciences (NUJS), Kolkata with an interest in law and technology. This is an opinion piece and the views expressed above are the author’s own. The Quint neither endorses nor is responsible for the same.)
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)