I Do, I Do, until I Don't: Consent, Contracts and the Data Protection Bill
The protection of data must come at a cost that has been unknown to the Indian lawmaker; for privacy isn’t an archaic right, nor is the enactment of rules that make for a superstructure enabling an Indian law on the subject. Data protection in India effectively begins at the level of legislation, and legislation is a recent phenomenon.
The Personal Data Protection Bill 2018 is a Savile Row suit stitched for a kurta body, and acclimatization must bear time and consequence. As imported formulations on notions such as Privacy by Design or localization embolden the ecosystem on data protection in India, some formulations seemingly overhaul certain peremptory legal norms in the domestic system.
One such norm is the question of consent. The standard of consent, as understood by the Indian lawmaker, was an inheritance, a colonial remark, making for contracts to be free from forms of coercion or undue influence. This freedom has been understood, contextualized and deliberated over the many years of the existence of a Contract Act. With a new formulation for consent in the Data Protection Act, one must deliberate on the nature of the new law, and on whether the revitalizing of the consent matrix for the purposes of data holds some meaning for the manner in which contracts may be concluded under the previous enactment.
Consent Under The Personal Data Protection Bill
Section 12 of the proposed Act defines the consent required for the processing of data. The standard of consent has five key aspects. Consent must be free, informed, specific, clear and capable of being withdrawn.[i]
One would be hard pressed to find these terms in the original Contract Act. Whilst free consent remains etched in the Contract Act, where it is earmarked to be consent obtained free of coercion, undue influence, fraud, misrepresentation and mistake[ii], the notions of informed, specific or clear consent are innovations, seeking to be fitted into the Indian model.
Informed consent does, however, have certain derivatives. Under Sections 18(1) and 19 of the Indian Contract Act, where a representation of information asserted in a positive manner is found to be untrue, even if it is made under the presumption of truth, the contract is voidable at the option of the party whose consent was so caused. This formulation, however, does not impose an obligation upon parties to obtain informed consent, thereby creating a dissonance with the intent of the data protection law.
The role of informed consent has, however, been held true to the idea of contracts in jurisprudence. The Hon’ble Apex Court has opined that, in cases of medical procedure, a patient must indeed be given “sufficient information for her to understand the nature of the operation, its likely effects, and any complications which may arise…”[iii] This risk too is, however, qualified by the words ‘recognized risk’, thereby reducing informed consent to a pleonasm.
Specific consent is perhaps the best outlined of the consent parameters under the law. The idea of specific consent is, in essence, to trim the excess, to obliterate the requisition of bulk data sets, which are more vulnerable to privacy breaches than specific strains of information. This formulation eventually ties itself down to another contour, that of clarity. Clear consent, representing affirmative action and meaning, is an indicator of a matrix that seeks to exclude grey consent: consent obtained under a lack of denial, which, whilst not violating the provisions of contract law, is also not true consent.
Specific and clear consent thus seek to become the two formulations that enfranchise unambiguous consent, a notion that interpretation of the Contract Act has permitted, streamlining the categorizing of consent in surgery forms and distinguishing consent granted for general surgery from other forms of consent.[iv] The Contract Act further accommodates specific consent, where “specific consent is for the purposes of obtaining specific goods”.[v]
One must end their observations on standard forms of consent with an exposition made by jurisprudence, to see that the ordinary formulation under Contract Law is now adopting a colour of real consent. The Apex Court has observed that consent which is not real consent ‘is a thing totally void under the law’.[vi] This new formulation of data protection may very well become the yardstick by which purveyors of contractual consent shall seek to establish terms of contract.
Withdrawal of Consent
The withdrawal of consent is a novelty in data protection, and a departure from contractual standards. The General Data Protection Regulation (“GDPR”), perhaps the Magna Carta of data protection, intended withdrawal to be a reactionary provision, providing for revision of data processing norms relating to the data set in question at the earliest.[vii]
A formulation adopted by the GDPR, which has been dealt with differently by the makers of the Indian Data Protection Bill, is the ease of withdrawal. It remains a challenge to fully withdraw consent, but the consequences of such a withdrawal are manifold. Illustratively, a withdrawal in the bio-banking field would automatically lead to a wastage of bio-resources.[viii] Withdrawal also prevents archiving, thereby crippling secondary analysis, although the argument that subsequent analysis may also form a clause to a contract is one deserving study.
Another feature of the law is the consequence of such a withdrawal: the data principal shall be the bearer of the legal consequences of such repudiation. One must, however, consider the impact of such withdrawal on the effects of the contracts, and perhaps the withdrawal of consent being tantamount to a material breach.
Section 73 of the Indian Contract Act deals with the question of material breach. The test for material breach depends upon the performance of the essential conditions to the contract, and not conditions collateral. A material breach becomes actionable by the parties, with the party responsible entitled to recover damages.[ix]
As withdrawal measures seek to be exercised, it is pertinent to note that the consent matrix might flirt with material breach in relation to contract. This places an additional burden on contracts: to highlight the data sets essential for the processing of the contract. This essentiality may, however, be tied down to the question of necessity, another feature of the law.
Necessity For Performance of Contract
Pursuant to this standard, the consent framework also draws on the aspect of necessity, which is again related to the functioning of contracts. Data processed for the purpose of a contract, must be necessary in the context of a contract or for the intention of entering into a contract. Necessity means the data processing is a reasonable and proportionate necessity. The necessity herein is greater than a desirable or a convenient form of necessity, but a little short of an indispensable form of necessity.[x]
As necessity continues to languish in a definitional void, one must take recourse to jurisdictions abroad to understand what qualifies as necessity. An identical formulation, adopted by the European Union, has been justified to become the standard of what is ultimately the data that is strictly necessary for the purpose of performing a contract.[xi] To import this notion to Indian law is a tricky component, however. Businesses have for long realized the importance of standard form contracts, with boilerplate clauses seeking to gather data, never founded upon specificity or necessity.
The difficult task with understanding necessity is that jurisprudence across jurisdictions centres around States procuring consent for data processing and the fetters that may be placed on the same. The argument to be made is that firms must be given greater leeway, substituting the public interest under state action with one that places principles of contract law at its heart. One notion that is argued is that the State substitutes necessity with subsidiarity, with subsidiarity pursuing alternative methods for achieving the means of the contract, in other words a less intrusive policy.[xii]
Proportionality, similarly, is a restatement of the techniques which, amongst other principles, shall chiefly attempt to protect privacy and ensure data minimization. The remedy does not stress effectiveness or appropriateness but merely an adequate performance of the data protection function, vis-à-vis data processing.[xiii] A Facebook shall contemplate the processing of data and assess behavioural patterns to provide for a better realized user experience. This form of behavioural targeting is still convoluted, though: whether it is necessary for the performance of contract is an issue on which the companies and the Data Protection Agencies have not found any common ground.
This is true about multi-platform services, with Google, the provider of a varying degree of services, not necessarily legitimizing their services through a contractual framework, but still adhering to norms of data protection.
Innovating consent norms comes at the cost of implementing such norms. The difficulty of the data protection law is that the standard it seeks to implement is one that burdens the data principal. Real consent is a difficult concept, but the realization of real consent in a contractual setting brings forth a grander rethink on the conception of contract. This implementation machinery shall make for interesting arguments on privacy by design, and perhaps, as the provision on the same in the Indian law is a bundle of directives, one shall look at a stronger formulation on the same in the foreseeable future.
The revolt here is the shift from generics to specificity. Contracts can no longer shield stray intentions, nor can they be umbrella contracts, intending for a wide array of functions to be successfully performed based on the obtaining of a single tick in an online box, or a single signature. The data protection law may very well have sounded the death knell for the standard form contract, and one must not contemplate that as a tragedy.
[i] Section 12(2), Personal Data Protection Bill, 2018, available at http://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf
[ii] Section 14, The Indian Contract Act, 1872.
[iii] Sameera Kohli v. Dr Prabha Manchanda, 1 (2008) CPJ 56 (SC).
[iv] Ram Bihari Lal v. Dr. J. N. Srivastava, AIR 1985 MP 150.
[v] ONGC v. Wig Brothers Builders, 2010 (10) SCALE 614.
[vi] Central National Bank v. United Industrial Bank, (1954) 1 SCR 391.
[vii] ‘Consent’, Information Commissioner’s Office available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/.
[viii] Eugenia Politou et al., ‘Forgetting personal data and revoking consent under the GDPR: Challenges and proposed solutions’, Journal of Cybersecurity, Volume 4, Issue 1, 1 January 2018, available at https://doi.org/10.1093/cybsec/tyy001.
[ix] AH McDonald & Co. Pty. Ltd. v. Wells, (1931) 45 CLR 506; Pollock and Mulla, The Indian Contract and Specific Relief Acts, 14th Edition, p. 1149.
[x] Corporate Officer of the House of Commons v. IC,  EWHC 1084.
[xi] ‘Contracts for the supply of digital content and personal data protection’, European Parliament, available at http://www.europarl.europa.eu/RegData/etudes/BRIE/2017/603929/EPRS_BRI%282017%29603929_EN.pdf
[xii] Frederik Johannes Zuiderveen Borgesius, ‘Improving Privacy Protection in the area of Behavioral Targeting’, (PhD Thesis) University of Amsterdam (2014).
[xiii] ECJ, C-524/06, Huber, 16 December 2008.
By KS Roshan Menon, 5th Year, Rajiv Gandhi National University of Law, Punjab