11 September 2018

IPC Section 377 and Publishing Explicit Content

In India, the legality of publishing explicit content hinges on three factors : obscenity, privacy, and consent.

Focusing on consent in the wake of the IPC Section 377 judgment:

Without the consent of persons featuring in explicit content, it is generally illegal to film, photograph or otherwise record such content, or to disseminate it in any manner. An exception to this general rule (which makes legal recording and disseminating more difficult) is indicated by Section 377 of the Indian Penal Code which criminalises 'carnal inter­course against the order of nature with any man, woman or animal'. This Section makes the acts which fall within its scope illegal, so it follows that regardless of the consent of those who engage in such acts, it would be very questionably legal to disseminate content featuring the acts as they are illegal and engaging in them cannot be legalised by consent.

Except for a brief interval from 2009 to 2013, since the time it was introduced into the Indian corpus juris by the British, IPC Section 377 has criminalised all sex other than possibly procreative M/F sex. There was some confusion brought in by the 2013 amendment to the Indian Penal Code which, through an amendment to the definition of rape in Section 375, suggested that non-procreative M/F sex could be considered non-criminal if it was engaged in with the consent of the woman involved. However, all M/M and F/F sex continued to be considered criminal by virtue of Section 377 of the Code.

There has never been any explicit statutory hierarchy or separation between IPC Sections 375 dealing with rape and 377 dealing with supposedly unnatural acts, so the interaction of the two provisions remains in need of judicial clarification.

What has changed, however, is that on September 6, 2018, the Supreme Court read down IPC Section 377 with the effect of decriminalising sexual relations between consenting adults. Although, in reference to the overlap with IPC Section 375, the judgment isn't entirely clear, it is clear that consensual homosexual acts have ceased to be criminal.

This subtly changes the law on the legality of publishing explicit content featuring homosexual acts. Since the acts themselves are no longer illegal, the barriers to publishing content featuring them have been lowered, and it would likely be easier to consent to the their being recorded and, possibly, if one were a participant, monetised through dissemination.

The details of how the how the 'new' law will be applied remain to be seen. As I'd argued in a piece over at Scroll:

"Decriminalising consensual sexual acts, as the Supreme Court has done, is important but the devil will lie in the details and in how the Indian body of law is recalibrated. One can only hope that those who have had no recourse but to rely on the provision [Section 377] to address sexual violations that would not otherwise be criminal are not left out and forced to endure without adequate legal recourse to address the wrongs done unto them. Ensuring that the law respects the agency and autonomy of individuals, too, will likely require careful consideration and a range of proactive measures."

[Read the whole piece here: Section 377: Decriminalising homosexuality is great, but the fight for true equality is not yet over]

The Supreme Court's decision in Navtej Singh Johar, the case in which IPC Section 377 was toned down, is incredibly important but it is not a story complete. The publication of explicit content is but one narrow issue. More important are the many steps which are yet to be taken to establish an equal society without reference to the positions of individuals on the spectrums of sex, gender identity, and sexual orientation.

(This post is by Nandita Saikia and was first published at IN Content Law.)

4 August 2018

Structuring Privacy through Confidentiality Obligations

Privacy has, of course, assumed centrestage in recent years with concerns about data and how to handle personal information becoming increasingly urgent. The Indian Supreme Court issued a decision in August 2017 which was unarguably in support of privacy although it recognised that the right could not be absolute.

At the time, I'd written in a piece in Business Standard saying: "The Supreme Court has done more for Indians in its judgment on privacy which was released yesterday than many had the temerity to hope for. The nine judges who heard the case have developed a comprehensive jurisprudence of privacy for India through six largely-concurring judgments appended to each other (with one of them having been signed by four of the judges). They have effectively harmonised the law which had earlier been developed on a case-by-case basis by providing a doctrinal basis for it, and, critically, they have held, without a shadow of doubt, that privacy is a fundamental right."

The months since the judgment was rendered have seen the emergence of an increasingly polarised debate about privacy which has, unfortunately, been marked by widely-accepted suggestions in some quarters about the legitimacy of structuring privacy protections based on consent instead of on rights. What this, if it were ultimately accepted, means is that being able to protect one's privacy would, in large part, be dependent on one's ability to impose confidentiality obligations on others and on one's willingness to adhere to non-disclosure commitments oneself.

In other words, a consent-based model of privacy protection would require those within its remit to possess a basic degree of legal literacy which would enable them to understand the implications of non-disclosure agreements, at the very least. This poses problems in a country where basic literacy itself is far from universal but, amongst the literate, it is not unachievable.

The structure of non-disclosure agreements or NDAs is fairly simple. The information sought to be protected is clearly defined in terms of its nature and the period during which it is disclosed; information either not listed or not disclosed within the disclosure period is generally not subject to contractual confidentiality obligations. A separate confidentiality period is also defined during which the receiving party is required to keep confidential information disclosed to it private. However, confidentiality obligations even during the confidentiality period are subject to agreed exclusions such as allowing necessary disclosure to law enforcement perhaps with notice to the disclosing party, and allowing any disclosure of what would otherwise have been confidential information to anyone in respect of information which is demonstrably in public domain but not as a result of the receiving party having breached its confidentiality obligations. Agreements also tend to contain either remedial or punitive provisions which are intended to come into play in case confidentiality obligations are breached; these provisions may involve monetary reparation, indemnification, or some other arrangement which the parties agree to.  

Provided one doesn't fall foul of the 1872 Contract Act, Indian law allows parties a great deal of leeway to structure confidentiality obligations in a manner that makes sense to them. There are, however, a few statutes which recognise privacy as a right and which could be considered to impose supra-contractual statutory requirements on to parties. For example, Section 23 of the 2017 Mental Healthcare Act begins by stating: “A person with mental illness shall have the right to confidentiality in respect of his mental health, mental healthcare, treatment and physical healthcare,” and then goes on to impose specific obligations on certain people.

The effect of statutory provisions such those recognising the rights of people with mental healthcare concerns to confidentiality is that, in some cases, individuals are granted the option of choosing how to structure their privacy requirements within the framework of basic rights which they, hopefully, cannot simply sign away in toto. This helps level the field in cases where the power dynamic between parties is so skewed that “consent” becomes meaningless.

It is perhaps important that we inch towards developing a stronger framework which recognises limited choice within rights rather than one which could potentially legitimise unlimited choice despite rights. Ultimately, in a world rife with choice inhibition, we shouldn't be able to sign away, possibly by oversight, what should be inalienable rights.

28 July 2018

First Impressions: The Data Protection Bill

The Personal #DataProtection Bill appears to be an exercise in contouring human rights to serve capitalism. It clearly recognises privacy as a fundamental right at the outset itself but links the importance of data protection to the economy alone.

Considering the structure of the Data Protection Bill indicated at the outset, it's unsurprising that it makes many of the right noises in terms of recognising rights but, when it comes to ensuring that the ideal is achieved, it often falls short.

The first post-definitional line speaks of "Fair and reasonable processing", for example, and that sounds fab BUT it is a policy statement. Sans clear rules, it isn't enough.

(You know where else "fair" is used. Copyright law. Fair dealing. The result: piles of litigation about what constitutes fairness.)

Without specifics, expect litigation. Which, of course, few have the wherewithal to engage in.

Where there's been the opportunity to circumscribe what can be done with others' personal data, the opportunity has largely been squandered in a morass of provisions that are vague and often consent-centric, where consent is required at all. 

Even the requirement of consent, though it finds mention in the Data Protection Bill, may be inadequate. The definition of data processing is, for example, effectively all encompassing and the requirement that consent be "specific" for data to be processed is geared to specifying the aim of processing in the case of personal data. Although specificity additionally contemplates operational specificity in the case of sensitive personal data, given that the two categories of data are relatively fluid, it isn't obvious that the specificity requirement in relation to consent would be enough to protect individuals. 

There appears to be an emphasis on accountability which is arguably betrayed by the contemplation of "privacy by design" in the Bill. However, accountability mechanisms may not be appropriate or adequate simply because restorative justice isn't a certainty: if wrongful disclosure leaves one ostracised or dead (as is possible in a hierarchical, often-violent society) there's no undoing damage.

Privacy, by design or otherwise, may mean next to nothing without suitable pre-breach protection. Accountability mechanisms may be adequate if one's focus is the market and one limits oneself to addressing the annoyance caused by a pop-up. It is entirely inadequate in many other circumstances.

Compounding concerns is the fact that the #DataProtection Bill is consent-centric & there is also the worry that those who wrongfully disclose data could escape accountability on the technicality of having "consent" (if they do) which, of course, is easily obtained in the real world.

Consent centricity expects techno-legal savvy which most lack & is a concern. It isn't at all clear why a consent-centric model has been adopted instead of a rights-focused one in which what should ideally be inalienable rights cannot possibly be waived by contract. 

A rights-focused model would also have ameliorated concerns about data processing without consent. Not all data processing without consent is immediately bad (eg to enforce court orders) but, bereft of a viable rights-based approach (eg explicitly limiting processing to what's essential for the purpose), it's susceptible to misuse. And that is obviously problematic.

Even if the Data Protection Bill is passed sans amends, there remains the opportunity to refine & improve it via subordinate legislation. That's not an ideal solution but it's better than nothing.

That said, given the gravity of existing concerns, one can only hope that the Bill's revised.

(Edited & cross-posted from Twitter; updated on 29 July 2018.)


This site is supported by FrontierNxt.