4 August 2018

Structuring Privacy through Confidentiality Obligations

Privacy has, of course, assumed centre stage in recent years with concerns about data and how to handle personal information becoming increasingly urgent. The Indian Supreme Court issued a decision in August 2017 which was unarguably in support of privacy although it recognised that the right could not be absolute.

At the time, I'd written in a piece in Business Standard saying: "The Supreme Court has done more for Indians in its judgment on privacy which was released yesterday than many had the temerity to hope for. The nine judges who heard the case have developed a comprehensive jurisprudence of privacy for India through six largely-concurring judgments appended to each other (with one of them having been signed by four of the judges). They have effectively harmonised the law which had earlier been developed on a case-by-case basis by providing a doctrinal basis for it, and, critically, they have held, without a shadow of doubt, that privacy is a fundamental right."

The months since the judgment was rendered have seen the emergence of an increasingly polarised debate about privacy which has, unfortunately, been marked by widely-accepted suggestions in some quarters about the legitimacy of structuring privacy protections based on consent instead of on rights. What this, if it were ultimately accepted, means is that being able to protect one's privacy would, in large part, be dependent on one's ability to impose confidentiality obligations on others and on one's willingness to adhere to non-disclosure commitments oneself.

In other words, a consent-based model of privacy protection would require those within its remit to possess a basic degree of legal literacy which would enable them to understand the implications of non-disclosure agreements, at the very least. This poses problems in a country where basic literacy itself is far from universal but, amongst the literate, it is not unachievable.

The structure of non-disclosure agreements or NDAs is fairly simple. The information sought to be protected is clearly defined in terms of its nature and the period during which it is disclosed; information either not listed or not disclosed within the disclosure period is generally not subject to contractual confidentiality obligations. A separate confidentiality period is also defined during which the receiving party is required to keep confidential information disclosed to it private. However, confidentiality obligations even during the confidentiality period are subject to agreed exclusions such as allowing necessary disclosure to law enforcement perhaps with notice to the disclosing party, and allowing any disclosure of what would otherwise have been confidential information to anyone in respect of information which is demonstrably in the public domain but not as a result of the receiving party having breached its confidentiality obligations. Agreements also tend to contain either remedial or punitive provisions which are intended to come into play in case confidentiality obligations are breached; these provisions may involve monetary reparation, indemnification, or some other arrangement which the parties agree to.

Provided one doesn't fall foul of the 1872 Contract Act, Indian law allows parties a great deal of leeway to structure confidentiality obligations in a manner that makes sense to them. There are, however, a few statutes which recognise privacy as a right and which could be considered to impose supra-contractual statutory requirements on parties. For example, Section 23 of the 2017 Mental Healthcare Act begins by stating: “A person with mental illness shall have the right to confidentiality in respect of his mental health, mental healthcare, treatment and physical healthcare,” and then goes on to impose specific obligations on certain people.

The effect of statutory provisions such as those recognising the rights of people with mental healthcare concerns to confidentiality is that, in some cases, individuals are granted the option of choosing how to structure their privacy requirements within the framework of basic rights which they, hopefully, cannot simply sign away in toto. This helps level the field in cases where the power dynamic between parties is so skewed that “consent” becomes meaningless.

It is perhaps important that we inch towards developing a stronger framework which recognises limited choice within rights rather than one which could potentially legitimise unlimited choice despite rights. Ultimately, in a world rife with choice inhibition, we shouldn't be able to sign away, possibly by oversight, what should be inalienable rights.

28 July 2018

First Impressions: The Data Protection Bill

The Personal #DataProtection Bill appears to be an exercise in contouring human rights to serve capitalism. It clearly recognises privacy as a fundamental right at the outset itself but links the importance of data protection to the economy alone.

Considering the structure of the Data Protection Bill indicated at the outset, it's unsurprising that it makes many of the right noises in terms of recognising rights but, when it comes to ensuring that the ideal is achieved, it often falls short.

The first post-definitional line speaks of "Fair and reasonable processing", for example, and that sounds fab BUT it is a policy statement. Sans clear rules, it isn't enough.

(You know where else "fair" is used. Copyright law. Fair dealing. The result: piles of litigation about what constitutes fairness.)

Without specifics, expect litigation. Which, of course, few have the wherewithal to engage in.

Where there's been the opportunity to circumscribe what can be done with others' personal data, the opportunity has largely been squandered in a morass of provisions that are vague and often consent-centric, where consent is required at all. 

Even the requirement of consent, though it finds mention in the Data Protection Bill, may be inadequate. The definition of data processing is, for example, effectively all encompassing and the requirement that consent be "specific" for data to be processed is geared to specifying the aim of processing in the case of personal data. Although specificity additionally contemplates operational specificity in the case of sensitive personal data, given that the two categories of data are relatively fluid, it isn't obvious that the specificity requirement in relation to consent would be enough to protect individuals. 

There appears to be an emphasis on accountability which is arguably betrayed by the contemplation of "privacy by design" in the Bill. However, accountability mechanisms may not be appropriate or adequate simply because restorative justice isn't a certainty: if wrongful disclosure leaves one ostracised or dead (as is possible in a hierarchical, often-violent society) there's no undoing damage.

Privacy, by design or otherwise, may mean next to nothing without suitable pre-breach protection. Accountability mechanisms may be adequate if one's focus is the market and one limits oneself to addressing the annoyance caused by a pop-up. It is entirely inadequate in many other circumstances.

Compounding concerns is the fact that the #DataProtection Bill is consent-centric & there is also the worry that those who wrongfully disclose data could escape accountability on the technicality of having "consent" (if they do) which, of course, is easily obtained in the real world.

Consent centricity expects techno-legal savvy which most lack & is a concern. It isn't at all clear why a consent-centric model has been adopted instead of a rights-focused one in which what should ideally be inalienable rights cannot possibly be waived by contract. 

A rights-focused model would also have ameliorated concerns about data processing without consent. Not all data processing without consent is immediately bad (eg to enforce court orders) but, bereft of a viable rights-based approach (eg explicitly limiting processing to what's essential for the purpose), it's susceptible to misuse. And that is obviously problematic.

Even if the Data Protection Bill is passed sans amends, there remains the opportunity to refine & improve it via subordinate legislation. That's not an ideal solution but it's better than nothing.

That said, given the gravity of existing concerns, one can only hope that the Bill's revised.

(Edited & cross-posted from Twitter; updated on 29 July 2018.)

25 July 2018

[Links] Trafficking and Free Speech

The well-intentioned Indian anti-trafficking bill isn't flawless.

Swaraj Barooah and Gurshabad Grover explain how it could impinge on free speech and lead to censorship.

And the raid/rescue model unrestrained could resurrect a form of indentured labour, one of capitalism's & colonialism's worst excesses as I've argued.

One can only hope the amendment is revised before it is passed.

Indian challenges to the law's patriarchal structure, not yet totally successful, have resulted in statutory confusion. This, I'd expect, impacts some trafficking & some sex work too. After all, sexual offence law isn't clear about whether it's based on consent or dominion.

Some years ago, there was a fracas about online ads for escort services. It was impossible to tell who'd posted the ads: sex workers acting of their own volition or pimps trafficking them. Consequently, it was also impossible to opine on their legality where they were not prima facie obscene or in furtherance of an illegal objective. Ideally, the law should clarify such issues so that people acting legally cannot possibly be targeted except through an outright subversion of the law for which accountability can be demanded. Unfortunately, the law currently shows no sign of its willingness to issue what would be necessary clarifications in this regard.
