Structuring Privacy through Confidentiality Obligations

Privacy has, of course, assumed centre stage in recent years, with concerns about data and how to handle personal information becoming increasingly urgent. The Indian Supreme Court issued a decision in August 2017 which was unarguably in support of privacy, although it recognised that the right could not be absolute.

At the time, I'd written in a piece in Business Standard saying: "The Supreme Court has done more for Indians in its judgment on privacy which was released yesterday than many had the temerity to hope for. The nine judges who heard the case have developed a comprehensive jurisprudence of privacy for India through six largely-concurring judgments appended to each other (with one of them having been signed by four of the judges). They have effectively harmonised the law which had earlier been developed on a case-by-case basis by providing a doctrinal basis for it, and, critically, they have held, without a shadow of doubt, that privacy is a fundamental right."

The months since the judgment was rendered have seen the emergence of an increasingly polarised debate about privacy which has, unfortunately, been marked by widely-accepted suggestions in some quarters about the legitimacy of structuring privacy protections based on consent instead of on rights. What this, if it were ultimately accepted, means is that being able to protect one's privacy would, in large part, be dependent on one's ability to impose confidentiality obligations on others and on one's willingness to adhere to non-disclosure commitments oneself.

In other words, a consent-based model of privacy protection would require those within its remit to possess a basic degree of legal literacy which would enable them to understand the implications of non-disclosure agreements, at the very least. This poses problems in a country where basic literacy itself is far from universal but, amongst the literate, it is not unachievable.

The structure of non-disclosure agreements or NDAs is fairly simple. The information sought to be protected is clearly defined in terms of its nature and the period during which it is disclosed; information either not listed or not disclosed within the disclosure period is generally not subject to contractual confidentiality obligations. A separate confidentiality period is also defined, during which the receiving party is required to keep confidential information disclosed to it private. However, confidentiality obligations even during the confidentiality period are subject to agreed exclusions, such as allowing necessary disclosure to law enforcement, perhaps with notice to the disclosing party, and allowing disclosure to anyone of information which would otherwise have been confidential but which is demonstrably in the public domain, provided that it is not in the public domain as a result of the receiving party having breached its confidentiality obligations. Agreements also tend to contain either remedial or punitive provisions which are intended to come into play in case confidentiality obligations are breached; these provisions may involve monetary reparation, indemnification, or some other arrangement which the parties agree to.

Provided one doesn't fall foul of the 1872 Contract Act, Indian law allows parties a great deal of leeway to structure confidentiality obligations in a manner that makes sense to them. There are, however, a few statutes which recognise privacy as a right and which could be considered to impose supra-contractual statutory requirements on parties. For example, Section 23 of the 2017 Mental Healthcare Act begins by stating: “A person with mental illness shall have the right to confidentiality in respect of his mental health, mental healthcare, treatment and physical healthcare,” and then goes on to impose specific obligations on certain people.

The effect of statutory provisions such as those recognising the rights of people with mental healthcare concerns to confidentiality is that, in some cases, individuals are granted the option of choosing how to structure their privacy requirements within the framework of basic rights which they, hopefully, cannot simply sign away in toto. This helps level the field in cases where the power dynamic between parties is so skewed that “consent” becomes meaningless.

It is perhaps important that we inch towards developing a stronger framework which recognises limited choice within rights rather than one which could potentially legitimise unlimited choice despite rights. Ultimately, in a world rife with choice inhibition, we shouldn't be able to sign away, possibly by oversight, what should be inalienable rights.


Addendum (2022): Also see Draft Confidentiality Agreements