The Draft of Personal Data Protection Act 2018 (PDPA 2018) which is being discussed in the Parliament has one extremely important hurdle to be crossed. The hurdle is how to establish a relationship between the Data Principal and the Data Fiduciary in such a manner that the Consent is provided “Explicitly” in certain cases incorporating the several requirements of Informational Privacy such as how the personal data may be processed by the Data Fiduciary.
The GDPR called the person whose personal data is being discussed the “Data Subject” and the entity which determines how the data would be processed the “Data Controller”. Though the Data Controller was to take consent from the Data Subject, it is clear that it is the “Data Controller” who takes control of the Personal Data, and the Data Subject lives with the hope that the Data Controller will fulfill the obligations that he has contractually agreed to in the letter of consent.
Some legislations prefer to consider “Data” as a “Property” and “Personal Data” as the property of the person who is identifiable in the set of the subject data. By considering data as “property”, the property owner’s right can be recognized as owning a property which can be sold or assigned to the Data Controller (Data Buyer?).
But the Srikrishna Panel preferred to steer clear of both the approaches, namely “Data as a Right that can be transferred by a consent contract” and “Data” as “Property”. It preferred to call the Data Subject the “Data Principal” and the Data Controller a “Data Fiduciary”. The reason that Justice Srikrishna provided for this departure was very innovative. He felt that by recognizing the role of the Data Controller as a “Data Fiduciary”, we are imputing a certain set of expectations on the Fiduciary which is beyond what can be expressed in a Consent contract. Hence, with or without a “Contractual Binding” created by a “Consent Form”, the Fiduciary is bound to protect the “Privacy Right” of the individual.
“Privacy” being a “State of Mind”, it is difficult to define. Protecting the Privacy Right by writing down a few lines in a Consent form would therefore not suffice. The Data undergoes a metamorphosis after it is delivered to the Fiduciary, and the Consent is signed when neither the Data Subject nor the Data Controller is aware of the potential of the data as it undergoes processing.
This dynamic nature of data, and the possible discovery of value after the handover of data by the data subject, makes the Consent meaningless as a contract, since at the time of signing of the Consent, there would be lack of acceptance of the “Facts” surrounding the object called “Personal Data” which is being handed over.
Hence the Consent fails the definition of “Contract” as defined in the Indian Contract Act. At the same time, the Supreme Court in its Aadhaar judgement has held that at least a private company cannot contractually obtain a consent to collect sensitive personal data using a consent contract.
Hence accepting “Consent” as a “Contract” appears untenable both under the Contract Act and because of the Supreme Court verdict on Aadhaar.
Had PDPA 2018 adopted the GDPR definition of Data transfer from the Data Subject to the Data Controller as a contractual agreement called “Consent”, then we would have reached a legal dead end in passing the PDPA 2018.
It was a blessing in disguise that the Srikrishna Committee decided to adopt a “Fiduciary” concept for the Data Subject-Data Controller relationship.
While this has resolved the problem of “Consent Contract” being considered void, it has however created another problem.
The “Fiduciary” relationship pre-supposes the existence of a “Trustee-beneficiary Relationship” between the Data Fiduciary and the Data Principal.
If we consider that “Consent” is a written representation of what the “Fiduciary Relationship” implies, then the “Consent” has to pass the test of being a “Trust deed”.
In the electronic world, a trust deed suffers from two deficiencies, namely lack of “Stamp duty payment” and lack of recognition under the Information Technology Act by virtue of Section 1(4).
We therefore end up with a situation where the Consent Contract is neither recognized under the Contract Act nor the Trust Act.
Solution is to create a new Instrument
There is no need to get disheartened by the failure of the Contract Act and the Trust Act to solve our problem of getting a legally recognized instrument that can validate an electronic consent. There are at least two ways by which this problem can be resolved.
The first is to amend Section 1(4) by providing an exemption for the Data Fiduciary Creation instrument under PDPA 2018 and also provide exemption for the instrument from the Stamp Duty.
The second is to define the “Data Fiduciary Creation Instrument” as a new type of electronic document that is neither a Contract under the Contract Act nor a Trust deed under the Trust Act. If this definition is included in PDPA 2018, there will be no need to amend either the ITA 2000 or the Stamp Duty Act.
Consent in a Privacy context is required to be an “Informed Consent” where the data principal is informed of his rights and also the details of processing etc., as per law. But in practice, it is difficult to make the Consent include all the details that may be required under law, and even if they are included, “Consent fatigue” will ensure that the data principal does not take the trouble of understanding the details.
Hence the “Fiduciary creation instrument” will superimpose the duties imposed by the PDPA 2018 on the data fiduciary in addition to the written provisions of the Consent.
Let’s hope that this innovative approach is taken to ensure that “Consent” in electronic form would be considered as an instrument of creation of the fiduciary relationship.