FREE CONSENT IN E-CONTRACTS: CYBERSPACE REALITY OR FALLACY
ABSTRACT
In the tech-savvy era, it is mandatory to update the legal arena with the possible applications of digital advancements and to increase the pace of relevant legislation to withhold the pressure of digital innovations. Online contracts often tend to exploit users by gaining their consent unilaterally without giving an option to exit. Such agreements cannot be invalidated due to the legal vacuum in the present legal system and, it is high time to revamp the law relating to online contracts. Thus it is pertinent to verify the nature of consent obtained in an e-contract and also to test the degree of freedom enjoyed by the user while entering into the contract.
This article focuses on the issues arising in online contracts and the circumventing processes employed by the evaders to falsify the related liability arising from such contracts. The process by which the consent required for the contract is obtained from the users and associated privacy issues are deeply analysed.
With this aim and background, the researcher through this research paper aims to analyze the consequences of an online contracts and the effect of free consent in determining its validity.
FREE CONSENT IN E-CONTRACTS: CYBERSPACE REALITY OR FALLACY
INTRODUCTION
“We use consent theory not as a map, not realizing that like any other map it’s simpler than reality, but as a set of blinders or rose-colored glasses that make the world look clearer, less problematic, than it really is .”
Consent plays a dominant role in the formation of contracts because it is considered as the driving force behind the purpose of establishing a contract. It helps in maintaining and protecting an individual autonomy. Consent has a morally enforceable value since it justifies the conduct of the consented person and prevents him from avoiding the liability.
Consent can be effectuated by giving notice and establishing one’s choice with regard to the terms of agreement. Thus many online contracts seek to inform the terms of contract via notice and makes the person to consent by the click-in option. But such technologies were misused by the companies to reduce the time thereby reducing the quality of consent. Completing the online transaction by providing privacy notice is considered as feasible mode in establishing the intention to create a contract. But such privacy notices lack sufficient expertise in assessing the consequences of the contract agreed upon.
The following deteriorates the value of consent in the emerging digital era:
* Technological advancements cannot be updated by the party to the contract all the time and, such lack of awareness hinders such person from expecting the consequences of the contract.
* Unwarranted usage of information provided for the contract may be shared with the third party thereby harming the concerned individual.
* Express consent of the individual is mandatory for the validity of the contracts.
Many contracts lack bargaining power between the parties because such contracts are basically “contracts of adhesion” , where the terms of the notice only provide a “take it or leave it option”. This form of contract blocks the opportunity of the parties to negotiate upon the terms of service.
The Indian Contract Act by defining the term Contract merely states that a Contract is an agreement enforceable by law. The 1872 Act, has not been amended yet to specifically include the procedure regarding the enforcement of the e-contracts or Click-wrap Agreements. Though Indian judicial forums have accepted the validity of electronic contracts it cannot be considered as a blanket acceptance. Indian courts are suggesting various principles to govern the principles of the e-contract, the bargaining powers of the contracting parties and the terms of the contract to decide its validity. Jurisdictional issues in online contracts are hindering the growth of judicial pronouncements in the field of e-contracts. The basic credentials of a contract are affected by the nature of an online contract. For example, free consent given in an online contract cannot be substantially tested without any legal standard procedure. This is the consequence of an unbalanced nature in the bargaining capacity of the parties.
In the Indian Contract Act, the definition of Consent is given in Section 13, which states that “it is when two or more persons agree upon the same thing and in the same sense”. Thus when two parties involved in an E-contract becomes bound by the contract when the offer concurs with the required acceptance. The entry of smart contracts into legal system cannot be an excuse to circumvent the law, similar to simulating an inexistent operations or evading from tax payment obligations.
This article aims to analyze consent as an essential element in any online contracts. The Information Technology Act 2000(hereinafter referred to as the IT Act), which came into force in October 2000 does not have any specific provisions for regulating online contracts. It does not prescribe any procedure to guard the personal information of parties involved in an online contract. The IT Act, 2000, deals with substantive law and thus a procedural law is required to govern any e-platform. The Indian Evidence Act though provides various procedural safeguards it is still considered inadequate in the emerging legal era. The above-mentioned legislation paved the way for the introduction of the IT bill, 2006 which later provided for the enactment of IT (Amendment) Act, 2008. The IT (amendment) act, 2008 introduced section 43 A in the IT Act which later provided powers to the central government to legislate Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 under the power entrusted in sec 87(2)(ob) read with the former provision mentioned above. The Department of Information Technology notified Information Technology the 2011 Rules on April 11, 2011, vide notification no. G.S.R.313(E), which provided guidelines for data protection. Rule 5 enlists duties which a Body Corporate needs to follow while collecting the data as follows:
Obtain consent from the person(s) providing information in writing or by Fax or by e-mail before collecting such sensitive personal data.
Later a press note dated on August 24, 2011 issued by the Ministry of Communication and Information Technology, it was clarified that consent includes consent given by any mode of electronic communication. The following conditions were enlisted under 2011 Rules to ensure adequate protection for collected information:
* Consent requirement
* Lawful purpose
* Purpose limitation
* Subsequent withdrawal of consent
The 2011 Rules ensures that the prior consent of the concerned individual is essential for disclosing his information with a third party. Thus the procedure related to the processing of data is founded on the principle of consent of the concerned individual. A common procedure cannot be made to monitor the process of obtaining consent, and this entails a piece of strong machinery to monitor the entire process of obtaining consent. With the entry of online contracts the space for direct communication between the user and the website visited has drastically reduced. Nowadays merely clicking the icon of consent is deemed as the genuine process of obtaining consent.
Since there is no specific legislation to regulate online contracts, it becomes very difficult to challenge online contracts on technical grounds. Even though the IT Act, 2000, dedicates certain provisions to test the validity of such contracts, still it is deemed insufficient.
ENFORCEMENT OF CLICK WRAP AGREEMENTS
This variant of the agreement is executed by making the user to click the “click ok” or “I agree” button thereby obtaining his consent. The terms and conditions of such agreements entitled ‘end person settlement’ governs the licensed usage of software program which comes into effect as soon as the user clicks the abovementioned button. The click-through procedure followed in E-contracts is generally considered as the legitimate way of obtaining consent. The autonomy of an individual when deciding the process of sharing his personal information forms the very basis of the principle of informed consent under law related to privacy. The process normally involves signing in a document entitled privacy notice or otherwise agreed by the user.
The privacy notice normally includes the risks and benefits of the user and thereby guiding the user to make the prudent choice. The terms of the agreement also ensure the binding nature of the contract thereby invoking clauses to make the parties legally oblige the contract.
Conveyance – the user needs to be specifically informed about the terms of service. Thus, by merely incorporating a link without specifically intimating the user amounts to failure on the part of the website from fulfilling its obligations. But if the user continues to use the website even after specific intimation would be considered as acceptance of the contract by the user.
* Variation- Without the prior permission of the user, no changes could be made in the end-user agreement.
* Fresh consent- Necessary permission from the user with regard to the newly made modifications inserted in the agreement needs to be obtained without fail. Absence of negotiation in e-contracts cannot make a user to forcibly sign a contract since there is always an option for the user to choose between “take it” or “leave it”.
The Supreme Court in the case of LIC India vs. Consumer Education and Research Centre held that “In dotted line contracts there would be no occasion for a weaker party to bargain as to assume to have equal bargaining power. He has either to accept or leave the service or goods in terms of the dotted line contract. His option would be either to accept the unreasonable or unfair terms or forgo the service forever.”
BROWSE-WRAP CONTRACTS AND ITS VALIDITY
It is an alternative form of contract used when the click-wrap contracts fail to invite the attention of the user of the website. In this form of contract, the user need not indicate his consent even before accessing a website. It invites the user’s attraction by providing icons on the webpage. Involvement of e-agents has challenged the nature of consent requirements in electronic contracts. It is time to answer the question about whether the consensus ad idem between the user and e-agents satisfies the requirements of a contract.
As observed in the case of Scriven Bros & Co v Hindley that the ‘will theory’ proposed by theorists such as Pothier or Von Savigny enunciating that consensus ad idem – ‘a meeting of the minds’ is required for the contract to be formed. The definition of consensus ad idem in a smart contract can be analysed only by reviewing the definition of a smart contract. The Smart contract is a sort of computer code which is operated by a computer and is self-executing and self-enforcing.
The validity of Click-wrap agreements initially discussed in 1998 in the famous case of Hotmail Corporation v. Van Money Pie Inc, wherein the court for northern district of California impliedly upheld the validity of such licenses by ruling that "the defendant is bound by the terms of the license as he clicked on the box containing "I agree" thereby indicating his assent to be bound"
American Legislators have recognized the validity of mass market licenses like Click-wrap and Shrink-wrap by proposing Article 2B of the Universal Commercial Code which is now replaced by National Conference of Commissioners on Uniform State Laws with the Uniform Computer Information Transaction Act (UCITA) which was passed by the majority of the states of America on the 29th of July 1999.
Sec 209 of the UCITA states that ‘the terms and conditions of the mass-market licenses can only be effectively adopted if the other party agrees to the license by manifesting his or her assent before or during the party’s initial performance or use and access of the information’.
Sec 112 of the same deals with how assent can be manifested .It clearly lays down that a person can manifest assent to a record or a term by his conduct if he intentionally engages in such conduct with reasons to know that such behavior will be construed by the other party or his electronic agent to be a form of assent. But all this will only hold good if the terms and condition are within the knowledge of the party assenting and that he has the chance to review the same. It is lucid that under Click-wrap license, the user by reading the terms of the agreement and by clicking the "I agree" button he is deemed giving his assent to the contract. This can be understood by reading Sec 209 and 112.
UNICITRAL Model Law on Electronic Commerce (1996) under Sec. 11 guarantees statutory recognition to the Click-wrap licenses. The section mentions that an offer and acceptance can be validly expressed by data messages which include information generated, sent, received or stored by electronic, optical or similar means including, but not limited to, electronic data interchange (EDI), electronic mail, telegram, telex or telecopy.
In India under Section 11 of The Information Technology Act, 2000 the legislators accept an offer by way of data message either by himself or by any electronic system programmed for that specific purpose but is silent as regards mode of assent or acceptance of the same. The above-listed section includes click-wrap contracts can be understood from its bare text provided below:
11. Attribution of electronic records.-An electronic record shall be attributed to the originator,-
(a) if it was sent by the originator himself;
(b) by a person who had the authority to act on behalf of the originator in respect of that electronic record; or
(c) by an information system programmed by or on behalf of the originator to operate automatically.
Thus with regard to the essentials of offer and acceptance in click wrap contracts it is legally enforceable in India.
CONTRACTUAL CAPACITY OF PARTIES UNDER SHRINK-WRAP AGREEMENTS
In the case of ProCd, Inc v. Zeidenburg involving shrink wrap contracts it was held "that the very fact that purchaser after reading the terms of the license featured outside the wrap license opens the cover coupled with the fact that he accepts the whole terms of the license that appears on the screen by a key stroke, constitutes an acceptance of the terms by conduct.
Under the Shrink-wrap licenses on software, the very conduct of the purchaser of software by tearing the wrap and using the CD after reading the terms and condition expresses his or her assent to the terms. This makes the Shrink-wrap agreements valid and enforceable contracts. In the case of LAN Systems Inc. vs. Net scout Service Legal Corporation , the court held that the click wrap agreements were and enforceable by clicking on ‘I agree’ and LAN had consented to the terms. The ‘Click-Wrap’ acceptances of offers or agreement were not invalidated by the earlier purchase order agreement between the parties.
The Supreme Court of India held that if the terms of a Contract had been discussed over the email, such emails constituted to be a valid contract and hence were enforceable. Here the Supreme Court recognised the validity of electronic contracts even if they were not electronically signed and registered .
The Supreme Court commented on the scope of its intrusion in a contract where the parties to the contract had unequal bargaining power. The Court held that when a contract is of such a nature that it can be stated to be an Adhesion Contract and further when the parties to the contracts do not have equal bargaining power then in the light of Article 14 of the Constitution of India (guaranteeing equal protection of law to its citizens) the Supreme Court shall strike an unfair or unreasonable contract .
DISCREPANCIES IN FREE CONSENT GIVEN BY THE PARTIES IN E-CONTRACT
A valid contract must entail that the parties are entering into the contract with their free consent. But in an online contract, the consent is often vitiated by three elements, namely:
(1) Fraud
(2) Misrepresentation and
(3) Mistake.
Holding a presumption in law that the parties to an online contract have consented to bind themselves by the terms and conditions is desirable. But the application of such presumption in law might defeat the advantage which one can derive in an online transaction under the camouflage of mistake.
The flaws in a contract can undermine privacy which is the cornerstone in sharing information in an online transaction. The definition by the late Alan Westin, former Professor of Public Law & Government Emeritus, Columbia University , which enshrines privacy as "the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to other". .
Paul Schwarz, the Jefferson E. Peyser Professor at UC Berkeley School of Law and a Director of the Berkeley Center for Law and Technology, called the FIPP Fair Information Practice Principles (FIPP) from the United States as the building blocks of modern information privacy law. These principles initially embedded in a report called 'Records, Computers and Rights of Citizens' framed by an Advisory Committee appointed by the US Department of Health, Education and Welfare in 1973 during the reign of increasing automation in data systems involving information about individuals. The Committee's mandate was to "explore the impact of computers on record keeping about individuals and, in addition, to inquire into, and make recommendations regarding, the use of the Social Security number."
The five essential principles have democratized the privacy law involving data protection and increased the role of such principles in the data protection regime internationally with its usage in the OECD Privacy Guidelines, the EU Data Protection Principles, the FTC Privacy Principles, APEC Framework or the nine National Privacy Principles articulated by the Justice A P Shah Committee Report which are reflected in the Privacy Bill, 2014 in India.
The principles recommended to ensure protection are as follows:
* Notice/Awareness
* Choice/Consent
* Access/Participation
* Integrity/Security
* Enforcement/Redress
In the words of Fred Cate, the C. Ben Dutton Professor of Law at the Indiana University Maurer School of Law:
"All of these data protection instruments reflect the same approach: tell individuals what data you wish to collect or use, give them a choice, grant them access, secure those data with appropriate technologies and procedures, and be subject to third-party enforcement if you fail to comply with these requirements or individuals' expressed preferences" .
The above mentioned measures seeks to ensure that consent is informed and free and thereby also to implement an acceptable tradeoff between privacy and competing concerns. Consent mechanism initially questioned for determining data quality has later emerged as a separate regime for validating the electronic contracts. The workability of consent mechanism under the protective cover of privacy forming its benchmark has enlarged due to the emergence of Big Data and the Internet of Things. The consent mechanism in an electronic contract needs to overcome the following hardships. The limited collection from secondary users, under the minimisation principle, has not been followed and thus the following issues arise:
1. Constraints in reading or accessing privacy notices
To avoid the problem of skipping the privacy notices it need to be made available in a language understood by the user. As per estimates, about 840 million people (11% of the world population) can speak or understand English. Due to non-availability of information a vernacular language and absence of up gradation in interfaces on mobile screens and wearables make the privacy notices extremely difficult to read.
The usage of the term 'privacy policy' leads people to make false assumption that if a company has a privacy policy in place, it automatically means presence of substantive and responsible limits on how data is handled. But many companies often misuse the privacy policy to extract information from the users under the false pretext. Joseph Turow, the Robert Lewis Shayon Professor of Communication at the Annenberg School for Communication, and his team for example has demonstrated how "when consumers see the term 'privacy policy,' they believe that their personal information will be protected in specific ways; in particular, they assume that a website that advertises a privacy policy will not share their personal information. "
2. Problems in grasping the real nature of privacy policies
FTC chairperson Edith Ramirez stated: "In my mind, the question is not whether consumers should be given a say over unexpected uses of their data; rather, the question is how to provide simplified notice and choice." The privacy policies are "long, complicated, full of jargon and change frequently."
Kent Walker list five problems that privacy notices typically suffer from –
a) overkill - long and repetitive text in small print,
b) irrelevance - describing situations of little concern to most consumers,
c) opacity - broad terms the reflect the truth that is impossible to track and control all the information collected and stored,
d)bnon-comparability - simplification required to achieve comparability will lead to compromising accuracy, and
e) inflexibility - failure to keep pace with new business models.
FTC Chairperson Timothy Muris summed up the problem with long privacy notices when he said, "Acres of trees died to produce a blizzard of barely comprehensible privacy notices." Margaret Jane Radin, the former Henry King Ransom Professor of Law Emerita at the University of Michigan, provides a good definition of free consent. Privacy Policy "involves a knowing understanding of what one is doing in a context in which it is actually possible for or to do otherwise, and an affirmative action in doing something, rather than a merely passive acquiescence in accepting something."
3. Restraints implicit in forecasting the consequences
Normally the web operations are assumed "invisible, managed at distant centers, from behind the scenes, by unmanned powers."
The principle of purpose limitation has served as a key component of data protection for decades. Purposes given for the processing of users' data should be given at the time of collection and consent and should be "specified, explicit and legitimate". Normally the consent obtained can be limited only for the primary purposes which ultimately motivated the data collector to gain the information in the first hand.
Robert Sloan and Richard Warner argue that it is impossible for a privacy notice to contain enough information to enable free consent. They argue that current data collection practices are highly complex and that these practices involve collection of information at one stage for one purpose and then retain, analyze, and distribute it for a variety of other purposes in unpredictable ways.
Helen Nissenbaum points to the ever changing nature of data flow and the cognitive challenges it poses. "Even if, for a given moment, a snapshot of the information flows could be grasped, the realm is in constant flux, with new firms entering the picture, new analytics, and new back end contracts forged: in other words, we are dealing with a recursive capacity that is indefinitely extensible ." The balancing wheel slides normally in favour of the data mining corporations since it would be easier for them to make use of the available technologies in the market.
Daniel Solove, the John Marshall Harlan Research Professor of Law at the George Washington University Law School, in his book, "The Digital Person" , calls it the aggregation effect. He argues that the ingenuity of the data mining techniques and the insights and predictions that could be made by it render any cost-benefit analysis that an individual could make ineffectual.
An individual when entering his personal information for the purpose of an electronic contract will be protected only if it is awarded with proper consent. The problem in the process of obtaining consent is due to the absence of any procedure, thereby allowing an individual to make an exit by refusing to provide the necessary permission.
"This binary choice is not what the privacy architects envisioned four decades ago when they imagined empowered individuals making informed decisions about the processing of their personal data. In practice, it certainly is not the optimal mechanism to ensure that either information privacy or the free flow of information is being protected."
Simon Davies, a privacy advocate based in London, comments on opting-out 'to do so could be seen as giving ground to the data vultures' , and risks further weakening an already dangerously fragile privacy framework. Since the focus of law architects confined to obtaining the consent by fair and ethical means, the necessity of scrutinizing the follow-up procedure on the data collected is often left out providing space for unwarranted usage.
Davies, for example cites the case of the EU Cookie Directive, which required websites to gain consent for the collection of cookies . Davies observes how, 'a proper audit and compliance element in the system could require the processing of even more data than the original unregulated web traffic. Even if it was possible for consumers to use some kind of gateway intermediary to manage the consent requests, the resulting data collection would be overwhelming''
The responsibility shouldered on the service providers by the US legislators involved in an online contract under the privacy law is thus made clear by enacting the Consumer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act, which requires the service providers to notify the users about the subscription, time period and sharing of information with third parties to ensure transparency of the transaction and to safeguard the privity of contract.
The Act also obliges the edge-providers to obtain express consent from users before using, disclosing or permitting access to any of the personal information collected. Thus the above liability on service providers based on user-centric model guarantees the users to refuse to grant permission for third-party usage. But there is flak in the above-mentioned legislation which provides the service providers to cancel the contract with the user who places restrictions on sharing of information with the third party.
Under the Electronic Signatures in Global and National Commerce Act, electronic records may be used to satisfy any law that requires that records be provided to consumers “in writing” only if the consumer has affirmatively consented to the use of the electronic records, and has not withdrawn consent (the “E-Sign Consumer Consent Process”).
Moreover, the consumer must consent electronically or provide consent electronically, in a manner that “reasonably demonstrates” that the consumer can access information in the electronic format that will be used to provide the information . Thus, any in-person transaction which concludes in a paper agreement to engage in business electronically should be followed up by an electronic confirmation and consent—which must occur before any information that is required to be provided “in writing” is delivered. What satisfies the requirement is subject to interpretation: One view is that the reasonable demonstration test is flexible and can be satisfied by a consumer’s e-mail confirming that the consumer can access the electronic records or a consumer’s acknowledgement or affirmative response to a provider’s query asking if the consumer has the necessary hardware and software. However, the more conservative view is that the consumer must demonstrate that they can access the information through an actual test using the electronic format in which the information will be delivered.
Thus the abovementioned enactments clearly signify the following
* Clear, voluntary consent between parties to use electronic records and signatures before conducting a transaction electronically.
* Although an express agreement is not strictly required—especially in business-to-business transactions—and an agreement may be implied or determined from relevant facts and circumstances, a standard contract written in legal prose could readily manifest parties’ intent to use smart contracts to govern their transaction and would limit potential ambiguity and the risk of an enforceability challenge.
* Consensus ad idem between the parties concludes the formation of a smart contract when there is a concurrence of the offer and acceptance of the clauses as agreed upon. Once settled, there cannot be a change of mind because the computer program is created to be self-enforceable.
But such smart contracts with its dependence on disruptive technologies may create the following problem:
The consequences of the self-enforcement and self-sufficient features of the smart contract cannot always be intended by a user since he is not made aware of such results. Thus his consent can be invalidated on the ground of motivated consent. For that, “it must refer to the substance of the thing that is the object of the contract, or on those conditions thereof that mainly gave reason to celebrate it” (art. 1266).
In the case of Alka Bose vs Parmatma Devi & Ors the court defines that an unilateral contract refers to a gratuitous promise where only party makes a promise without a return promise. Unilateral contract is explained thus:
"If A says to B, `If you walk across the Brooklyn Bridge I will pay you $ 100,' A has made a promise but has not asked B for a return promise. A has asked B to perform, not a commitment to perform. A has thus made an offer looking to a unilateral contract. B cannot accept this offer by promising to walk the bridge. B must accept, if at all, by performing the act. Because no return promise is requested, at no point is B bound to perform. If B does perform, a contract involving two parties is created, but the contract is classified as unilateral because only one party is ever under an obligation. "
In a unilateral contract, one party makes an offer, and the other party accepts it through its performance rather than through simply indicating consent. Such similar situations thereby make a smart contract to be construed as a unilateral contract offer. Identification of parties is another impediment in the contracts involving blockchain technologies. Unlike public blockchains, the parties can mutually identify under private blockchains since it is necessary for validating the consent. This is attained even at the time making entry into the webpage by restricting the access to the said webpage.
EVOLUTION OF DISRUPTIVE TECHNOLOGIES AND ITS IMPACT ON ONLINE CONTRACTS
Pseudonymous participations by parties in blockchain transactions would vitiate the contract. By referring the participation as pseudonymous it is considered that the data stored on the chain is not something related to the real-life identities but just a digital key pair. At the same time, it is not completely anonymous since it is possible to discover patterns that would link key pairs to digital identities. Thus, the identity of a participant could be confirmed off-chain by making the required alterations even while designing the block chains. Thus, to employ free consent it is necessary to employ the above requirements as a part of a smart contract itself.
A smart contract can specify the timeframe required for acceptance, otherwise it may be assumed to be open for acceptance indefinitely. Moreover, because content placed on a blockchain is immutable (at least as the technology stands at the moment), it is not currently possible to alter the terms of an offer once it has been placed on a blockchain. Accordingly, the contract is executed when the offeree accepts the terms set in the code by performing certain actions. The parties would need to negotiate off-chain or encode a new smart contract in order to change the terms or the outcome of an existing smart contract.
A smart contract need not always employ the technologies involving blockchain, but when using a smart contract with blockchain technology, the underlying algorithm in blockchain technology utilizes a consensus mechanism. Thus the disruptive technologies can be used to provide a remedy to the emerging problems.
The most prominent platform for smart contracts is the Ethereum blockchain and its native token, Ether, is a mining-based one, meaning that it is not possible to completely control entry-points in the world of smart contracts. Mere identification of parties does not provide any solution since it would be difficult to cull out the intentions of the parties due to the usage of programming language.
Encryption of codes during the process of handling the information would involve some unavoidable errors which cannot be rectified even by experts. Hence, it is practically impossible to conclude that the consent given under a contract is inclusive of all intended consequences. Smart contracts are similar to the terms and conditions of a standardised form of contracts in the sense that there are no fixed parties, but only a code that could be executed by anyone on the network. In other words, a general consent to trigger a process does not necessarily imply consent for each and every detail of the process involved. Thus it cannot be validated in the absence of specific national level legislation to govern the same.
Immutable nature of public blockchains makes it extremely difficult to modify what has already been registered on a blockchain. Immutability might be considered as an improvement for record-keeping. But the viability of enforcing an immutable contract would invite problems since contracts are amended according to the needs and conditions of the time. Ever since the formation of contracts consent is enjoying a privileged position in e-contract law and cyber tort. It forms the cornerstone in determining the liability of the parties in cases involving the breach of contracts.
E-Contracts are private agreements – a set of terms and conditions to which the parties have consented. Some have pointed out that the consent doctrine helps protect individual autonomy and freedom of contract, core values protected by contract law. Consent has served to justify the government’s choice of sides in a contractual relationship. The idea that contracting parties tacitly consent to default rules by their failure to contract around them fails to provide a basis for distinguishing contract from tort. Lack of knowledge of default rules, disproportionate transaction costs and inequalities of bargaining power prevent many contracting parties from routinely choosing contract terms. If, despite those constraints, persons engaging in contractual behavior can be said to consent to the legal consequences of that behavior, we can equally say that legal actors engaging in other types of voluntary conduct consent to the obligations arising from that behavior in the law of tort.
Most companies in India are mindful of the implications that their services could have on the privacy of their customers and, for that reason, try to obtain user consent before they use personal data. Almost every application that you download or service that you register for requires you to first agree to site-specific terms of service before signing up. “I accept", “I do" and “Yes"—powerful words denoting acceptance—are becoming increasingly commonplace in our digital lives. They greet us at the beginning of each new relationship we enter into and signify our acceptance of every change to these terms and conditions. These terms and conditions list the various things that the service provider can do with the data they collect from us, and form the basis for every action that data controllers take.
These contracts, however, are dense and complex, making it difficult, if not impossible, to effectively assess the implications of agreeing to their terms. This, combined with the sheer number of contracts we end up signing, leads to consent fatigue and consequently to diminished consent as it becomes impossible for us to truly understand the full extent of the implications of consent on our privacy.
Alok Prasanna Kumar, policy expert and research fellow at Vidhi Centre for Legal Policy in New Delhi said that one problem with the consent provided through Internet-based (click-wrap) agreements is that there is no obligation on the companies that collect this data to explain the implications of collection to the consumer.
“The consent given here, when examined under the law for consent as it stands today (under the Indian Contract Act, 1872) could be vitiated on grounds of misrepresentation or for being against public policy at large. Some click-wrap agreements are never freely consented to, because they are of a take-it-or-leave-it nature, imposing unfair obligations," said Kumar. This includes insisting that disputes will be decided by arbitration in some other jurisdiction.
ABSENCE OF NEXUS BETWEEN TECHNOLOGY AND LEGAL SYSTEM- FLEXIBILITY TRAP
The technology which makes this situation even worse is the fact that databases today are designed to be interoperable, allowing them to interface with other datasets using application programming interfaces (APIs). Most privacy policies that we accept include provisions relating to such interchanges of personal data. If it was difficult to assess the impact of modern privacy policies on direct data collection and use, trying to assess the impact of interconnected datasets, where the insights gleaned are often unpredictable, is virtually impossible.
The International Association of Privacy Professionals (IAPP), does “not believe that consent is the best or only way to empower individuals in this day and age" .
First, IAPP believes that consent has become “overused" and “over-relied" in practice. It points out that privacy policies and notices are too numerous, long and complex to result in valid consent. The solution, IAPP believes, will not simply be in developing shorter and better privacy policies in order to obtain more valid consent.
Second, IAPP notes that the context makes it impossible to obtain valid individual consent, such as where there is no direct interaction with individuals or individuals may not have a relationship with organizations that may touch their data in the context of an ecosystem of mobile devices and the Internet of things (IoT). Machine learning systems and artificial intelligence tools do not need explicit programming and can teach themselves from mountains of data. IoT is about billions of devices communicating and sharing data with each other over a network, primarily the Internet.
The context, IAAP points out, makes consent inappropriate, such as in fraud prevention or information systems and network security, where seeking consent would prejudice the very purpose of processing.
According to a May 2016 paper by the Policy and Research Group of the Office of the Privacy Commissioner of Canada, the consent model of personal information protection was conceived at a time when transactions had clearly defined moments at which information was exchanged. Individuals generally knew the identity of the organizations they were dealing with, the information being collected, and how the information would be used.
“Today, with cloud computing, big data and the Internet of things (IoT), the environment is radically different. Further, traditional point-to-point transfers of data are being replaced with data flows through distributed systems, making it difficult for individuals to know which organizations are processing their data and for what purposes," the paper notes.
After the case of Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Ors. , the judiciary has indeed promoted various platforms for ensuring privacy. Pranesh Prakash, policy director at the Centre for Internet and Society, a Bengaluru-based think tank, says a serious debate is needed on “informed consent", given that in reality, people don’t understand the complex ways in which information intermediaries use consumers’ data.
At the same time, the government has appointed a committee under the chairmanship of retired Supreme Court judge B.N. Srikrishna to formulate a data protection law for the country. Against this backdrop, a new discussion paper from the Takshashila Institute has proposed a model of privacy particularly suited for a data-intense world which are deliberated below:
* Reducing information asymmetry between the various stakeholders in the data ecosystem by creating clear reporting and compliance frameworks;
* Ensuring that the data collecting/processing entity continues to remain accountable and does not use the user’s consent as a shield against abiding by the law;
* Creating and empowering “Learned Intermediaries”, or independent professional data auditors, to conduct periodic checks on the data controllers and ensure that their processes are secure and transparent; and
* Crystallising the data rights that every individual is entitled to, and outlining harms that could arise from an abuse of these rights.
The OECD Privacy Guidelines have long recognized that consent is not the sine qua non of data processing. The “collection limitation principle”, for example, states that “data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject”. The nine principles set out by the Justice AP Shah Committee are as follows :
* Principle 1: Notice;
* Principle 2: Choice and Consent;
* Principle 3: Collection Limitation;
* Principle 4: Purpose Limitation;
* Principle 5: Access and Correction;
* Principle 6: Disclosure of Information;
* Principle 7: Security;
* Principle 8: Openness;
* Principle 9: Accountability
The relevant principles which determines the quality of consent in online contracts are as follows:
Principle 2: Choice and Consent
* Principle: A data controller shall give individuals choices (opt-in/opt-out) with regard to providing their personal information, and take individual consent only after providing notice of its information practices. Only after consent has been taken will the data controller collect, process, use, or disclose such information to third parties, except in the case of authorized agencies. The data subject shall, at any time while availing the services or otherwise, also have an option to withdraw his/her consent given earlier to the data controller. In exceptional cases, where it is not possible to provide the service with choice and consent, then choice and consent should not be required. When provision of information is mandated by law, it should be in compliance with all other National Privacy Principles. Information collected on a mandatory basis should be anonymized within a reasonable timeframe if published in public databases. As long as the additional transactions are performed within the purpose limitation, fresh consent will not be required.
* Rationale: The choice and informed consent principle empowers the individual to readily approve and authorise collection and usage of personal information for defined purposes. The principle ensures that data controllers provide simple choices to data subjects that allow them to make informed decisions about the extent to which they would like to share their personal information, prior to collecting that information. When individuals are mandated by law to share information, the principle ensures that this is done in accordance with the other National Privacy Principles, and that the information, if shared in public databases, is not retained in an identifiable form longer than is necessary.
Data subjects are ‘forced’ to give their consent without being given any meaningful choices – they are denied services if they do not agree with the privacy terms and conditions of the organisation.
* Implicit consent is taken from data subjects without their full understanding of privacy implications.
* In an online environment, the way mechanisms to provide choices are positioned, it becomes difficult for the data subjects to locate and exercise their choice. Practical difficulties in consent withdrawal and choice limitation once the information has been shared exist.
* From a business perspective, it may be irrelevant, and operationally difficult to provide choices and / or take consent in every type of service it offers. Many services the organisation offers may not be required to provide choice and / or take consent.
From a data subject perspective, data subjects may not like to be offered choices or provide consent for every transaction as it may adversely impact their user experience when dealing with organisations.
* From an Indian context, integration of illiterate and poor residents in the overall privacy design especially in the implementation of user centric principles is a major challenge.
Principle 3: Collection Limitation
* Principle: A data controller shall only collect personal information from data subjects as is necessary for the purposes identified for such collection, regarding which notice has been provided and consent of the individual taken. Such collection shall be through lawful and fair means.
* Rationale: The collection limitation principle ensures that data controllers only collect personal information that is necessary for achieving the stated objective, and that all collection is lawful and fair. This reduces the probability of misuse of individuals’ personal information.
Principle 4: Purpose Limitation
* Principle: Personal data collected and processed by data controllers should be adequate and relevant to the purposes for which they are processed. A data controller shall collect, process, disclose, make available, or otherwise use personal information only for the purposes as stated in the notice after taking consent of individuals. If there is a change of purpose, this must be notified to the individual. After personal information has been used in accordance with the identified purpose it should be destroyed as per the identified procedures. Data retention mandates by the government should be in compliance with the National Privacy Principles.
* Rationale: The purpose limitation principle ensures that personal information is used only in compliance with the National Privacy Principles and only for intended and agreed purposes. The principle also ensures that personal information is retained by the data controller only as long as is necessary to fulfill the stated purposes, and is destroyed in accordance with identified procedures when it is no longer required.
CONCLUSION
Consent plays a very prominent role in determining the validity of a contract. This is true because consent is the expression of individual self-autonomy and there are some irregularities in our legislation from making the granted consent to be effective.
Arthur Leff in his work contends that “consumer contracts (of which online contracts are a manifestation) share no significant similarities with contracts per se- only one party sets the terms, with no opportunity for the other party to negotiate such terms; further, there is no bargain, agreement, dicker, process, mutability, becoming which are standard features of contracts. These contracts of adhesion are not based on informed consent or mutual common understanding”.
He also suggests online contracts need not be differentiated from ordinary contracts as it would provide room for false excuses. This would be in keeping with the limitations of contract law, which regulates the process of contracting, rather than the product at the end of it. Since an online contract is essentially a piece of paper over which there is no bargaining or agreement but merely evidence of the same, it is akin to a product which is exchanged at the end of the contracting process. Seeing an online contract in this manner allows us a wider operating arsenal to regulate notice and choice, i.e., the regime of product liability. normally consent given to online contracts are not considered as free because the person whose consent is required is not free from encumbrances and is under compulsion to provide consent since he cannot renounce the process in mid-way to avail his necessity. So, free consent needs to be capable of being withdrawn at the time of entering into the contract. Such a possibility cannot be allowed for unilateral withdrawals by evading the obligations under the contract. If the performance of the contract is sought to be refused, any legal consequences resulting from actions already taken by the other party in pursuance of the contract would have to be borne by the party preventing or refusing such performance.
The standard form contracts on the internet are an example, which while legal, may not always be fair due to the slim likelihood of the consumers reading and understanding the terms. A self-certification by such entity that the contract is in line with the model contract, and that it undertakes to bear liability as that entails from such contracts will be a proper guiding pathway for the online contracts in future.