Abstract
E-contracts, which involve browse-wrap, shrink-wrap and click-wrap agreements[1], control the whole user-tech interaction. With respect to the standard nature of a contract[2], the e-commerce space gives higher bargaining power to the addressor than to the addressee. Today, when sharing information through technology has become faster and more efficient, the privacy of users is not given due importance, resulting in data-sharing propaganda by several social media platforms to affect the decision-making of their users. The benefits of this data sharing have had a polarizing effect, giving an undue advantage to the specific party using the data. This includes the 2016 US elections as well as the Facebook-Meta collaboration, which actively collects metadata[3]. The Indian Contract Act, 1872 (ICA 1872), the Information Technology Act, 2000 (IT Act) and the Indian Evidence Act, 1872 provide the present legal framework to administer an agreement as duly applicable or not applicable.
These acts, when read in conjunction with the newly legislated Digital Personal Data Protection Act, 2023 (DPDP 2023), fail to give consumers the right to choose correct data (fake data is the fastest-spreading data, according to political researchers (Allcott and Gentzkow 2017; Kennedy et al. 2018; Persil 2017)). This comes without any legal restrictions on these organizations. The right to give informed consent can easily be passed over, given the ease with which these agreements fail to acknowledge the dangers of data sharing by their users. Unethical sharing of data has become the onus of consumers (bound to give their consent after reading the contract), even though these Terms and Conditions can easily go unacknowledged and have restricted jurisdictional power.
This paper critically analyses the ICA 1872, the IT Act 2000 and the DPDP 2023 to highlight the limited power of consumers in protecting their data and to question the legality of the commercial use of personal data by businesses. In the end, it also addresses solutions that acknowledge the tech-savvy world of current times.
Background of data privacy contracts and breaches
The 2016 U.S. elections brought the intersection of data privacy and social media influence into the spotlight, with Facebook playing a central role. Facebook is one of the most widely followed social media platforms in the USA, among all age groups. According to research, journalistic coverage, surprise events, social media and fake news are all believed to have played a role in affecting the election results (Kübler, Pauwels, and Manke, 2020). Evidence shows that: 1) 62 percent of US adults get news on social media (Gottfried and Shearer 2016); 2) the most popular fake news stories were more widely shared on Facebook than the most popular mainstream news stories (Silverman 2016); 3) many people who see fake news stories report that they believe them (Silverman and Singer-Vine 2016); and 4) the most discussed fake news stories tended to favour Donald Trump over Hillary Clinton (Silverman 2016). On the research front, Cambridge Analytica, a political consulting firm, intentionally gained unauthorized access to data from 87 million Facebook users via a third-party app that was originally a personality quiz. It used this data to create psychological profiles of voters, allowing targeted political advertisements to influence their opinions and behaviour during the 2016 U.S. elections. The political advertisements ranged from several false allegations against Hillary Clinton to exaggerated comments on her email scandals (Kübler, Pauwels, and Manke, 2020). Her use of a private email system and server was considered to be against federal law. At the time, Facebook had lax data privacy protocols, enabling third-party apps to collect extensive user data without meaningful oversight. It initially downplayed the severity of these breaches, sparking criticism.
All these allegations led Facebook to create a more transparent Meta privacy policy, according to which Facebook is liable to collect all information related to the user's interaction with advertisements, the kinds of posts they share, the date and location from which users have shared, and how frequently they like specific kinds of posts as opposed to others (Facebook Meta Privacy Policy, 2024). The Facebook Meta Privacy Policy is an example of a browse-wrap agreement, where mere use of a specific product of the company automatically means the user has given his or her consent.
The spreading of fake advertisements based upon a personalized quiz, taken by Cambridge Analytica, can be compared to a form of contract, the click-wrap agreement, whereby the users were not clearly informed about the use of the data for political campaigns. The breach of the data privacy contract by Facebook in sharing the information with third parties points to the unjust 'right' (as consented to by the customer) of these organizations in not following those contracts for commercial gain. Such examples also include cyber-attacks and the use of data for consumer analysis by big fashion industries and quick-commerce apps like Blinkit, Zomato, etc.
In one of the biggest cyber-attacks in India, the Aadhaar details of 81.5 crore people were leaked. The hacker claimed to have extracted the information from the Covid-19 test details of citizens registered with the ICMR (Indian Council of Medical Research). In India, the only law that governs data privacy rights is the Digital Personal Data Protection Act, enacted in the year 2023. Article 4 clause 1 of the Act states clearly that “A person may process the personal data of a Data Principal (to whom the data concerns) only in accordance with the provisions of this Act and for a lawful purpose, (a) for which the Data Principal has given her consent; or (b) for certain legitimate uses.” Following this, it also mentions the consent which will be valid under article 5, which says, “Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary (the organization using the data, in this case Facebook for instance) to the Data Principal, informing her,—(i) the personal data and the purpose for which the same is proposed to be processed; (ii) the manner in which she may exercise her rights under this act; and (iii) the manner in which the Data Principal may make a complaint to the Board”. In the case of hacking, where there is no consent from the users or from the Government agency, ICMR, it is unclear under the provisions of this Act whether the onus of data protection should fall on the research organization or on the hacker. This is because of the breach by ICMR of its implied contract with the Covid-19 patients, who gave their trust when getting tested. The limitations of the DPDP Act with respect to the Indian Contract Act can be listed, since the jurisprudence of data privacy should be read along with the rules of the ICA, 1872.