By Gwyn Powers

 

 

As children, we all heard the saying, “don’t post anything on social media that you wouldn’t want your boss to see.”[1] We know that anything a person posts on Facebook, Twitter, or Instagram has the possibility to be seen by millions of people.[2] However, people make their social media accounts private to limit who can see their posts.[3] Even though a person’s social media post may be private, what privacy rights do employees have for their private social media posts?

Employees have two potential avenues of protection from employers monitoring their employees’ social media activities.[4] The first is a cause of action under a common law intrusion upon seclusion tort claim arguing that the employer intruded on the employee’s private affairs.[5] The plaintiff would have to prove that their employer (1) intentionally intruded on the employee’s solitude, seclusion, or private affairs and (2) that the intrusion would be highly offensive to a reasonable person.[6] Courts have held that if a person posts something on the internet without restricting access to the post, the individual does not have a claim to privacy for that post.[7] However, if an individual takes steps to control who can access their Facebook posts, then a court may find that the person had a reasonable expectation of privacy for their Facebook post.[8] Still, some states do not recognize a common law intrusion on seclusion cause of action but have a privacy statute.[9] For example, the Massachusetts Privacy Act creates a right against a serious interference of their privacy which primarily protects the dissemination of private information.[10] Additionally, some states like Virginia do not recognize an intrusion of seclusion tort claim.[11] Therefore, employees in Virginia would need to find protection for their private social media posts from another source.

The second potential source of protection for an employee’s private social media post is under the Stored Communications Act (SCA).[12] The SCA protects a person’s stored communications, such as a person’s email.[13] While a criminal statute, the SCA does create a civil cause of action.[14] The plaintiff would need to show that the defendant  “(1) intentionally accesses (2) a facility through which an electronic communication service is provided (3) without authorization or by exceed[ing] an authorization given and (4) thereby obtains . . . a wire or electronic communication (5) while that wire or electronic communication is in electronic storage.”[15] However, the SCA does not protect electronic communication that is “readily accessible to the general public.”[16] So, the plaintiff would need to show that their social media post was not accessible to the general public.[17]

Courts have held that posts made on private Facebook accounts, private online bulletin boards, and private websites may be protected under the SCA.[18] This is because the owners of the private sites took steps to control and limit access to their sites, which would make the information not readily accessible to the public.[19] However, courts are not likely to find SCA protections for posts made on private Facebook groups because the initial poster does not have control over who can be a member of the group and see their post.[20] Thus, the poster’s lack of control made the post “readily accessible to the public.”[21]

If an employer accesses an employee’s private social media post, the next step is determining whether the employer has authorization to access the employee’s post.[22] Courts have held that the employer violated the SCA if an employer did not have authorization to private posts and manages to access the private communication.[23] For example, in Pietrylo v. Hillstone, a group of employees created a private MySpace group to vent their problems with restaurant management.[24] A member of the MySpace group felt coerced by management to provide their MySpace login information so the management could access the employee group.[25] The court held that the coercion from the management did not have authorization to access the MySpace group.[26] Several state legislatures have passed statutes prohibiting employers from requiring their employees to provide their social media usernames and passwords.[27] However, these statutes do not prohibit employers from accessing social media posts that are publicly accessible.

In Ehling, the court stated that “[p]rivacy in social networking is an emerging but underdeveloped area of case law.”[28] As social media continues to be a constant part of our day-to-day life, courts must ensure that the law and protections do not fall too behind technology.

 

 

 

 

[1] Stephanie Smith, 11 Photos you should never post on social media, Business Insider (May 1, 2018, 5:24 PM), https://www.businessinsider.com/photos-you-should-never-ever-post-on-social-media-2018-5.

[2] Press Release, Meta, Reports Third Quarter 2022 Results (Oct. 26, 2022), https://investor.fb.com/investor-news/press-release-details/2022/Meta-Reports-Third-Quarter-2022-Results/default.aspx; Instagram Statistics and Trends, DataReportal, (Aug. 15, 2022), https://datareportal.com/essential-instagram-stats; Twitter Statistics and Trends, DataReportal, (Aug. 15, 2022), https://datareportal.com/essential-twitter-stats.

[3] 8 Reasons to Keep your Social Media Set to Private, Eset (Jun. 16, 2022), https://www.eset.com/uk/about/newsroom/blog/8-reasons-to-keep-your-social-media-set-to-private/.

[4] Marion G. Crain et al., Work Law: Cases and Materials, 407­—09 (4th ed. 2020).

[5] See Ehling v. Monmouth-Ocean Hosp. Serv. Corp., 872 F. Supp. 2d 369, 373 (D. N.J. 2012).

[6] Restatement (Second) of Torts § 652B (Am. L. Inst. 1977).

[7] Ehling, 872 F. Supp. 2d at 373.

[8] Id. at 374.

[9] Portnoy v. Insider, Inc., No. 22-10197-FDS, 2022 U.S. Dist. LEXIS 2020080, at *26 (D. Mass. 2022).

[10] Mass. Ann. Laws Ch. 214, § 1B (LexisNexis 2022).

[11] Cockrum v. Donald J. Trump for President, Inc., 365 F. Supp. 3d 652, 670 (E.D V.A. 2019).

[12] Marion G. Crain et al., Work Law: Cases and Materials, 407­—09 (4th ed. 2020).

[13] 18 U.S.C. § 2701.

[14] 18 U.S.C. § 2707.

[15] Backhaut v. Apple, Inc., 74 F. Supp. 3d 1033, 1041 (N.D. Cal. 2014).

[16] 18 U.S.C. § 2511(2)(g).

[17] See Davis v. HDR Inc., No. CV-21-01903, 2022 U.S. Dist. LEXIS 102949, at *10 (D. Ariz. 2022).

[18] Id.

[19] See id. at *11.

[20] Id. at *22—23.

[21] Id. at *11.

[22] Pietrylo v. Hillstone Rest. Group, No. 06-5754, 2009 U.S. Dist. LEXIS 88702, at *7 (D. N.J. 2009).

[23] Pietrylo, 2009 U.S. Dist. LEXIS 88702, at *8.

[24] Pietrylo v. Hillstone Rest. Group, No. 06-5754, 2008 U.S. Dist. LEXIS 108834, at *1—2 (D. N.J. 2008).

[25] Pietrylo, 2009 U.S. Dist. LEXIS 88702, at *8—9.

[26] Id. at *9.

[27] Va. Code Ann. § 40.1-28.7:5 (2021).

[28] Ehling, 872 F. Supp. 2d at 373.

 

Image Source: Photo Source: https://medium.datadriveninvestor.com/social-networking-harmless-media-or-privacy-intrusion-9b8e30402d5

By Dante Bosnic

 

 

After FTX filed for bankruptcy in the beginning of November, Samuel Bankman-Fried was finally arrested and extradited to the U.S. in late December.[1] In early January, Bankman-Fried appeared in federal court and pled not guilty to eight felony counts, including fraud, conspiracy, and money laundering.[2] If convicted, Bankman-Fried could face over 100 years in prison.[3]

Even worse for the once famed cryptocurrency star, according to a recent statement by the U.S. Attorney of the Southern District of New York, Damien Williams, Caroline Ellison, a former executive of Alameda Research, and Gary Wang, the co-founder of FTX, have agreed to cooperate with authorities to build a case against Bankman-Fried.[4] According to recent court documents, Ellison has agreed to provide investigators with key inside information, including handing over relevant documents, giving crucial eye-witness testimony, and fully disclosing the extent of her crimes as well as the crimes of other defendants.[5]

Along with going after Bankman-Fried, federal prosecutors are investigating an alleged cybercrime that drained more than $370 million out of FTX just hours after the cryptocurrency exchange filed for bankruptcy.[6] According to an individual who is familiar with the case but has been asked not to be identified, U.S. authorities have managed to seize some of the stolen funds. However, the frozen assets represent only a fraction of the $370 million.[7] In interviews before his arrest, Bankman-Fried indicated that the cyberattack may have been an inside job.[8] The conduct could amount to a charge in connection with computer fraud, which carries a maximum sentence of ten years in prison.[9] Regardless, the amount stolen is significantly less than the amount of money Bankman-Fried is accused of misusing while in charge of FTX.[10] According to authorities, Bankman-Fried, who is currently on bail in California, fraudulently raised $1.8 billion from investors and used FTX funds to wage high-risk bets at hedge fund Alameda Research to cover personal expenses.[11]

It also appears that individuals outside of FTX may be culpable as well. According to FTX’s lawyers, some of FTX’s immediate family aren’t cooperating with the investigation.[12] Bankman-Fried’s brother, mother, and father were his “advisors” and should be subpoenaed alongside former company executives.[13] FTX, known in bankruptcy proceedings as the Debtor, alleges that Gabriel Bankman-Fried, Sam Bankman-Fried’s brother, used his lobbying organization, Guarding Against Pandemics, to purchase a multi-million dollar property just a few blocks from the United States Capital.[14] Additionally, Fried’s political action committee, Mind the Gap, allegedly received donations from Sam Bankman-Fried and other FTX staffers. Furthermore, both parents resided in a $16.4 million [Bahamas] house titled in their names, despite understanding that the house was intended to be the company’s property.[15] In an emailed statement, Marissa McBride, Executive Director of Mind the Gap, told CoinDesk that “Sam Bankman-Fried contributed to some of the programs that Mind the Gap recommended to its network, but he did not make any direct contributions to Mind the Gap,” and that the group publicly discloses all contributions received to the Federal Election Commission. Finally, FTX and investigators are questioning Sam Bankman-Fried’s decision to send $400 million to an obscure cryptocurrency firm named Modulo Capital.[16] The young firm, which was founded in March and operated out of the same Bahamian compound where Mr. Bankman-Fried lived, had no track record or public profile.[17] According to the New York Times, prosecutors are investigating if Bankman Fried used FTX’s customers’ funds to invest in Modulo Capital, given that he is also accused of doing the same with Alameda Research.[18]

As it stands, Bankman-Fried has quite a lot on his plate. While the investigation continues, we most likely will not see or hear from him until his trial in October.[19] Depending on how the investigation goes, this could be a very long or short ten months for Samuel Bankman-Fried.

 

 

 

 

 

[1] See Travis Cartwright-Carroll, SBF Extradited, The Nassau Guardian (Dec. 22, 2022), https://thenassauguardian.com/sbf-extradited/.

[2] See Lauren Leffer, Sam Bankman-Fried Pleads ‘Not Guilty’ on All Counts, Gizmodo (Jan. 3, 2023), https://gizmodo.com/sbf-ftx-not-guilty-sam-bankman-fried-crypto-1849943902.

[3] Id.

[4] Mehron Rokhy, FTX Debacle: Two Top-Level Insiders Cooperating With Prosecutors in Criminal Case Against Sam Bankman-Fried, The Daily Hodl (Dec. 22, 2022), https://dailyhodl.com/2022/12/22/ftx-debacle-two-top-level-insiders-cooperating-with-prosecutors-in-criminal-case-against-sam-bankman-fried/.

[5] Id.

[6] Ava Benny-Morrison, U.S. Probes How $372 Million Vanished In Hack After FTX Bankruptcy, Bloomberg (Dec. 27, 2022), https://www.bloomberg.com/news/articles/2022-12-27/us-probes-how-372-million-vanished-in-hack-after-ftx-bankruptcy.

[7] See id.

[8] See id.

[9] Id.

[10] Benny-Morrison, supra note 6.

[11] See id.

[12] See id.

[13] Jack Schickler, Sam Bankman-Fried’s Mother and Brother Not Cooperating With Financial Probe, FTX Lawyers Say, Coindesk, (Jan. 26, 2023), https://www.coindesk.com/policy/2023/01/26/sam-bankman-frieds-mother-and-brother-not-cooperating-in-financial-probe-ftx-lawyers-say/.

[14] Id.

[15] Id.

[16] David Yaffe-Bellany, Matthew Goldstein, and Royston Jones Jr., The Unknown Hedge Fund That Got $400 Million From Sam Bankman-Fried, N.Y. Times (Jan. 24, 2023), https://www.nytimes.com/2023/01/24/business/ftx-sbf-modulo-capital.html.

[17] See id.

[18] See id.

[19] See Soumen Datta, SBF free on bail for 10 months until trial in October as he pleads not guilty, CryptoSlate (Jan. 3, 2023), https://cryptoslate.com/sbf-free-on-bail-for-10-months-until-trial-in-october-as-he-pleads-not-guilty/.

 

Image Source: https://abcnews.go.com/US/ftx-crypto-ceo-sam-bankman-fried-expected-plead/story?id=96107918

By Brianna Hughes

 

 

The harm from a breach of privacy can not only be potential fines, litigation costs, loss of trade secrets and reputational damage, a breach of privacy can also put the nation’s safety at risk.[1] An important tool to maintain privacy and secure confidential information is the technique of redaction.[2] Redaction is used to filter information out of documents to keep that information secret from unauthorized individuals.[3] In the past, redaction was performed manually by using a black marker to mark out the information or by cutting out the information with scissors.[4] These manual methods were costly and time-consuming.[5] As technology evolved, different digital techniques for redaction came to light, making it easier to filter out confidential information.[6] Many individuals, businesses, and governments rely on these digital techniques to keep their sensitive information confidential.[7] Though these digital techniques are easier, this does not mean that the redactions done are secure.[8]

Those who use digital redaction typically use PDF redaction tools.[9] This involves placing a black box over the sensitive information that is supposed to remove the information behind the box.[10] When this technique fails, it is usually because the text data remained in the document.[11] This allows an individual who would like to access the information to simply copy and paste the information behind the black box into a new word document, defeating the purpose of the redaction.[12] Some information can also be shown when converting a redacted document from Microsoft Word to PDF.[13] Additionally, the inclusion of enough details can allow individuals to decipher what the redactions were meant to be.[14] When these failures occur, information that was supposed to be unknown to the public could be exploited through the press.[15] Examples of this include the redacted court deposition of Ghislaine Maxwell, the partner of Jeffrey Epstein, being published after being deciphered by journalists.[16] The journalists were able to decipher many names that were redacted, many of those names being high-profile individuals.[17] Redaction failures do not only happen in court filings; anyone using digital redaction techniques can fall victim.[18] An unintentional exploitation of private information through the press occurred through the New York Times when they published redacted information that fell victim to the copy and paste method.[19] This redacted information revealed CIA operations and the name of a program’s target; this information is a matter of national security and was not intended to be known by the public.[20] There are multiple high-profile redaction failures that have exposed information that someone wanted to keep secret.[21]

Ineffective redaction can be detected before information is leaked; however, if it is not detected, that information sits available to all.[22] Researchers have built a tool called Edact-Ray to identify, break, and fix information leaks.[23] The program focuses on the size of the characters and their positioning; it then compares the size of the redaction with a predefined “dictionary” of words to estimate what has been replaced.[24] This software can eliminate 80,000 estimates per second. When it detects a vulnerable PDF redaction, it removes the underlying text from the PDF.[25] The inventors of this tool intend to release parts of this program to help identify non-excising redactions and help repair those redactions.[26] For those individuals and entities that intend to use digital redaction in the future and do not intend on using Edact-Ray, changing the content of the original document before redacting can be one way to avoid failure.[27] While redacting will never be proof, understanding that redaction is not as secure as one thinks will help avoid careless mistakes.[28]

 

 

 

 

 

[1] See e.g., Adam Pez, Digital Redaction Fails & Best Practices: How to Keep Your Sensitive Information Safe, Intralinks (Sept. 3, 2020), https://www.intralinks.com/blog/2020/09/digital-redaction-fails-best-practices-how-keep-your-sensitive-information-safe; Matt Burgess, Redacted Documents Are Not as Secure as You Think, wired (Nov. 25, 2022), https://www.wired.com/story/redact-pdf-online-privacy/.

[2] See Pez, supra note 1.

[3] Id.

[4] See Maxwell Bland, et al., Story Beyond the Eye: Glyph Positions Break PDF Text Redaction 1 (2022).

[5] See Pez, supra note 1.

[6] See Burgess, supra note 1.

[7] See id.

[8] See id.

[9] See Bland, supra note 4, at 1.

[10] Burgess, supra note 1.

[11] Lisa C. Wood & Marco J. Quina, Litigation Practice Notes from the Field the Perils of Electronic Filing and Transmission of Documents, 22 Antitrust ABA 91, 91 (2008).

[12] See Bland, supra note 4, at 2.

[13] See Judge Herbert B. Dixon Jr., Embarrassing Redaction Failures, 58 the judges journal 37, 38 (2019).

[14] See Burgess, supra note 1.

[15] See Wood, supra note 11, at 91.

[16] Burgess, supra note 1; Josh Levin, et al., We Cracked the Redactions in the Ghislaine Maxwell Deposition, slate (Oct. 22, 2020), https://slate.com/news-and-politics/2020/10/ghislaine-maxwell-deposition-redactions-epstein-how-to-crack.html.

[17] Levin, supra note 16.

[18] Id.

[19] See Dixon, supra note 13, at 39.

[20] Id.

[21] Burgess, supra note 1.

[22] Wood, supra note 11, at 92.

[23] Bland, supra note 4, at 2.

[24] Burgess, supra note 1.

[25] Id.

[26] Bland, supra note 4, at 18.

[27] Id. at 17.

[28] See Burgess, supra note 1.

 

 

Image Source: https://images.squarespace-cdn.com/content/v1/58090c87d1758ec5d1815f6f/1507577772082-FHNXIFFO7VSSSFCMEWOB/howto.PNG?format=1500w

By Manasi Singh

 

 

Reproductive rights have been a heavily controversial topic in the United States for several decades. In Dobbs v. Jackson Women’s Health Organization (2022), the Supreme Court overturned two past decisions: Roe vs. Wade (1973) and Planned Parenthood v. Casey (1992).[1] While these cases are broadly remembered for upholding the right to abortion, the intricacies of these cases are where we get into discussions about the definition of legal personhood regarding a fetus and the legal and ethical implications of that definition.

Prior to the Dobbs decision, abortion jurisprudence said that the state could not impose an undue burden on a woman’s right to an abortion before the fetus is viable, with the implication that states may restrict abortion access after viability.[2] This theory of viability was based in the Casey decision. While the Dobbs decision now makes it a mostly moot point, it does beg the question of how we define personhood as a general legal term, specifically in the context of fetuses.[3]

Medicine today is on the path toward ectogenesis, which is gestation that takes place entirely outside the body.[4] In other words, artificial wombs may become a realistic medical option in the near future. This type of technology would allow conception and fetal development to occur outside the human body. It would also allow for a fetus to be transferred from its womb into an artificial womb for the remainder of its gestation.[5] These possibilities would serve many benefits such as removing the need for a surrogate, drastically increasing survival chances for premature babies, and effectively eliminating the health and career risks that are most commonly associated with pregnancy.[6] However, these benefits should not distract from the variety of complex legal questions that this technology raises.

While there are several legal and ethical considerations, three encompass the conversation most broadly. This is not a comprehensive list by any means, but I believe the most likely legal issues to arise out of the development of artificial wombs include: (1) the balance of maternal, paternal, and state interests in the fetus, (2) the enforceability and validity of contracts regarding fetuses in artificial wombs, and (3) the creation of new liability concerns and the exacerbation of existing liability concerns with fetuses in artificial wombs. This list reveals an interesting phenomenon, which is that all these issues require assessing the value and autonomy of a fetus independent of its relationship to the physical body of a biological mother. This takes us back to our earlier conversation about the viability doctrine. This doctrine may not be a constitutional standard anymore. Still, discussions about viability will come into play again when we attempt to resolve some of these issues being brought by artificial womb technology.

 

 

 

[1] Dobbs v. Jackson Women’s Health Organization, 142 U.S. 2228, 2241 (2022).

[2] Planned Parenthood v. Casey, 112 U.S. 2791, 2804 (1992).

[3] Id. at 2807.

[4] Jessica H. Schultz, Development of Ectogenesis: How Will Artificial Wombs Affect the Legal Status of a Fetus or Embryo?, 84 Chicago-Kent L. Rev. 877, 878 (2009).

[5] Id. at 879.

[6] Seppe Segers, The Path Toward Ectogenesis: Looking Beyond the Technical Challenges, 22 BMC Medical Ethics 59, (2021), https://bmcmedethics.biomedcentral.com/articles/10.1186/s12910-021-00630-6#citeas.

 

Image Source: https://rewirenewsgroup.com/2012/02/23/what-do-artificial-wombs-mean-women/

 

By Bryce Yancey

 

 

Since 2018, a company called Fog Data Science has been procuring and selling private individuals’ data which allows private security companies and government agencies to track people without a warrant through its program called ‘Fog Reveal.’[1] Fog Reveal uses its technology to take cellphone location data that was originally collected by smartphone apps.[2] Each cell phone has an advertising ID that is comprised of a set numbers that are unique to the specific phone.[3] Fog Reveal uses smartphones’ GPS capability, which provides detailed location data that it collects from commercially available data brokers that wherever a smartphone goes and any time a user downloads an app or visits a website, a trail is created.[4]

This has become especially controversial since several of the Company’s clients include several government entities, including Virginia State Police.[5] Police have been able to use the technology to sweep an area to see which phones were in a particular location at a given time.[6] The technology has been used in several criminal investigations, including the murder of a nurse in Arkansas in 2018 and tracing participants from the January 6, 2021, attack on the capital.[7] However, the technology is rarely, if ever, mentioned in court documents.[8]

Fog Data Science has maintained that the data collected is anonymous and isn’t tied to individuals.[9] However, the true nature of Fog Reveal came to light when a digital privacy nonprofit called ‘Electronic Frontier Foundation’ publicized information through the Freedom of Information Act that found the data collected was indeed linked to individuals.[10] A senior attorney for Electronic Frontier Foundation said it’s “child’s play” for police to figure out the identity of any given cellphone user based on their individual patterns of life, including where they live, sleep, and work.[11]

The U.S. Supreme Court has ruled in Carpenter v. United States that the Constitution’s Fourth Amendment protects individuals from unreasonable search and seizures by requiring law enforcement agencies to obtain a warrant before tracking someone using a GPS device or cell site location information.[12] However, Fog Reveal technology has been used as a loophole to get around these requirements and to gather the same information without court oversight or public transparency. This technology usage has brought to light to many the differences between Electronic surveillance and data privacy. Under the Electronic Communications Privacy Act and Fourth Amendment of the Constitution, law enforcement officers are required to get a warrant based on probable cause if they wish to intercept communications or track a person’s location.[13] However, the concern raised by many is that there aren’t any comprehensive laws that protect people from their data being bought and sold to government agencies and private entities.

However, there is hope. Civil Rights lawyers and Senators have started pushing for legislation limiting law enforcement’s ability to purchase peoples’ data without a warrant.[14] But until any meaningful steps are taken, data capturing will continue to expand in both the public and private sectors as the unregulated data market grows.

 

 

 

[1] Jason Dearen & Garance Burke, Senators push to reform police’s cellphone tracking tools, ABC 13 News (September 29, 2022), https://wset.com/news/local/senators-push-to-reform-polices-cellphone-tracking-tools-fog-reveal-virginia-data-science-tracking-democrats-lawyers-civil-rights.

[2] Ben Paviour, Virginia State Police is using software to track cellphone location data, VPM News (January 12, 2023, 12:54 AM), https://vpm.org/news/articles/38757/virginia-state-police-is-using-software-to-track-cellphone-location-data.

[3] Anne McKenna, What is Fog Reveal? A legal scholar explains the app some police forces are using to track people without a warrant, The Conversation (October 17, 2022, 8:31 AM), https://theconversation.com/what-is-fog-reveal-a-legal-scholar-explains-the-app-some-police-forces-are-using-to-track-people-without-a-warrant-189944.

[4] Garance Burke & Jason Dearen, Tech tool offers police ‘mass surveillance on a budget,’ AP (September 2, 2022), https://apnews.com/article/technology-police-government-surveillance-d395409ef5a8c6c3f6cdab5b1d0e27ef.

[5] Paviour, supra note 2.

[6] Id.

[7] Dearen & Burke, supra note 1.

[8] Id.

[9] Paviour, supra note 2.

[10] McKenna, supra note 3.

[11] Paviour, supra note 2.

[12] Carpenter v. United States, 138 S. Ct. 2206 (2018).

[13] Electronic Communications Privacy Act of 1986, 18 U.S.C. §§ 2510-2523.

[14] Dearen & Burke, supra note 1.

 

Image Source: https://static.wixstatic.com/media/5a1250_4e52a6d7e2964302b2cd9b308a01876d~mv2_d_2262_1557_s_2.jpg/v1/fill/w_916,h_660,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/5a1250_4e52a6d7e2964302b2cd9b308a01876d~mv2_d_2262_1557_s_2.jpg

By Anubhav Das [1]

 

 

INTRODUCTION

In the aftermath of Justice K. S. Puttaswamy v. Union Of India decision (2017) by the Supreme Court of India – that held that the right to privacy is a fundamental right – India recently unveiled the much-awaited draft of the data protection law called ‘The Digital Personal Data Protection Bill, 2022’[2] (“DPDPB 2022”). This is the fourth iteration (once in 2018, then in 2019, then in 2021, and now in 2022) of the draft law, and it is currently under public consultation. The DPDPB 2022 contains many important ingredients of a (good?) data protection law, such as (i) the grounds for processing personal data, (ii) the rights of individuals with respect to their personal data, (iii) the establishment of a data protection board to oversee compliance with the law, and (iv) penalties/fines for violation or non-compliance with the law.[3]

Given the above, an aspect that has been consistent with the Indian government’s approach towards data protection law is the reliance on ‘consent’ as the only practical ground for processing personal data. While there are other grounds under the DPDPB 2022 for processing personal data that are categorised as ‘deemed consent’ (Section 8), however, they are limited to public interest grounds or for employment purposes.[4] On the other hand, the counterpart of DPDPB 2022 – the European General Data Protection Regulation (“GDPR”)[5] – has identified other grounds (Article 6) for processing personal data, such as performance of a contract, legitimate interest, etc.

A key question concerning the discussion above is – what exactly is consent in the context of processing personal data? Is it clicking the ‘I agree’ checkbox while installing an application or accessing a website? But generally, that ‘I agree’ checkbox is accompanied by a line stating that “by clicking on ‘I agree,’ you also agree to the terms and conditions and the privacy policy.” But won’t this be regarded as processing personal data under a contract that is not recognised as a ground for processing personal data under the DPDPB 2022? Considering the above, this article attempts to answer the questions above in the context of DPDPB 2022.

CONSENT: TAKEN OR NOT?

The DPDPB 2022 contemplates consent under Section 7 by stating that it must be ‘freely given, specific, informed, and unambiguous’ and it must be obtained with a clear affirmative action for a specific purpose.[6] With respect to clear affirmative action, it means that organisations cannot use pre-ticked boxes for ‘I agree’ (to get an individual’s consent). Further, to comply with the specific purpose requirement, organisations must provide written digital notice to the individuals in itemised format in plain language containing the description of personal data sought to be collected along with the purpose of processing such personal data.[7]  In addition, organisations are also required to inform the individuals about the contact details of the data protection officer (if applicable) or the grievance redressal officer.[8]

While the above approach can be complied with by small companies/organisations who undertake processing for limited and specified purposes, the problem is that it does not contemplate those companies/organisations that process personal data for many and varied purposes. For example, a social media company may process personal data for (i) targeted advertisement, (ii) improving its services, (iii) enabling communication for its users, (iv) enabling the ease of logging in, and (v) various other purposes. Effectively, such companies (e.g., social media companies) will be required to display a long notice detailing every purpose for which it is processing personal data and will be required to seek individual consent.[9] Now, it is unclear if such consent can be obtained from individuals for all such purposes (as a whole) at once or if organisations will be required to seek consent for each of these purposes separately. If such consent can be obtained for all such purposes (as a whole) at once, then that would mean that individuals by clicking on ‘I agree’ are basically agreeing to the privacy policy and/or the terms and conditions of the website or application. This may raise the question of whether such a consent obtained from the individuals is actually consent or whether such personal data is being processed under a contract. Going with this approach, if it is regarded as processing under a contract, then the entire processing of personal data by such companies will be deemed unlawful under the DPDPB 2022.

Consequently, consent as a ground for processing personal data can only be complied with if individuals agree and consent to each of the purposes for which personal data is processed by such organisation, e.g., by clicking on each of the checkboxes corresponding to the specific purposes.[10] This could of course, dissuade individuals due to such complexity in onboarding from ever taking the services or accessing the websites/application of the organisations, thereby hampering business.

Another consequence of establishing a purely consent-based regime (other than its practical ambiguity) is that it will end data scrapping as a form of business.[11] Data scrapping is an operation wherein data is not extracted from the source (that is from the individual).[12] Instead, it is generally extracted from websites where data is displayed or is in open access. The extracted data may contain personal data, and in such circumstances, consent cannot be obtained by organisations. The DPDPB 2022 neither foresees such a situation nor provides any guidance on obtaining consent on an ex-post facto basis.

PERFORMANCE OF A CONTRACT AS A GROUND FOR PROCESSING PERSONAL DATA

On the one hand and from a business perspective, recognising performance of a contract as a ground for processing personal data will provide an easy solution to the problems (as mentioned above) faced in a purely consent-based regime. Under a contract-based regime, individuals will have to click the ‘I agree’ checkbox, which will bind them to the terms and conditions and privacy policy of the website or the application. However, on the other hand, due to the usually lengthy and complex language used in the terms and conditions and privacy policy of a website/application, individuals may agree to such processing purposes that may be detrimental to their privacy. Therefore, a balance needs to be struck between a contract-based regime and a consent-based regime.

A balanced approach in this regard will be to detail and outline the applicability of processing personal data under a contract and consent for different types of businesses. For example, small to mid-sized businesses with less processing complexity may process personal data under consent. However, large-sized businesses that undertake complex processing activity may rely on contract as a ground for processing personal data. This should be subject to the sensitivity of the personal data processed by such organisations, e.g., financial data must be processed via consent only.

CONCLUSION

While the DPDPB 2022 is a much-required step towards establishing a comprehensive data protection legal framework, however, it does contain a few structural inefficacies. Given that it is still in the draft form, one can hope to get some respite concerning the grounds of processing with the inclusion of additional grounds, such as contractual processing. If granting additional grounds is an inconvenient approach, then the Indian government must issue clarificatory notes and/or a compliance guide for the ease of business as well as for the protection of individual privacy.

 

 

 

 

[1] Anubhav Das is an Associate at Saraf and Partners in Delhi (NCR), focusing on IP and Technology Law. He regularly advises businesses on legal issues with respect to data privacy and intellectual property. LinkedIn.

[2] The Digital Personal Data Protection Bill, 2022 (India).

[3] Id.

[4] The Digital Personal Data Protection Bill, 2022, Section 8 (India).

[5] European General Data Protection Regulation, 2016 (Europe).

[6] The Digital Personal Data Protection Bill, 2022, Section 7 (India).

[7] The Digital Personal Data Protection Bill, 2022, Section 6 (India).

[8] The Digital Personal Data Protection Bill, 2022, Section 9(7) (India).

[9] The Digital Personal Data Protection Bill, 2022, Section 7, (India).

[10] Id.

[11] Fiona Campbell, Data Scrapping – Considering the Privacy Issues, Fieldfisher (Jan. 04, 2023, 12:46 PM), https://www.fieldfisher.com/en/services/privacy-security-and-information/privacy-security-and-information-law-blog/data-scraping-considering-the-privacy-issues.

[12] Id.

 

Image Source: https://unsplash.com/photos/JFk0dVyvdvw