by Rishab Bailey and Trishee Goyal.
The Justice Srikrishna Committee Report of August 2018 (the "Report") introduces the concept of a fiduciary relationship into privacy jurisprudence in India by categorising data processing entities as "data fiduciaries" and individuals as "data principals". The draft Personal Data Protection Bill, 2019 (the "PDP Bill") attempts to operationalise the concept by establishing various rights of data principals and associated obligations on data fiduciaries.
The idea of using the fiduciary concept to protect an individual's privacy rights is not new - traditional fiduciary relationships such as that between a doctor and patient or a lawyer and client, do recognise duties of confidentiality. However, the PDP Bill is one of the first attempts to use the fiduciary framing as a basis for a generic data protection law.
In this context, in a recently released paper, we examine whether and how the fiduciary framing is suitable to develop a generic privacy framework and whether this provides individuals any protections over and above typically seen notice and consent regimes. In particular, we examine:
- Whether all data processing entities are in fiduciary relationships with individuals (and therefore whether the fiduciary concept works as the basis for a generic data protection law)?
- Whether, in theory, the use of the fiduciary concept can adequately protect an individual's privacy rights?
- Whether the obligations imposed by the PDP Bill are similar to the duties expected of traditional fiduciaries?
- Whether the fiduciary framing in the PDP Bill has any practical effect?
Before beginning to answer the above questions, however, it is relevant to briefly explain what is meant by a 'fiduciary relationship'. A fiduciary relationship is one characterised by a high degree of vulnerability between the parties, despite which the weaker party is required to repose trust or confidence in the other (Miller, 2014; Rotman, 2011). In order to protect the beneficiary in such a relationship, the law casts a series of onerous obligations on the more powerful party in the relationship, including importantly, the duties of loyalty and care (Frankel, 2011). This implies that the fiduciary is required to:
- Ensure that it acts so as to protect or advance the interests of the beneficiary, or to act for the benefit of the beneficiary (Aditya Bandopadhyay, 2011; Jayantilal Mistry, 2015; Treesa Irish, 2010). The fiduciary cannot normally put itself in a position that may be seen as conflicting with the interests of the beneficiary.
- Put in reasonable skill (in accordance with general sectoral practice) while handling the affairs of the beneficiary.
The exact formulation of these duties varies depending on the nature of the relationship at hand and the vulnerabilities therein (though the beneficiary's interests must be placed before that of the fiduciary). For instance, trust law appears to cast more onerous duties and limits the fiduciary's powers in more ways than company law. Often beneficiaries in a trust relationship will not have any ability to comprehend risks or give proper consent (as may be the case where the beneficiary is a minor). The law therefore puts in place greater protections for a beneficiary of a trust vis-a-vis the trustee - for instance, Section 53 of the Trusts Act, 1882, permits the trustee to purchase the interest of a beneficiary only once a court is satisfied that the transaction is "manifestly to the advantage" of the beneficiary. In the company law context, however, the law generally recognises that if sufficient disclosures are made, shareholders and other stakeholders can act to protect the company against the erring director.
Are data processing entities in fiduciary relationships with their users?
Indian law requires a fairly high standard of vulnerability/power differential to be met before a relationship can qualify as "fiduciary". Courts have in fact held that relationships where there is no significant power differential are not fiduciary despite the exchange of confidential information therein. There is a catena of case law that holds, for instance, that relationships of service provision are not fiduciary in nature, that situations where information is provided under a legal obligation are not covered under fiduciary relationships, that examination authorities are not fiduciaries qua students, that the chief justice is not a fiduciary qua puisne judges of the Supreme Court, that banks are not fiduciaries to their clients and that the central bank is not a fiduciary qua other banks (Canbank Financial Services, 2004; Aditya Bandopadhyay, 2011; Jayantilal Mistry, 2015; BPSC, 2012; Subhash Chandra Aggarwal, 2010; Naresh Trehan, 2014; Shri Rakesh Kumar Gupta, 2011).
This appears to indicate that the use of a fiduciary framing may not be suitable to cover the breadth of situations that a generic data protection law may need to cover. Many relationships of information exchange that would not qualify as fiduciary could nevertheless require some form of regulation (however light-touch) in order to protect individual autonomy and privacy. For example, the European General Data Protection Regulation (GDPR) applies in certain contexts to processing even by individuals.
On the other hand, Indian courts have in a few instances, allowed separation of fiduciary parts of a relationship from other parts thereof (Union of India, 2009; Canbank Financial Services, 2004). This could imply that a relationship not normally fiduciary in nature, could possibly be considered as such, only with respect to the transfer of information and the expectation of trust created thereby.
Overall, it appears that large data processing entities can certainly be in a position of power with respect to users by virtue of the information that users have to provide to them. Users do tend to expect their data to be used in certain limited ways, and in any event, not to disadvantage them or cause them harm (Punia, Kulkarni, Narayan, 2019). The power enjoyed by these entities can be unilaterally exercised so as to affect the rights and interests of the user (in the form of disclosure, acting on the basis of user profiling, etc.) and there is a social need for protection of user interests in such cases. The information asymmetry in such relationships, in addition to other issues such as the technical and structural concerns of the digital ecosystem, also makes it difficult for users to rely on contract, consumer protection or tort law, etc. to seek remedies. The information asymmetry problem in particular limits the abilities of users to act as autonomous and informed agents while contracting or indeed seeking remedies. The fiduciary concept could therefore prove useful in protecting user rights in the digital ecosystem.
Some, if not many relationships that involve processing of personal data, would not normally fall within the scope of the fiduciary concept. That said, statute could deem certain relationships as being akin to fiduciary relationships, and thereby bring within its scope all necessary actors in the digital ecosystem. Duties can then be imposed that are similar to those in a fiduciary relationship should this be felt necessary to solve a particular social problem. Whether such a relationship can continue to be called "fiduciary" however, is another issue.
Can the concept ensure a sufficient standard of rights protection?
While the breadth of the information fiduciary concept may be narrow in so far as its coverage of relevant entities is concerned, it does lend itself to expansion both in the scope of duties that could be made applicable to entities and indeed the scope of the data that forms the basis for the relationship.
The imposition of a high duty of loyalty and care, for instance, could lead to a high standard of rights protection by ensuring that data processing entities can only use data for the benefit or to maximise the gains to the individual concerned. This could mean, for instance, that practices aimed at manipulating individuals based on profiles created using their personal data would no longer be permitted (Dobkin, 2018). Similarly, discriminatory practices that result from an analysis of personal data could also be prohibited (Dobkin, 2018). In fact, it is possible to argue that any monetisation of user data could be prohibited using this concept to the fullest (Balkin, 2016).
The use of the fiduciary concept could also mean that obligations will be imposed irrespective of contractual terms between the parties. The duty of care requirement in a fiduciary relationship could be interpreted to imply security and other related obligations on data processing entities.
Further, the fiduciary concept does not have to be restricted merely to protect "personal data" (i.e. data that relates to or identifies an individual) but can cover all types of data that are exchanged in an unequal relationship, with an attendant expectation of confidentiality (i.e. the data should not be publicly known information). Therefore, the concept could also be used to cast obligations qua the usage of non-personal data gleaned from a user, as well as non-personal data derived from personal data of a user. This has in fact been attempted in two draft American laws - New York's Privacy Act and the federal Data Care Act. Notably, these laws specifically deem data processing entities as fiduciaries, thereby requiring them to place their users' interests ahead of their own, and avoid acting in a manner that could be considered unexpected or offensive to a reasonable user. In this context, it is interesting to note the draft PDP Bill does in fact attempt to cover even "inferred" data within its ambit - i.e. information that is gleaned from analysing personal information.
That said, there remain questions as to the efficacy of the concept in protecting privacy rights.
First, commentators have pointed to the dissonance in treating service providers as fiduciaries at all. This is on grounds that the business models of many digital service providers, being based on monetizing user data, can never be squared with the fiduciary concept, which involves the fiduciary placing its interests second to that of the beneficiary (Khan and Pozen, 2018).
While undoubtedly true that fiduciary law requires the interests of the beneficiary to be given precedence over that of the fiduciary, it is worth noting that fiduciary law does recognise multiple standards of the duty of loyalty - based on the asymmetry or vulnerability at hand, the nature of the relationship, the ability of the beneficiary to understand the risks involved, and so on. It does not therefore appear inconceivable for the concept to be made workable. Even implementing a 'best interest' or 'benefit' based framing of obligations may not necessarily lead to a complete bar on targeted advertising or monetisation of user data (though certainly some existing business models may need to be changed).
Second, it is argued that existing law (in the US) - whether in contract or consumer protection law - already requires companies to adhere to standards of fair dealing and good faith and restrains them from acting as con-men (Khan and Pozen, 2018). While existing law does indeed give consumers some remedies against privacy invasive practices, the standard of care and the range of rights/obligations in Indian contract and consumer protection law are significantly limited. Though Indian contract law does prevent fraudulent behaviour, it does not include an express "good faith" requirement as US law does. Indian law only requires insurance contracts to be entered into in "utmost good faith", which entails disclosure of all material facts (Makkar, 2018; Law Commission of India, 2006). Indian consumer protection law too only protects consumers from certain limited harms such as those defined as "unfair trade practices". The recognition of a fiduciary standard can therefore improve rights protection in India by raising the standards of care from that in existing law.
Third, the fiduciary concept applies to information provided in private settings and with an expectation of privacy at the time it is provided. The reliance of the concept on the expectations of users as a standard to gauge the validity of practices can be problematic. It has been argued, for instance, that use of this concept lacks any independent normative standard and therefore does not adequately protect privacy rights (Crowther, 2012; Schneier, 2009). Balkin himself notes that the standard he proposes would require users to factor the monetisation of their data into account (Balkin, 2016). This may not be possible for all users.
Given that the concept only applies to data exchanged in private settings, an individual's privacy rights over data can end if voluntarily placed in the public domain at any point of time. However, data protection regimes such as the GDPR continue to recognise certain individual rights over personal data even once made public - for instance, by recognising a right to forget.
Fourth, concerns about the workability of the notice-consent framework as a means to overcome information asymmetry issues remain. As Khan and Pozen point out, the nature of information asymmetry in the digital ecosystem is of a significant order (Khan and Pozen, 2018). It could therefore be argued, that just as trust relationships often do not permit the beneficiary to consent to certain harmful acts (say where incompetent to contract, or where the risk of harm is significant as in the case of a beneficiary's interest being bought by the trustee) there is a need for higher standards of care to be imposed.
Are the obligations under the PDP Bill "fiduciary obligations"?
At the outset, it is important to note that the nature and scope of obligations contained in the PDP Bill are indeed broadly similar to those imposed in the fiduciary relationships we have studied (trustee-beneficiary relationships, doctor-patient relationships and company-director relationships). The mechanisms used by the PDP Bill to address the agency problem can be summarised under five broad heads as below:
- Limitations on the authority/ability of the data fiduciary to act without knowledge of the data principal: Provisions pertaining to purpose limitation, limitations on data collection and storage, informed consent as the primary ground for processing data, right to correct data, etc.
- Duty of loyalty and care: Requirement for fair and reasonable processing, obligations to secure data and implement privacy by design measures, requirement to ensure obligations flow with the data, etc.
- Reduction of information asymmetry: Provisions pertaining to notice, high standards of consent, right to access and correct data, transparency (record keeping and disclosure) and accountability related provisions such as requirement to provide various types of information pertaining to the processing to the data principal, conduct data audits, have a data trust score for certain entities, requirement of data breach notification, etc.
- Standard of care: A reasonable and proportionate standard of care is required by the PDP Bill. Obligations are scaled based on the risks of any particular processing practice, as well as the type of personal data concerned and the nature of entities involved. Notably, greater obligations are imposed on significant data fiduciaries and guardian data fiduciaries.
- Remedies: Data principals can approach the data fiduciary and then adjudicatory forums for breach of the duties cast on data fiduciaries by the law. Mere breach of the obligations under the law can lead to penal action. The penalties that the draft law imposes are fairly stringent.
However, it must be kept in mind that the PDP Bill imposes a low standard of loyalty. By requiring the data fiduciary to inform the data principal of relevant processing practices, by ensuring purpose limitation, and making it mandatory for processing to be fair and reasonable, the legislation appears to impose a "good faith" standard. Such a standard does not appear to be entirely inconsistent with the fiduciary concept, being similar to the interpretation of fiduciary duties in the context of Indian company law, though it does not offer the same level of protection as the duties cast on trustees.
There is no general requirement in the PDP Bill for the data fiduciary to act in the user's interests, for their benefit or to avoid acting in a manner detrimental to the user. This can be contrasted to the Indian law pertaining to directors, doctors and particularly trusts, which all contain provisions specifically limiting the ability of a fiduciary to act in their own interests or against that of the beneficiary. "Predictability" of processing - which is what the draft law aims at - is not synonymous with processing in the data principal's interests or for its benefit.
Though the Report repeatedly recognises the need for data fiduciaries to act in the "best interests" of the user, this standard is not explicitly included in the law with the general standard applied in the PDP Bill only requiring data fiduciaries to act in a bona fide, diligent and reasonable manner. Notably, the PDP Bill itself uses the phrase "best interest" only once - in the context of protection of children's data.
A lower standard is generally used where it is easier to overcome information asymmetry problems or where social norms otherwise dictate the need to do so (Langbein, 2005). Accordingly, the low standard used in the draft law can be traced to the Justice Srikrishna Committee aiming to balance business and individual interests. It is unclear if this is a sufficient standard of rights protection in the data protection context in view of the various consent related problems in the digital ecosystem and the vast information asymmetries present in a country like India (Punia, Kulkarni, Narayan, 2019; Bailey et al., 2018; Matthan, 2017).
On the other hand, by imposing such a standard, the law puts the onus on individuals to take charge of and actively seek to protect their privacy rights (as opposed to being viewed through paternalistic eyes). Further, the safeguard of the data protection authority being able to step in and prohibit/seek modification of any particularly problematic practice acts as a check on the most pernicious practices of large data processing entities. However, relying on the data protection authority to ban pernicious practices is not the same as requiring the data fiduciary to act in the interests of or for the benefit of the data principal. Empowering the authority in this manner appears to detract from the fiduciary concept in that it enables ex-ante decision making by an executive authority, rather than enabling practices to be adjudicated as being in consonance with (or in breach of) fiduciary obligations by an adjudicatory authority.
In traditional fiduciary relationships informed consent can be used to reduce/waive the obligations on the more powerful entity. However, the law also imposes various safeguards to protect against abuse. These usually take the form of specific disclosures, and in cases where consent is deemed impossible or insufficient, as is the case with minors in the context of trusts, courts are permitted to step in and act in their interests. The draft law does not specifically circumscribe the ability of the individual to consent to activities that may not necessarily be in his or her interest. This is not per se against the fiduciary concept, though both academics and courts appear to be hesitant about recognising the entirety of a fiduciary relationship to be voluntary/subject to contractual waivers (Leslie, 2005; Union of India, 2009).
Overall, it can be seen that the PDP Bill does indeed implement duties akin to those in traditional fiduciary relationships. The duties in the draft law do try and ensure that the data fiduciary processes data in accordance with expectations of the data principal / that the data principal is aware of the processing taking place and its effects i.e. that the agency problem in the relationship is reduced.
However, the scope of some of these duties and the standard set by them are not as high as seen in cases of traditional fiduciary relationships such as trusts. One may question whether the standard used in the draft law is appropriate in the privacy context, given the extent of vulnerability in many relationships of information exchange particularly in the digital ecosystem. The difficulty for individuals in comprehending privacy risks, even when complete disclosures are made, may in fact mean that a standard closer to that used in trustee-beneficiary relationships may have been more suitable (this is also the logic behind the concept of 'data trusts' which are increasingly being spoken of as an alternative model of data governance). Further, the nature of exemptions under the draft law, particularly in the context of processing by the State and by employers appears to go against the use of the fiduciary framing in the law. There is a significant power differential in citizen-state and employee-employer relationships, which can only be exacerbated by unchecked processing of personal data.
Why use the fiduciary concept? Does it have a practical effect?
The Srikrishna Committee chooses to utilise the fiduciary framing as the basis for the draft PDP Bill, 2018, in view of the perceived vulnerability of users to data processing entities and the apparent ability of the concept to balance rights protection with business interests. The concept is said to preserve autonomy of individuals while still enabling rights protection.
Given India's constitutional framework does not necessitate a fiduciary framing to avoid constitutional restrictions (as is apparently the case in the US - due to the high standard of constitutional protection for speech rights), it makes sense to use the fiduciary framing if the concept would allow novel data protection related obligations to be imposed.
However, a summary analysis of the draft PDP Bill, 2019, with the GDPR indicates that the two laws are largely similar in terms of the nature of obligations imposed (though the exact scope/contours of the obligations are different based on the specific language used in the laws). Both use largely notice and consent based models to protect user privacy (though this is enhanced and contains safeguards that are not normally present in contract law). Both regimes attempt to ensure individuals are informed of processing activities and that individuals are given control of their personal data not least through principles of purpose limitation, high standard of consent, detailed notice requirements, provisions aimed at reducing information asymmetry, etc.
In addition, it must be remembered that the use of the term "data fiduciary" in the draft law does not in itself imply that the high standards that come with fiduciary obligations are being imposed on all data processing entities. The definitions section in the PDP Bill is not a deeming provision (unlike the definitions provisions in the two US laws referenced previously). The entities that come within the definition in the law would be subject to the (fiduciary like) obligations provided in the PDP Bill itself but would not necessarily be required to adhere to the obligations or standards typically imposed on fiduciaries (for instance, under Section 88 of the Trusts Act).
The use of the phrase "data fiduciary" is largely meaningless from a purely legal perspective. What it does achieve is in terms of its symbolic and signalling value to courts, the general public and businesses.
One may speculate that this could be an important reason in choosing to use the fiduciary concept in the draft law. It is not impossible to imagine that the PDP Bill uses the fiduciary concept to cast the illusion of crafting a new, user-centric privacy framework, without actually changing too much from notice and consent based regimes. The fiduciary concept is something that is used in many legal contexts and is a term that people are familiar with (even if the nuances of this relationship are not very well understood). Doctors, guardians and other such fiduciaries are commonly expected to act in their beneficiary's interests / display a high standard of loyalty towards them. Use of the phrase "data fiduciary" may well lead people to assume or expect that the PDP Bill also imposes such a high standard of loyalty on data processing entities. Use of the terminology could therefore make the Bill more palatable to civil society which craves greater standards of rights protection, thereby making it easier to "sell" the legislation to the general public amongst other stakeholders. The motivation for using the fiduciary concept could also be the need to differentiate the PDP Bill from laws such as the GDPR, particularly in view of the Srikrishna Committee's self-imposed mandate to find a "fourth path" to data protection.
Conclusion
The use of the fiduciary concept to enable data protection is an interesting method used to justify regulation of privacy harming practices in the US constitutional scheme. The application of the fiduciary concept to the data protection context prima facie appears a feasible way to protect user rights due to the duties of care and loyalty expected of fiduciaries.
However, the concept also suffers from certain infirmities. Notably, all data processing entities may not be in fiduciary relationships with individuals. Due to the focus on balancing state, business and data protection interests, the PDP Bill does not confer as high a standard of loyalty and care as may be normally expected in a fiduciary relationship (and in this respect, departs from the discussion in the Report). Unlike the law in the case of doctors, company directors, and particularly trusts, there is no general requirement for fiduciaries to act in the beneficiary's interest or to their benefit (except in the context of children).
Data processing entities will be required to comply with standards of good faith and reasonableness that are akin to the "fair dealing" standards found in contract law in many jurisdictions. This standard is higher than that under current Indian contract and consumer protection law, but is similar to requirements in the insurance industry. Fiduciaries will have to make all material disclosures, and act in accordance with generally accepted industry standards. Practices such as targeted advertising, tracking, etc., will not per se be barred except where children are involved (or where the data protection authority believes that such practices are likely to harm individuals and therefore bars them). The powers granted to the data protection authority to bar certain practices, while possibly useful given the low standards of loyalty cast on fiduciaries, also imply that decisions regarding permitted practices will be made by executive authorities rather than adjudicatory authorities. These issues detract from the fiduciary character sought to be established by the draft law.
But the draft law does, to an extent, meet the aim of preserving autonomy i.e. decision making power of individuals, and reducing inequality in bargaining power. This is primarily done by subjecting data processing entities to strict consent related requirements including by specifying (high) standards for notice and ensuring that consent must be granular. The provisions related to information disclosure, limited data collection, deletion, purpose limitation, data audits and privacy impact assessments, etc., are also vital in reducing the agency problem in the relationship.
However, the same ends could be achieved without using the fiduciary concept at all - as is done in the case of the GDPR. One may speculate that the use of the terminology could be necessitated by the need to differentiate the PDP Bill from the GDPR, or to take an uncharitable view, to make it appear that the law contains a higher standard of rights protection than it actually does.
References
Frankel, 1983: Tamar Frankel, Fiduciary Law, California Law Review, Vol. 71, Issue 3, 1983.
Rotman, 2011: Leonard I Rotman, Fiduciary Law's "Holy Grail": Reconciling theory and practice in fiduciary jurisprudence, Boston University Law Review, Vol. 91, Issue 3, 2011.
Sitkoff, 2011: Robert H Sitkoff, An Economic Theory of Fiduciary Law, in Philosophical Foundations of Fiduciary Law, Andrew S Gold and Paul B Miller (eds.), Oxford University Press, 2014.
Langbein, 2005: John H Langbein, Questioning the Trust Law Duty of Loyalty: Sole Interest or Best Interest?, Yale Law Journal, Vol. 114, Issue 1, 2005.
Aditya Bandopadhyay, 2011: Central Board of Secondary Education and Anr. v. Aditya Bandopadhyay and Ors., (2011) 8 SCC 497.
Jayantilal Mistry, 2015: Reserve Bank of India v. Jayantilal N Mistry, TC (C) 91/2015, Supreme Court, 2015.
Treesa Irish, 2010: Treesa Irish w/o Milton Lopez v. Central Information Commission and Ors., ILR 2010 (3) Ker 892.
Miller, 2014: Paul B Miller, The Fiduciary Relationship, in Philosophical Foundations of Fiduciary Law, Andrew S Gold and Paul B Miller (eds.), Oxford University Press, 2014.
Frankel, 2011: Tamar Frankel, Fiduciary Law, Oxford University Press, 2011.
Khan and Pozen, 2018: Lina Khan and David Pozen, A Skeptical View of Information Fiduciaries, Harvard Law Review, Vol 133, 2019.
Gellman and Adler-Bell, 2017: Barton Gellman and Sam Adler-Bell, The Disparate Impact of Surveillance, The Century Foundation, 2017.
Crowther, 2012: Brandon T Crowther, (Un)Reasonable expectation of digital privacy, BYU Law Review, Vol. 2012, Issue 1, 2012.
Schneier, 2009: Bruce Schneier, It's time to drop the 'expectation of privacy' test, Wired, 2009.
Makkar, 2018: Angad Singh Makkar, Doctrine of Good Faith and Fair Dealing: Lacuna in Indian Contract Law, IndiaCorpLaw, 2018.
Law Commission of India, 2006: Law Commission of India, Unfair (procedural and substantive) terms in contract, 199th Report of the Law Commission of India, 2006.
Punia, Kulkarni, Narayan, 2019: Swati Punia, Amol Kulkarni and Sidharth Narayan, User's perspectives on privacy and data protection, CUTS International, 2019.
Canbank Financial Services, 2004: Canbank Financial Services Ltd. v. Custodian and Ors., (2004) 8 SCC 355.
BPSC, 2012: Bihar Public Service Commission vs. Saiyed Hussain Abbas Rizwi and Ors., (2012) 13 SCC 61.
Subhash Chandra Aggarwal, 2010: Secretary General, Supreme Court of India v. Subhash Chandra Agarwal, AIR 2012 Del. 159.
Naresh Trehan, 2014: Naresh Trehan vs. Rakesh Kumar Gupta, WP (C) No. 85/2010, Delhi High Court, 2014.
Shri Rakesh Kumar Gupta, 2011: Shri Rakesh Kumar Gupta vs. The Central Public Information Officer and The Appellate Authority, Director of Income Tax (Intelligence), CIC/DS/A/2011/001128, CIC, 2011.
Union of India, 2009: Union of India v. Central Information Commission, WP (C) No. 8396/2009, Delhi High Court, 2009.
Pullen, 2007: Berkeley Community Villages Ltd and Anr. v Pullen and Ors., [2007] EWHC 1330 (Ch).
Dobkin, 2018: Ariel Dobkin, Information Fiduciaries in Practice: Data Privacy and User Expectations, Berkeley Technology Law Journal, Vol. 33:1, 2018.
Balkin, 2014: Jack M Balkin, Information Fiduciaries in the Digital Age, Balkinization blog, 2014.
Balkin, 2016: Jack M Balkin, Information fiduciaries and the first amendment, UC Davis Law Review, Vol. 49, Issue 4, 2016.
Balkin and Zittrain, 2016: Jack M Balkin and Jonathan Zittrain, A Grand Bargain to Make Tech Companies Trustworthy, The Atlantic, 2016.
Leslie, 2005: Melanie Leslie, Trusting Trustees: Fiduciary Duties and the Limits of Default Rules, Georgetown Law Journal, Vol. 94, Issue 1, 2005.
Bailey et al., 2018: Rishab Bailey, Smriti Parsheera, Faiza Rahman and Renuka Sane, Disclosures in privacy policies: Does notice and consent work?, NIPFP Working Paper No. 246, 2018.
Matthan, 2017: Rahul Matthan, Beyond Consent: A New Paradigm for Data Protection, Takshashila Discussion Document, 2017.