Over the past ten days, Indians have had to confront two incidents with serious ramifications for our privacy. One, the Prime Minister’s NaMo mobile app, collecting data from 22 features on users’ phones, was allegedly sharing user data with US-based analytics company CleverTap without user consent.
Moreover, the confirmation (through former Cambridge Analytica (CA) employee and whistle-blower Christopher Wylie’s testimony before a British Parliament committee) that CA had large-scale operations in India.
Events over the past few weeks have only underscored users’ vulnerability with respect to our privacy online. This, even as the Supreme Court is hearing the final arguments on the constitutionality of Aadhaar, India’s biometric linked unique identification database, and as the Ministry of Electronics and Information Technology (MeitY) appointed Justice Srikrishna Committee is set to release its recommendations for India’s forthcoming data protection law. This law cannot come fast enough. India’s current data protection model is failing.
Our current laws protect only certain kinds of information identified as “sensitive personal data or information (SPDI)” from unauthorised use by companies. Against the State, Indians have a fundamental right to privacy, including informational privacy, but this does not extend to private companies.
Rules framed in 2011, under the Information Technology Act, 2000 lists passwords, financial information, sexual orientation, health conditions, medical records, and biometric information as “sensitive personal data or information” (SPDI). Companies are required to notify users of their data handling practices through privacy policies, and require purpose-specific written consent to collect data.
User Consent is Key
This combination of a “list-based approach” and “notice and consent” framework is woefully inadequate for a big-data driven CA-like scenario. Only a small part of users’ Facebook data used to create and exploit detailed individual profiles is likely to qualify for protection as SPDI. Most users (including privacy lawyers and data scientists) do not read long privacy policies, full of legalese, let alone fully understand them. Privacy policies may also be materially changed overnight, as we also seen with the NaMo app.
Moreover, in a big-data world, where large volumes of data are collected, shared and processed at very high speeds, it is impossible to explain to users the complex ways in which their data is used.
This creates an information asymmetry problem: Without being properly informed of how data will be used, users’ informed consent is a fiction. In practice, businesses collect and re-purpose as much data as they can, and users are unable to see what happens with their data.
What is DEPA & How Will it Help Protect Data?
Imagine data to be like water. Once collected, each business sends the data down a set of pipes that it has designed. Different businesses use different pipes, the designs of which are not publicly known. As a result, users, who are unable to see what is happening to their data, suffer a loss of control while businesses gain disproportionate power.
The Facebook-CA incident is only the latest case in point where multiple parties have benefited for years from opaque data flows. Even in the NaMo app-CleverTap case, users have to trust the latter when it says that it is not renting or selling user data, with no way of knowing where their data actually is and what exactly it is being used for.
Re-balancing the business-user relationship and solving the fundamental problem of opacity in today’s data flows is key to protecting individual privacy. India’s financial sector is currently witnessing the debut of the Data Empowerment and Protection Architecture (DEPA), which aims to bring this into effect.
Born in Bangalore, DEPA re-engineers the way in which the personal data of users is shared between multiple businesses. In doing so, it aims to give users more control over their data. DEPA makes data flow through a publicly-known, standardised set of ‘pipes’.
To restore control to users, DEPA makes it technologically impossible for businesses to share data without user consent, which is recorded in a ‘consent artefact,’ an indestructible electronic record that shows exactly what users have consented to.
Users can choose the exact pieces of data they want to share, with whom, for how long, and for what purpose. When users revoke consent; businesses will lose access to that data.
Transparency in Business-User Relationship
To improve transparency, DEPA also places a tag on each piece of users’ data. As data flows from business to business, the tags make it possible for users to track exactly where their data is. Users will know how their data is being used – when it is given to advertisers, sold to brokers, or used without permission.
Data tags also enable all data movements to be logged, potentially in a ‘consent dashboard,’ which would be like a portal that users can sign-in to. Such a system will likely illuminate the modern data chain for users for the first time ever.
By prescribing a uniform set of ‘pipes’ for data flows, DEPA is trying to create a new standard. Standards are formalised norms that publicly describe how particular technologies work. For example, 4G-LTE and Bluetooth are communication standards, and USB and HDMI are hardware standards. If DEPA achieves critical mass based on how widely it is adopted, it will become a data flow standard.
By making data flows more transparent and giving users more control over their data, DEPA wants to level the playing field between businesses and users. Since there is an unequal relationship between users and businesses today, users’ data is artificially undervalued, which indicates market failure.
Levelling the field will allow the market to find the true value of user data. This is good for the economy, and of course, for users too.
The pipes are like highways. Just as highways lubricate the economy and increase trade and economic growth, standardised data architecture will do the same.
(Nehaa Chaudhari, a Harvard-educated lawyer, heads the public policy practice at TRA Law, an award-winning policy and law firm focused on startups and technology. This is an opinion piece and the views expressed above are the author’s own. The Quint neither endorses nor is responsible for them.)