This article was first published in The Quint.
Over the past ten days, Indians have had to confront two incidents with serious ramifications for our privacy. One, the Prime Minister's NaMo mobile app, which collects data from 22 features on users' phones, was allegedly sharing user data with the US-based analytics company CleverTap without user consent. Two, the confirmation (through former Cambridge Analytica (CA) employee and whistleblower Christopher Wylie's testimony before a British parliamentary committee yesterday) that CA had large-scale operations in India.
Events over the past few weeks have only underscored how vulnerable users are with respect to their privacy online. This, even as the Supreme Court is hearing final arguments on the constitutionality of Aadhaar, India's biometric-linked unique identification database, and as the MeitY-appointed Justice Srikrishna Committee is set to release its recommendations for India's forthcoming data protection law. This law cannot come fast enough. India's current data protection model is failing.
Our current laws protect only certain kinds of information, identified as "sensitive personal data or information" (SPDI), from unauthorized use by companies. Against the State, Indians have a fundamental right to privacy, including informational privacy, but this right does not extend to private companies. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, framed in 2011 under the Information Technology Act, 2000, list passwords, financial information, sexual orientation, health conditions, medical records, and biometric information as SPDI. Companies are required to notify users of their data handling practices through privacy policies and to obtain purpose-specific written consent before collecting SPDI. Everything outside that list receives no comparable protection.
Moreover, in a big-data world, where large volumes of data are collected, shared and processed at very high speeds, it is impossible to explain to users the complex ways in which their data is used. This creates an information asymmetry problem. Without being properly informed of how data will be used, users’ informed consent is a fiction. In practice, businesses collect and repurpose as much data as they can and users are unable to see what happens with their data. Think of data like you would water. Once collected, each business sends the data down a set of pipes that it has designed. Different businesses use different pipes, the designs of which are not publicly known. As a result, users, who are unable to see what is happening to their data, suffer a loss of control while businesses gain disproportionate power.
The Facebook-CA incident is only the latest case in point where multiple parties have benefited for years from opaque data flows. Even in the NaMo app-CleverTap case, users have to trust the latter when it says that it is not renting or selling user data, with no way of knowing where their data actually is and what exactly it is being used for.
Re-balancing the business-user relationship and solving the fundamental problem of opacity in today's data flows is key to protecting individual privacy. India's financial sector is currently witnessing the debut of the Data Empowerment and Protection Architecture (DEPA), which aims to bring this into effect. Born in Bangalore, DEPA re-engineers the way in which the personal data of users is shared between multiple businesses; in doing so it aims to give users more control over their data.
DEPA makes data flow through a publicly known, standardized set of pipes. To restore control to users, DEPA is designed so that a business cannot obtain data through those pipes without user consent, which is recorded in a 'consent artefact': a digitally signed, machine-readable electronic record that states exactly what the user has agreed to. Users can choose the exact pieces of data they want to share, with whom, for how long, and for what purpose, and the receiving business is held to those terms because the record is checked before any data is released. When a user revokes consent, the business loses access to that data. The guarantee covers data that moves through the architecture; it cannot reach data a business already holds or collects outside it.
To improve transparency, DEPA also places a tag on each piece of users' data. As data flows from business to business, the tags make it possible to record every movement against the consent under which it happened, so users can track exactly where their data is. Users will be able to see when their data is passed to advertisers or sold to brokers, and any movement that has no matching consent record stands out as unauthorized. Because every data movement is logged, the log can be surfaced in a 'consent dashboard', a portal that users sign in to. Such a system would illuminate the modern data chain for users for the first time.
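The two mechanisms above, a signed consent artefact that gates release of data and a per-flow log tagged with the consent it was released under, can be made concrete in a few dozen lines. The following is an added illustration written for this article, not DEPA's own code or specification: the field names, the sample bank record, and the key are constructed for the example, and an HMAC stands in for the public-key digital signature a real consent manager would apply.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed demo key. DEPA's consent artefacts carry a digital signature
# from the consent manager; an HMAC stands in here so the example runs with
# the standard library only (assumption made for the illustration).
CONSENT_MANAGER_KEY = b"demo-consent-manager-key"
T0 = datetime(2018, 4, 1, tzinfo=timezone.utc)   # constructed reference time


def _canonical(obj) -> bytes:
    # Deterministic JSON so the signature covers exactly one byte string.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue_artefact(key, consent_id, user, provider, consumer, fields, purpose,
                   valid_from, valid_until):
    """Consent artefact: what the user agreed to, signed by the consent manager."""
    body = {
        "consent_id": consent_id, "user": user,
        "data_provider": provider, "data_consumer": consumer,
        "fields": sorted(fields), "purpose": purpose,
        "valid_from": valid_from.isoformat(),
        "valid_until": valid_until.isoformat(),
    }
    sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": sig}


def verify_artefact(key, artefact) -> bool:
    expected = hmac.new(key, _canonical(artefact["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, artefact.get("signature", ""))


class DataProvider:
    """Holds a user's data and releases fields only against a valid artefact."""

    def __init__(self, key, records):
        self.key = key
        self.records = records      # user -> {field: value}
        self.revoked = set()        # consent ids the user has withdrawn
        self.flow_log = []          # one tagged entry per release of data

    def revoke(self, consent_id):
        self.revoked.add(consent_id)

    def release(self, artefact, consumer, fields, purpose, now):
        """Return (data, reason); data is None when the request is refused."""
        body = artefact["body"]
        if not verify_artefact(self.key, artefact):
            return None, "bad signature"
        if body["consent_id"] in self.revoked:
            return None, "consent revoked"
        if consumer != body["data_consumer"]:
            return None, "consumer not named in consent"
        if purpose != body["purpose"]:
            return None, "purpose not consented"
        start = datetime.fromisoformat(body["valid_from"])
        end = datetime.fromisoformat(body["valid_until"])
        if not (start <= now <= end):
            return None, "outside consent window"
        extra = set(fields) - set(body["fields"])
        if extra:
            return None, "fields not consented: " + ", ".join(sorted(extra))
        data = {f: self.records[body["user"]][f] for f in fields}
        # Tag the flow with the consent it was released under, so the user's
        # dashboard can show exactly which fields went where and why.
        self.flow_log.append({"consent_id": body["consent_id"], "user": body["user"],
                              "to": consumer, "fields": sorted(fields),
                              "purpose": purpose, "at": now.isoformat()})
        return data, "ok"

    def flows_for(self, user):
        return [e for e in self.flow_log if e["user"] == user]


def demo():
    """Walk through the valid, over-reaching, tampered, expired and revoked cases."""
    bank = DataProvider(CONSENT_MANAGER_KEY, {
        "alice": {"balance": 1200, "pan": "XXXXX1234X", "address": "Bangalore"}})
    art = issue_artefact(CONSENT_MANAGER_KEY, "c-001", "alice", "bank-a", "lender-b",
                         ["balance", "address"], "loan-underwriting",
                         T0, T0 + timedelta(days=30))
    day1, day45 = T0 + timedelta(days=1), T0 + timedelta(days=45)
    out = {"valid": bank.release(art, "lender-b", ["balance"], "loan-underwriting", day1),
           "overreach": bank.release(art, "lender-b", ["balance", "pan"], "loan-underwriting", day1),
           "wrong_consumer": bank.release(art, "broker-c", ["balance"], "loan-underwriting", day1),
           "expired": bank.release(art, "lender-b", ["balance"], "loan-underwriting", day45)}
    tampered = {"body": dict(art["body"], fields=["balance", "pan"]), "signature": art["signature"]}
    out["tampered"] = bank.release(tampered, "lender-b", ["pan"], "loan-underwriting", day1)
    bank.revoke("c-001")
    out["revoked"] = bank.release(art, "lender-b", ["balance"], "loan-underwriting", day1)
    out["flows"] = bank.flows_for("alice")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the walk-through is that the consumer never negotiates with the data provider directly: every refusal (extra field, wrong recipient, expired window, edited artefact, revoked consent) is decided from the signed record alone, and the only entry in Alice's flow log is the one release that matched it.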
By prescribing a uniform set of pipes for data flows, DEPA is trying to create a new standard. Standards are formalized norms that publicly describe how particular technologies work. For example, 4G LTE and Bluetooth are communication standards, and USB and HDMI are hardware standards. If DEPA achieves critical mass through wide adoption, it will become a data flow standard.
By making data flows more transparent and giving users more control over their data, DEPA wants to level the playing field between businesses and users. Since there is an unequal relationship between users and businesses today, users’ data is artificially under-valued, which indicates market failure. Levelling the field will allow the market to find the true value of user data. This is good for the economy, and of course, for users too.
The pipes are like highways. Just as highways lubricate the economy and increase trade and economic growth, standardized data architecture will do the same.