Former chairman of the Unique Identification Authority of India (UIDAI) and architect
of the Aadhaar initiative Nandan Nilekani recently made the case for a “data inversion” policy, requiring businesses operating in India to return the data they collect to the user.1 Over several iterations of this proposal, Mr. Nilekani has argued data of Indians is at the risk of being “colonised” by big technology corporations, and data inversion can “empower” the user.2 A strong data protection framework, he suggests, would give users the right to “pull out” their data anytime. “They can choose what they want to be part of, and what they don’t.”3
Nilekani’s comments are significant because they come in the backdrop of efforts by him and other technology evangelists — both from government and the private sector — to make India a “data-rich” economy. At the launch of Reliance Industries Ltd’s digital offering ‘Jio’ early this year, its chairman Mukesh Ambani declared “data is the new oil”4, with immense potential to “bring benefit to the people”. In the same vein, Information Technology minister Ravi Shankar Prasad characterised data-driven, “digital” governance as “honest” and “transparent”.5In a country whose digital economy has been largely serviced by American and Chinese companies, the desire among policymakers and home-grown businesses to retain agency over the data produced by consumers is acute.
Nilekani’s data inversion proposal is not an altogether radical concept. As the former Infosys CEO has himself acknowledged, there is comparable legislation in the United States.6 The Dodd-Frank Wall Street Reform and Consumer Protection Act, for instance, requires financial and banking institutions to maintain data about lending practices to small businesses.7 This information has to be made available to “any member of the public” upon requests made according to statutorily prescribed procedure. The provision, which has met with controversy,8 is aimed at ensuring “fair lending” practices through closer scrutiny of potentially discriminatory terms of financing for small businesses. But it also provides fintech startups precisely the data that they need to build digital platforms that cater to local needs.
But were such a proposal to be implemented in India, would it really “empower” the user?
At the heart of the ‘data inversion’ proposal lies the expectation that users — made owners of their data — will subsequently hand it over to Indian start-ups. Indian companies today have neither the giant data sets nor the analytics capabilities needed to create technology-driven platforms in the same manner as an UBER or AirBnB, but the ready availability of user data may level the playing field. The “data inversion” proposal is driven by the same motivations as the Swadeshi movement of the early 20th century, which sought to revive the textiles industry in Bengal and other parts of India that had suffered on account of Britain’s surging exports to its biggest colony and market. Then, cotton mills in Manchester and Lancashire had taken advantage of rising market demand in India, supplying products that were acknowledged to be imitations of Indian methods of dyeing and printing.9Unlike textiles however, data is a “non-rivalrous” resource. A swadeshi data movement would not involve any boycott of foreign digital services: to the contrary, companies based outside India too will benefit from gaining access to a larger pool of user data in the country.
Key to harvesting such data would be the ready availability of Application Programming Interfaces (APIs) upon which Indian companies can build their digital platforms. The current suite of APIs developed by the iSpirt foundation — collectively called India Stack — already hosts several tools that developers can integrate into their platforms. For instance, state and central government departments as well as major Indian businesses have already absorbed the “Aadhaar eKYC” API to digitally verify their consumers without seeking physical copies of identification documents. The eKYC API allows a business to build a software platform that taps into the Aadhaar database (with the user’s consent) to extract authentic details about her date of birth, address of residence etc, in the process removing the need to reinvent the wheel and spend lakhs of rupees in building a customer database. Similarly, the Unified Payments Interface - another API developed by the volunteer-driven iSpirit — allows businesses to create digital markers beyond just banking address to effect instantaneous transfers of money. These markers may be Aadhaar numbers, specially created UPI addresses, or just phone numbers. That platforms developed in Silicon Valley, like WhatsApp and Uber, have begun to integrate UPI-driven payments in their products is an indications that APIs developed in India can offer competitive tools for global markets.10
If India Stack currently hosts “first-generation” APIs that run on the back of large, government databases like Aadhaar, its progression into a more diverse set of tools for businesses and public agencies will be driven by developers’ access to richer data sets. The Aadhaar platform provides barebones information for personal identification, and it would neither be prudent — on account of security reasons — nor desirable to link it to other sensitive, tertiary information about a citizen such as her health records. The Indian government is the custodian of vast troves of data about its population, but until such time there is a cohesive effort to digitise this data and protect it with appropriate safeguards, software developers will have to rely on information provided by users on their existing apps. If the user were to be the “owner” of data provided to large technology companies based abroad, it is likely she will provide it to Indian app developers that can provide targeted, locally relevant services (weather patterns, mandi rates for perishable goods, public transportation timings etc). In some cases, the user may be legally required to provide this information in return for governance benefits.
This process of transmission of data — either de novo information or data that has been “returned” by other platforms — from the user to Indian digital platforms arguably marks the genesis of a swadeshi data movement. In some respects, this process has already begun with the widespread adoption of Aadhaar-enabled platforms, which allow the user to authenticate her private transactions through data shared with the government.
The availability of data for Indian companies to innovate for local needs is of course a positive development, but in the absence of a clear data protection regime, the jury is still out on the role of the citizen in this movement. In other words: what determines the success of a home-grown data movement? Is it driven by the technological innovations and bottom-lines of Indian businesses? Is another key metric the ability of governments in India to provide digital governance services at affordable cost to citizens? Or is it also the ability of Indian users to retain agency over their data, and determine precisely what can be shared with companies and government agencies?
The Supreme Court of India in its landmark ruling on the ‘right to privacy’ in August 2017 directly addressed the question of the user’s agency over her data. The verdict — which affirmed the existence of a fundamental right to privacy — acknowledged that the “state may have justifiable reasons for the storage and collection of data” but also held that Indian data laws should protect the “autonomy” of the individual or the user.11 The Court cited with approval the “privacy principles” outlined by the 2012 report submitted to the Planning Commission by a Group of Experts led by Justice A.P. Shah. These principles underline statutory limitations on data collection and access by state and non-state actors to users’ data, as well as the importance of consent in collecting and sharing data with third parties. Some of these principles have already been absorbed, albeit in a rudimentary form, in the data protection guidelines crafted under the Information Technology Act, 2008.
But for a swadeshi movement to make India a data-rich economy to succeed, the user should be more than just the passive recipient of e-governance services or innovative digital platforms. The Indian user should play a crucial and autonomous role in determining the kind of data that is shared with the government and the private sector. Often, individuals - especially first generation internet users - agree to share their data with apps and services without understanding or being informed about the exact purposes to which such data may be deployed. The Supreme Court’s recent judgement has rightly acknowledged the “centrality” of user consent, but the Indian government should go beyond consent- or permissions-based approaches in its national data protection framework. Faced with better awareness of the nature and functions of digital platforms they interact with, Indian users can make informed choices about the data they share. This in turn would spur the creation of digital products and services that address a consumer-driven demand or need. It would avoid the problem of all-pervasive collection of data, which often results in unchecked or illegal surveillance, cyber security vulnerabilities and data leakages.
The autonomy of the Indian user in digital spaces should be protected by the state through a legal framework that addresses three distinct relationships: user-government, user-private sector, and government-private sector. Of these three interactions, Indian law — through policies such as The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 — currently accounts for the collection of data by mobile applications and services, but does so in very broad terms that essentially allow companies to gather and share information they determine to be relevant to their products’ functionalities.12 The user’s consent, in such a scenario, is made perfunctory. A growing, global body of research suggests that the permissions-based model of data sharing with digital applications does little to illuminate users’ understanding of privacy and indeed, the nature of the apps themselves.13
Regulators in other jurisdictions have challenged the concept of “binary, one-time” consent given that “unprecedented amounts of personal information are collected by, and shared among, a myriad of often invisible players who use it for a host of purposes, both existing and not yet conceived of.”14 The risk of users not sharing relevant information is also real, as research suggests many will simply reject requests to access data if they are unaware of the context in which personal information is share with an app.15 The user-private sector engagement in India must take into account the unique requirements of the online population and address how the user can retain agency over the sharing and collection of her data based on the context.
Meanwhile, the relationship between the Indian government and the digital citizen is mediated by statutes like the UIDAI Act which place limits on the sharing of sensitive and biometric information. Nevertheless, this legal framework does not account for the linking of Aadhaar information to tertiary public and private databases that may be vulnerable to leaks or cyber attacks. There are also few statutory mechanisms that ensure the state’s accountability on policies around Aadhaar linkages with other government welfare programs.
Finally, there are no regulatory mechanisms currently in place to evaluate data sharing between public agencies and businesses across digital platforms. The UIDAI Act admittedly includes penal provisions for the misuse of biometric information by the private sector, but as businesses tap into public databases to provide digital platforms that deal with healthcare, transportation and education, the automated sharing of such information must be carefully scrutinised for corporate misuse. Calls for an “open data” policy in India are not new, but they must be calibrated to ensure that the user is not marginalised in choices around collection and sharing of personal information.
A national data movement — one that encourages the free flow of information across public and private platforms, thereby providing opportunities for both to create innovative digital products — can only be sustained with the user at its centre. The user must not only be made aware of the information collected from devices and platforms, but also the implications of such data sharing for her privacy. A swadeshi movement must distinguish itself from the deterministic ethos of Silicon Valley, which seeks to design and impose technologies on communities for the ostensible purpose of solving their social and economic malaises. India’s data revolution must instead be driven by contextual, local language platforms that respect both the needs and rights of the user.
1 Nandan Nilekani, “Why India needs to be a data democracy”, July 27, 2017, Livemint, http://www.livemint.com/Opinion/gm1MNTytiT3zRqxt1dXbhK/Why-India-needs-to-be-a-data-democracy.html
2 “Need law where data collected is shared back with users: Nilekani”, The Hindu Business Line, July 22, 2017, http://www.thehindubusinessline.com/info-tech/need-law-where-data-collected-is-shared-back-with-users-nilekani/article9784813.ece
3 Supra n.1
4 “Mukesh Ambani says data is new oil for fourth industrial revolution”, The Economic Times, February 15, 2017 economictimes.indiatimes.com/articleshow/57173843.cms
5 “Digital India Summit 2017: ‘Data is the new oil’; data important for new policy formulation, says Ravi Shankar Prasad”, Financial Express, March 23, 2017 http://www.financialexpress.com/industry/digital-india-summit-2017-data-is-the-new-oil-data-important-for-new-policy-formulation-says-ravi-shankar-prasad/599220/
6 “Who Owns Personal Data: Technology and Policy Frameworks”, Aug 17, 2017, https://www.youtube.com/watch?v=mwC1kjaWV6g&feature=youtu.be&utm_content=buffer1798b&utm_medium=social&utm_source= twitter.com&utm_campaign=buffer
7 Section 1071, “Small Business Data Collection”,The Dodd–Frank Wall Street Reform and Consumer Protection Act (Pub.L. 111–203, H.R. 4173) http://www.dodd-frank-act.us/Dodd_Frank_Act_Text_Section_1071.html
8 “The CFPB Wants Data On Small Business Loans. Bankers Are Outraged”, Forbes, May 29, 2017, https://www.forbes.com/sites/robbmandelbaum/2017/05/29/the-cfpb-wants-data-on-small-business-loans-bankers-are-outraged/2
9 Prasannan Parthasarathi, “The European Response to Indian Cottons” http://www.lse.ac.uk/economicHistory/Research/GEHN/GEHNPDF/PUNEParthasarathi.pdf
10 Arun Mohan Sukumar, “WhatsApp’s Integration of UPI-Based Payments Has Strategic Consequences for India’s Digital Economy”, August 9, 2017, The Wire, https://thewire.in/165881/whatsapp-upi-bhim-digital-economy/
11 Justice K.S. Puttaswamy (Retd.) &And v. Union of India & Ors., Writ Petition (Civil) No. 494 of 2012, para.181
12 Rule 3, The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011http://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf
13 Max Van Kleek, Ilaria Liccardi, Reuben Binns, Jun Zhao, Daniel J. Weitzner and Nigel Shadbolt,
“Better the Devil You Know: Exposing the Data Sharing Practices of Smartphone Apps”, http://people.csail.mit.edu/ilaria/papers/CHI2017.pdf
14 Office of the Privacy Commissioner of Canada , “Consent and privacy: A discussion paper exploring potential enhancements to consent under the Personal Information Protection and Electronic Documents Act”, May 2016, https://www.priv.gc.ca/media/1806/consent_201605_e.pdf
15Primal Wijesekera, Arjun Baokar, Ashkan Hosseini, Serge Egelman, David Wagner, and Konstantin Beznosov, “Android Permissions Remystified: A Field Study on Contextual Integrity”, September 2015, https://www.ftc.gov/system/files/documents/public_comments/2015/09/00013-97595.pdf
(Arun Mohan Sukumar is Head, ORF Cyber Security and Internet Governance Initiative.)
(This article is carried in the print edition of September-October 2017 issue of India Foundation Journal.)