We must create regulation for data protection not from an ivory tower, but after understanding what the individuals affected by it want.
This is the first post in our Brainstorm discussion on ‘The Future of Data Protection in India’. Read the intro post here.
On Monday this week, I was on a street corner in a lower-income neighbourhood in Chennai talking to Shanthi*, who runs a tiny shop there with her husband. “No, no,” she said confidently. “My bank would never share our information with anyone else. It is a public bank, the manager knows us, and we have taken loans before. We trust him, he will keep our records safely…” she trailed off. Shanthi is one of the people we spoke to for a small, qualitative study to understand consumer awareness and perceptions on data protection. The study is on-going, but exchanges like this are already highlighting implicit expectations and concerns that people have about how their information is treated.
The post kicking off this discussion asks many questions about the form and substance of a future data protection law. I believe any regulatory navel-gazing in India should be preceded and firmly grounded in a real-world understanding of the impact on and concerns of individuals that such a law seeks to address. How much are we thinking about the awareness, expectations and concerns that our people have about the use of their data?
I worry that we are developing a blind spot at an important moment for law-making in this area, one that fails to see the wide spectrum of Indians using information and communications technology (ICT). They are not the smartphone-wielding, app-devouring, multiplex-audience-style poster children of modern middle-class India. They are the ones reduced to attractive statistics on slides about the growth of the Indian ‘market’. These Indians form our real mainstream—likely to be part of one of the 67% of Indian households that earn less than Rs 10,000 a month, share a phone among family members, and be first-time users of data-driven services and the internet.
We do not yet have reliable and consistent data and analysis on the impact of ICT access of Indians. A few official sources have begun painting a picture for us, including the Telecom Regulatory Authority of India’s data and reports on telecom usage, new fields in NSSO surveys and the Census on computer, mobile and internet usage, together with reports from independent organisations like PRICE. But we need more data and in-depth analysis of this data to understand what it is telling us about the dynamics of ICT access in the country. There is a real need to measure the digital divides like the urban-rural, age or gender divide to build regulation that is mindful of these factors.
For instance, sources indicate that although 79% of Indian women use mobile phones, only 20% of them own a phone. Wouldn’t this be important information to consider when thinking about direct consent-from-mobile style regulatory requirements? What alternatives can we design once we have knowledge of this problem? In short, we need to commission more qualitative and quantitative research to base our policy decisions on.
And we need to begin now. While we wait for large datasets to form, existing surveys and qualitative insight must be used to get at what Indians care about when it comes to their own personal information. During my recent time on the field, I was struck by the lexicon people deployed in conversation. In Tamil people spoke about trust (“nambikai”) in their banks or the government who held their information. They believed this information would receive protection (“paadhagaapu”) and be treated with responsibility (“poruppu”). Some reflected in mostly good humour on the annoyance (“thollai”) of telemarketing, and more seriously on vulnerability or harms (“baadhippu”) connected to misuse of their details like phone numbers or account information.
We are yet to synthesise insights from other interviews across the country, but to me, it showed varying levels of awareness and understanding about how information is collected and stored by providers. People instinctively seem to have implicit expectations about the safety when their personal details are collected, and are concerned about harms from misuse of their information. We must take cues from these insights and marry them with the strong academic work that is emerging from regulatory thinkers on data protection regulations around the world. In our case, we have used this to call for a system of user data rights, which builds on existing regulatory thinking around users’ reasonable expectations use as well as the harms that they want to avoid when their data is used.
These user data rights (say, for example, a right to opt out of data collection) would result in rules that govern the obligations of a provider in each scenario, from collection to use to retention/destruction. Such an approach could also allow us to avoid making law that regulates technology as it is today rather than as it will be in the future. This could help us form a more timeless principles-based law that regulates companies, whose data practices and processes must be in line with expectations of users around safety and control, and avoid resulting in harms to users (like financial loss, discrimination or identity theft). If it is guided by a well-designed liability framework that works with the full range of regulatory incentives and penalties, we could have a real shot at meaningful data protection in India.
But that is jumping ahead in the conversation. Even a perfectly regulated space would be meaningless if it was not built on the real experiences of Indians engaging with the telecom, internet and data revolution in our country. This is not a bleeding-heart question. It is an analytical one that must be answered with rigour to build a coherent and legitimate law. It would be a great disservice to the millions of resourceful and adaptive citizens of this country if we do not ask them the right questions and listen keenly to their views before we take policy positions on data protection.
* Name changed to protect privacy. Part of a small study in four Indian geographies using human-centred design tools conducted together with Dalberg Design.