
Regulation With a Light Touch

Data protection regulation should not stifle innovation. Instead, it should focus on empowering users through information.

This is the third post in our Brainstorm discussion on ‘The Future of Data Protection in India’. Earlier posts: Intro, 1, 2.

This brainstorm on data protection asks some fundamental questions. How does a data protection law impact individuals? How does it impact entities managing the data? How can the law be framed in terms of principles to remain relevant in the face of ever-changing technologies? I will leave the last part to the more seasoned lawyers in this brainstorming group. Also, I would add another important actor that we need protection from – the government.

The previous two pieces in this brainstorm highlight important points. Malavika Raghavan reminds us not to limit our thinking to the top tier of the data-consuming audience but also think of “the 67% of Indian households that earn less than Rs 10,000 a month, share a phone among family members, and be first-time users of data-driven services and the internet.” For example, if law enforcement gets a warrant to tap a phone that belongs to a person, then should they be bound to redact conversations that happen when another family member uses the same phone? I would say, yes. The new scenarios that come up by considering many different user profiles eventually benefit all of us.

Rahul Matthan goes beyond consent with a key assumption that a user mostly doesn’t know what he has consented to. He presents a strong focus on protecting users from any harm. The onus of the harm, as he points out, should be on the providers. I would, however, disagree with his suggestion of a new layer of auditors called the learned intermediaries. Addition of such heavy regulation in a sunrise industry would stifle innovation. This is a global world. Imagine how this would disadvantage Indian startups vs US-based startups that would simply make their services unavailable in India. Once some of those startups become big, they would create special versions of their products available in India that are subject to Indian regulation. We get the eventual winners and will no longer be a laboratory where new experiments compete. In the process, we lose out on nurturing the next generation of businesses that will evolve in this data-rich world.

The drone industry is instructive. India simply banned all drones as soon as a few examples of businesses trying innovative services using drones emerged. Now the government is trying to figure out how to slowly open the space. Contrast this with the US, where sensible regulation that is easy to comply with was put in place immediately. And this is a country that has seen a major terrorist attack that used an airplane. Risk mitigation and innovation are both important goals that need to be balanced.

Rahul does make an important point about how end-user license agreements (EULAs) are completely useless and no one can read them to make an informed decision about using the service. I have a suggestion on this count. Segregate the rights that are being asked from a user and the liabilities being protected by the company. The rights that a user is giving up (consent in other words) should be right at the top and numbered. This list won’t be too big and will be comprehensible. The dense liability protection portion can follow.

We also need to mandate some sensible defaults in agreements and in applications too. Data should be private by default and not public. Right to be forgotten should be implicit in an account deletion request. User-generated content should belong to the user by default. A service should be able to request a non-exclusive license of a user’s content but anything more should require a proper contract. And selling personally identifiable information (like email and phone) should require case-by-case consent. Or, if that is unworkable, perhaps a report that a user can see on how her data is being used so that consent can be withdrawn if needed. Lastly, data portability should always be possible.

While we have a lot of focus on application providers, internet service providers (ISPs) and telcos need special handling. Device makers and operating system providers fall in the same category. These are entities that have access to all user activity irrespective of which applications are being used. The recent data theft by OnePlus is a case in point. All such providers should be explicitly prohibited from logging or inspecting any data packets. Law enforcement agencies must require a warrant similar to a house search warrant before they can request such data and must be made to pay for the cost that a provider incurs for the same. Currently, India has a policy of data retention that is the antithesis of privacy.

While we can mandate a lot of safeguards on providers, the reality is that as data becomes precious it will get stolen. Hence, reporting of data breaches must be made mandatory. This will allow users to take some corrective action. Unfortunately, this won’t help when a service, like Aadhaar, is using biometrics since you can’t really change or revoke them.

As the world becomes increasingly digital, we can’t wish away the need for users to become more aware of privacy and data protection concerns. No regulation will be able to take away the need for an informed citizenry. I would propose that any data regulator’s key role should be awareness and education. The Securities and Exchange Board of India (SEBI) takes on the mantle of investor education and awareness pretty seriously. We need a data regulator with even more zeal on this count.

About the author

Saurabh Chandra

Saurabh Chandra is a co-founder at Ati Motors, an autonomous vehicle start-up, and a faculty fellow at The Takshashila Institution.