Bengaluru: Internet users pay for their online services through data and, for a long time, that has been the business model of large internet companies like Google, Facebook and others. But users are becoming more aware of how data can be misused by both governments and private entities. Private internet companies such as Google and Facebook have, in the past, been pulled up by regulators in Europe, India and the US for not complying with privacy and several antitrust laws.

The US regulates internet companies through sector-specific regulations, while the EU’s General Data Protection Regulation came into force in May 2018. It approached data protection with a single-fit regulation binding on all industry segments.

India is soon expected to introduce a data protection act, and according to legal experts, the regulation will simply lay down general principles that each sector regulator will later follow. At the Mint Fintech Summit 2018, Tanuj Bhojwani, venture capitalist and core volunteer at iSpirt, pointed out how user consent could be the central part of the upcoming law in India.

At the conclave, Bhojwani presented IndiaStack’s data empowerment and protection architecture (Depa), where an internet user gets unconditional control over his personal data.

“Earlier this year, people of the world realized that the internet is not free, in the sense that you pay for the internet not with money but with your data. And this data might be information like where you visit, what you shop, and others. And at some levels, it (data) can even change the outcome of the election,” said Bhojwani.

Depa’s architecture looks at how online businesses should model their product so that user data isn’t compromised, and how businesses can lawfully access data from consenting users. In the context of the banking and fintech industry, Bhojwani explained that money does not move without consent, unless a user authenticates himself, and does not leave a bank account without explicit consent. “Why can’t that happen with user data?” he asked.

The consent mechanism under Depa specifies that user data should be open-sourced, revocable, auditable, granular and securely stored. “Unlike privacy policies today, which are over 800 words long, Depa specifies the purpose of data collection upfront in a standardized format in which you (companies) can’t lie, manipulate, cheat about what you are going to do with that data,” said Bhojwani.

“If you are a lending company, and if the user is willing to share their data such as bank statements with you, then Depa also specifies some meta details on how long the document can be shared, how long you (companies) can keep it,” added Bhojwani.

When it comes to algorithms that track and record user data, Jayanth Kolla, founder of research and consulting firm Convergence Catalyst, pointed out that early algorithms designed for artificial intelligence (AI) and machine learning (ML) required massive amounts of data to run, but that’s not the case any more.

“Going forward, AI and ML algorithms might not need that (massive amounts) of data requirement to learn and better themselves, but I believe there will be a balance that will be drawn (when it comes to data collection) and we are still in evolutionary stages,” said Kolla.
