Data subject first
We have a design choice to make: Are we going to place the data subject at the centre of our new privacy framework?
In America, in the early 1800s, you could only get credit with familiarity. If you were a regular customer, traders knew your business and the reputation of your family, and on that basis were happy to extend you credit. However, thanks to galloping urbanization, there was a rapid influx of strangers into cities, and traders were forced to start dealing with people they didn’t know.
It was into this milieu that Lewis Tappan, a Massachusetts businessman better known for his role in freeing the African slaves on the Amistad, introduced a new business model that would so radically transform the way in which businesses operated, that its repercussions are felt to this day.
As a strict Calvinist, Lewis Tappan used to insist on transacting in cash, following the Biblical strictures against charging interest. As a result, he lost a lot of money and, after a few poorly timed investments in woollen and cotton mills left him bankrupt, he decided to adopt a more flexible, secular approach.
Even so, whenever he extended credit, Tappan kept detailed records of his customers and their credit-worthiness. So accurate were his records that his fellow merchants began to turn to him for advice before extending credit to their customers.
Tappan spotted a business opportunity and started to sell his credit ratings. As business began to grow, he used his abolitionist connections across the country and built a network of correspondents tasked with generating up-to-date, comprehensive records of people in their communities. By 1845, his firm, The Mercantile Agency, had offices in Baltimore, Boston and Philadelphia, and businesses all over New England were using his credit reports to extend credit to people they’d never met. Others quickly jumped on to the bandwagon and, before long, the business of credit reporting was booming. In order to stand out among the competition, credit rating businesses began to collect information that, while not directly financially relevant, were nevertheless indicative of their ability to pay. For instance, married men were considered to be responsible and therefore more likely to repay debts, while an injury or a medical condition suggested a diminished ability to work and represented a greater credit risk. In time, rating agencies started to include hearsay and opinions into their reports in their desire to provide a more wholesome picture of the person. Credit rating agencies today control some of the most detailed databases of personal information, having built deeply personal profiles of individuals and businesses that affect your ability to obtain a loan, buy a house or get a job.
Tappan had to make a fundamental design choice when he first set up his business. On the one hand, he could organize it so that he issued individuals a certificate representing his endorsement of their credit rating. This would have allowed the person to secure credit by just displaying the certificate to whoever they did business with and, more importantly, would have kept personal information within the control of the individual to whom it pertained. On the other hand, he had the option of creating a directory in which he recorded the credit score of every person he had assessed, selling it to businesses who could refer to the book before extending credit to strangers.
We might never know why he chose the latter model, but he did and, from that point onwards, personal information has been treated as a commodity controlled by intermediaries who collect, process and present it in ways that are beyond the ability of the individual to whom it relates, to influence. This has resulted in an acute data asymmetry between data collectors and the data subjects that has only been exacerbated with the advent of networked computer databases and powerful search algorithms.
India has never really had a significant credit rating business. Until relatively recently, trade took place based on informal trust—a system that has worked surprisingly well even as businesses scaled. But with globalization and computerization, things have changed. We are, today, as dependent on personal data in this country as anywhere else on the planet.
What is different is that India is only just beginning to formulate, for the first time in its history, a full fledged privacy legislation for the country. We are faced, today, with much the same design choice that Lewis Tappan was confronted with over two centuries ago. In response, we can either focus our regulations on the information collectors and intermediaries, defensively prescribing greater and more specific restrictions on what they can or cannot do—or we can place individuals at the centre of the data ecosystem empowering them fully to determine how their data should be used.
Blessed as we are with the benefit of hindsight, I hope the government sees fit to do the latter.
Rahul Matthan is a partner at Trilegal. Ex Machina is a column on technology, law and everything in between. His Twitter handle is @matthan
Editor's Picks »
- NCLT allows extension of the deadline to evaluate bidders of Mandhana Industries
- Smart Cities Mission is too project-based and lacks integrated vision: Report
- West Bengal chief minister Mamata Banerjee cancels China visit
- Chai Point expects aggressive growth in its vending machines business
- Symphony to buy out Climate Technologies