3 min read.Updated: 27 Mar 2021, 11:52 AM ISTSushant Kumar
The consultative process for the personal data protection bill, intermediary liability, ecommerce rules and the report on non-personal data have played critical roles in advancing both scholarship and practical ideas
Over the past few months, many of us have been part of various WhatsApp group debates about migrating to platforms that provide better privacy. The root of these concerns lies in new terms of service circulated by WhatsApp, informing users that data about chats with business accounts would be shared with Facebook. These policies seemed unfair to India as they were not applicable to the European Union (EU), given their strong data protection WhatsApp has provided clarifications regarding the nature of data sharing and reaffirmed its commitment to privacy, backed by an extensive media campaign.
Whatever the outcome, it is clear that existing ideas about acceptable levels of data exchange are being challenged. Default norms provide power to the tech platforms to collect, analyse and monetize data with complete control. This undergirds business models that seem undesirable for society—with harms to privacy and free speech. Increasingly, users are aware of risks and are not shy of taking their business elsewhere. Global discussions about alternatives to the “exchange of data for free services" are becoming nuanced. The discourse in India is mature, and we are not just accepting global norms in data governance but actively challenging and shaping them as they emerge.
Norms are the fundamental beliefs and ideas that guide conformity to a set of behaviours by people, governments and businesses. For example, in the early decades of their evolution, the automotive and aviation sectors were not regulated. Over decades, norms about safety emerged and were internalized through regulatory institutions and processes. For data governance, we are living through the decades when norms and ideas related to society’s relationship with data have started emerging. Overall, there are three norms in data governance that can move the needle on catalysing better societal outcomes.
First, the recognition of individual and collective rights related to data has seen a foundational shift in framing. Data was seen as the property of the collector—the tech platforms. It was generally accepted that extraction of data to access free services was a fair exchange with individuals. Emergence of existential threats related to privacy and democracy have highlighted the role of guaranteeing human and civil rights. There has been significant global progress through regulations on individual data rights. A United Nations Conference on Trade and Development (UNCTAD) report claims that 128 of 194 countries have put in place legislations for data protection and privacy. However, this protection is insufficient as it is centered on individuals and does not account for safety of groups. Data about one individual can provide deep insights about behaviors of another individual in related groups, without their knowledge or consent. This can lead to collective harms, especially for vulnerable communities. The next wave of data governance ideas will seek to protect collective harms and build on the foundation of individual agency and control.
Second, one-size-fits all global norms of data governance are making way for ideas nuanced for each region. Greater acceptance for “data sovereignty" assertions across India and Europe is a welcome shift towards crafting governance that is respectful of local nuances and inclusive of civic participation. Further, the role of each country’s constitution, institutions, and state capacity will have appropriate weightage. The EU general data protection regulation (GDPR) had created an early lighthouse example. On the other hand, the US has adopted a light regulation approach—there is no comprehensive country-wide data protection law, rather a mosaic of sector-specific and state-specific laws that govern data. Closer home, India is finalizing the contours of a country-wide and cross-sector personal data protection bill, which reflects local norms.
Third, anchoring of data economy on private profits at the expense of public value is under scrutiny. So far, data economy has operated in a completely unregulated space, creating a “winner takes all" market, with concentrated profits and little contribution to local taxes. A healthy economy requires value creation for all stakeholders. As tech platforms take up the profitable role of acting as the gateway to all information and social connections, they have a greater accountability and responsibility to contribute to the economy. India’s digital tax through the 2% “equalization levy" is an attempt to make the tech giants pay for revenues earned in India.
India is marching in step with the world in fostering a rich debate around new ideas for data governance. The consultative process for the personal data protection bill, intermediary liability, ecommerce rules and the report on non-personal data have played critical roles in advancing both scholarship and practical ideas. Formal adoption of regulations and setting up of enforcement institutions will lead to meaningful progress in the right direction. Eventually, we hope the arc bends towards an equitable data economy, which works fairly for everyone.
(Sushant Kumar is principal at Omidyar Network India.)