A significant part of our #NAMAprivacy session on data collection was dedicated to the kind of approach businesses should take if there was data misuse and the implications of the same. Mrinal Sinha, chief operating officer at MobiKwik, wanted harsh punitive action on companies which cause harm due to data misuse. “The moment you find any sort of misdemeanor, you need to come down so heavy on them that it acts as a deterrent for anybody else doing it,” he said.
Sinha was against overregulation on data collection as it could potentially kill future use cases for businesses.
“I would err more on the side of better implementation rather than regulation. That’s where we are more effective and that’s where we are weak. There’s a reason why I am saying that: all the ways that data can be misused, no regulator even knows about it. Nor can around 80% of the use cases get together and say ‘these are the ways that data can be misused let’s create regulation around it.’ I think the human mind is highly creative and people who want to misuse it can misuse it in a lot of ways. So to figure out proactively the ways that data can be misused and create regulations around it, that’s not a good way for things to proceed and is self-defeating,” he said.
Sinha also pointed to overregulation in the microfinance sector, which virtually killed the industry. MobiKwik is also looking to build credit profiles of its users and introduce credit to them as well. “Another type of data we are reading is financial data on what sort of EMIs people are paying because a lot of people who access MobiKwik have lower income and do not have CIBIL scores and this allows us to introduce credit for them,” he said.
Kushan Mitra, Managing Editor, Digital Coordination and New Projects at The Pioneer, however, countered Sinha and pointed out that online cab hailing company Uber had been violating many data collection rules – pointing out that they were tracking users even after the app was uninstalled – but the only difference here was that they were caught. “Uber has been playing around with permissions and tracking phones, and this is a fairly well-known company, and there are smaller apps and I use an iPhone for the same reason where there is a greater level of app security. What do you do then? You said come down hard. What if an app is cheating and does not get caught? Uber just happened to get caught. I’m sure there have been other instances where people have been taking data and not gotten caught. What do you do then?”
Process-based regulation?
Aditya Berlia of the Svrán Group later pointed out that there are a lot of industries which actually demand regulation. “To a very simple point, if the liability if you lose someone’s data and you do harm which is huge and potentially cost you millions of dollars. There is an argument to go for what a lot of pharmaceutical companies are going for and what the oil and gas companies are going to the government and saying ‘look we want a process-based regulation where you set in a process for us to follow, we will follow this process and we will certify this process. If we follow this process and any outcome which is harmful we will not be held liable because we followed the process.’ And for a lot of industries this is a very calming influence where you have removed liability.”
Prashant Singh countered this idea by saying that “It’s always an incumbent who wants regulation, as this is a barrier [to entry in a market]. Incumbent players with lobbies get regulation.”
Rights-based approach versus a rules-based approach
Sinha pointed out how the way people think about certain data changes over time: “At a certain point in time, people treated location data – this was 6-7 years ago – as sacrosanct. People said that users shouldn’t give data even if they consent to it. If that had continued, an Uber would not exist. This is a country where public transportation no government has been able to solve it. The point I’m trying to make is that if you put too many punitive and strictures around data, you will prevent genuine problems from being solved.”
To this, Malavika Raghavan from the IFMR Finance Foundation said that there needs to be a principles-based approach, rather than a prescriptive case-by-case approach: “And this is why examples are terrible in any discussion, where every example will have a counter example. So you need to move a level up to a principles-based approach.”
“There are two parts of policy, or any legal model. One is that regulations need to be set up on a principle-based level, and supervision needs to take place in order to ensure that there are no bad guys acting against the rules. And finally let people play in an ecosystem. There is an assumption that things operate in a vacuum and people assume that transactions happen in a market with no society around it.”
Essentially we need to set the floor on personal data and what can be done and what can’t be done around it.
“So when it comes to setting the rules of the game, I do think about the ex-ante [approach] where you need to think about the harms for the consumer. So this would address if Uber charges a consumer and then you need to see if they broke the rule or not. Instead we can have a principle that you don’t charge the consumer in a way which would burden them financially. This is a principle where you need to say that consumers should not be charged exorbitant fees and beyond that they can play however they want.”
“So part of the problem is that we need to figure out ex-ante what are the harms we don’t want. And what kind of data collection that leads to that harm. And therefore find out what kind of data practices we are not okay with.”
She explained that her work in financial inclusion showed that due to information asymmetry, people at the bottom of the pyramid should not have to give up their privacy to access technology.
“We wandered into this space, and we all know that roughly 70% of Indians live in villages and make less than Rs 10,000 a month. And there’s this big digital initiative to reach out to them. Personally, I would say that the adoption of digital is not high. Transaction data of digital transaction shows that there was an uptick after demonetization and we know that it has gone down again. Most apps are targeting the upwardly mobile people in tier 1 cities. So if 70% of our compatriots are accessing this technology, [we need to think about] what needs to be in place to protect them. Because, [people in this room] can take a hit when a transaction goes bad and we are down, say, Rs 1000 for three days while the complaint settles, but what happens when you’re operating on a thinner margin,” she explained.
Incentive alignment for rights-based approach
However, Prashant Singh, a product manager at Paytm, pointed out that businesses face issues in taking the rights-based approach, which might often clash with the interests of the business.
“I mean it’s very simple to finger point on big business. So today, I handed out 10 business cards. Now these guys can send me a LinkedIn invite and add me on Facebook and follow me on Twitter as well. They can also start sending me SMS as well.
“When an industry is nascent, it’s easy to take an absolute principles-based approach but who will take lead when the principles need to be changed. Even the Constitution has provisions for revisions, right? Often the ideological people can afford to be ideological because they have no stake in the game. What if my adherence to good data policy will lead me to losing my customer. The background location tracking of Uber – when your battery is low – has a clear and well-defined user benefit when you load the app, it doesn’t take long to define your location and find the nearest cab to you,” Singh opined.
Raghavan countered saying that principles mean principles and not specifics. “So I agree with the point that this is not what a business is supposed to do. And it shouldn’t be because the incentives are not aligned. And that’s the job of regulation. So we both agree but from different perspectives. And that’s why I think that we need a principles-based approach. Principles mean principles and not specifics. Specifics need to evolve for each industry and each data type. So the kind of principle you take when it comes to proxies or data,” she added.
She pointed out an intersection of data collection when it comes to health information. “So when you say a principle on data collection, it will vary from industry to industry. So I might not care that Burger King knows that I like Coke with my burger, right? But I might care that my health insurer knows that I have six burgers a day,” she added.
Do we get data stewards in companies?
Jochai Ben-Avie, Senior Global Policy Manager at Mozilla, said that in addition to the “do no harm” principle, businesses should also consider “No surprises” as a data principle.
“I think you need to have people in every team who look at the data being collected and for which the purpose for which consent was given. Mozilla has a number of data stewards where every engineering team has someone who is on point to look at those data collection and processing decisions who works closely with our compliance and legal teams,” Ben-Avie said.
“So when we all sit down – whether it is the engineers, policy staff, legal staff and compliance staff – and look at these data collection decisions and decide what is the user benefit here and what is the business benefit. It’s okay if there are differences sometimes but we ought to make sure that they are pretty close to each other and you have a strong user benefit story behind every data collection exercise that you can tell. I think when you have that, it’s really not difficult to tell the user in a transparent way that this is the data we want to collect and this is how we are going to do it and why we’re doing it,” he argued.
Hitesh Oberoi, CEO of Info Edge, agreed with Ben-Avie. “People at the top may not know what is happening when it comes to data collection. Maybe it is a good idea where every company has a designated data person who is well versed in data protection policy and what changes are there. Like in a public company, where you have a company secretary and where the person is also responsible for the department of company affairs,” he said.
Updates: Malavika Raghavan sent in slight modifications to what she said, to provide greater specificity, and this post has been updated to reflect that.
The #NAMAprivacy conference was supported by Google, Facebook and Microsoft.