Lessons From EU’s Data Regulation: India’s Data Policy Must Not Kill Ease Of Doing Business

While testifying before lawmakers from the European Union (EU), Facebook’s Mark Zuckerberg faced questions about his social platform. Blaming Facebook for the death of a young boy who was a victim of cyber-bullying, one of the lawmakers emphasised how little Zuckerberg had done to prevent hate speech and bullying online. Another lawmaker saw the ideal solution in breaking down Facebook’s monopoly as the single largest social network.

Given that the platform encompasses the virtual interests of 2.2 billion people across the globe, is it fair to attribute a death that was a result of an interaction personal in nature, to the platform? Using the same logic, can authorities in the United States (US) blame McDonald’s, KFC, or Burger King for the prevailing obesity?

After the Cambridge Analytica episode surfaced, it has become harder to have a sensible debate around data policy. Attributing the victory of Donald Trump to social media manipulation, people have not only overestimated the potential of data-oriented digital networks, but also questioned the right of small, medium, and large businesses, across the world, to grow by inculcating user data in their operations.

In India, the Aadhaar programme has been at the receiving end of such hysteria. People with vested interests have confused Aadhaar for a surveillance programme by the Indian government. While the government has been aggressive in its pursuit of having Aadhaar as the sole identity requirement for an array of services, they have faced stiff resistance in its implementation on multiple fronts, including the Supreme Court.

Read More: How To Protect The Online Privacy Of 500 Million Indians

Irrespective of the fact that Aadhaar has helped the government in its programme of financial inclusion, public distribution services, and elimination of leaks that existed in the supply chain of subsidised products like urea, sceptics, much like the German lawmaker, choose to view Aadhaar as the enemy of individual privacy.

While constructing India’s data policy, lawmakers must take into account the resistance they have faced themselves while implementing Aadhaar. Data, as a by-product of operations and usage, is indispensable to the enhancement of any business. For instance, one cannot expect Uber to improvise on its supply against an increased demand if it does not have data in advance. Similarly, for online utility startups to serve their customers better, data mining is essential. However, how do governments and data regulators get businesses to comply with rules and regulations that prevent exploitation of user data?

The EU’s General Data Protection Regulation (GDPR) solves this problem to some extent. By inculcating data minimisation, they now warrant service providers to collect only data that is essential to the service being offered. Thus, a cab company has no business asking for one’s date of birth, occupation, or even saved destinations. A food ordering app can no longer ask for one’s health vitals unless they are looking to process their data to curate customised menu options for them.

However, this approach can work against the scalability of a business. For instance, most virtual retail stores, apps, and other services are now using targeted advertising to reach out to potential clients. For a small- or medium-sized industry in India looking to operate across a city or state, having to choose what data they can collect could lead to problems in scalability, advertising, and improving quality of services. In the long run, it could lead to a serious dent in revenues for many ventures.

Targeted advertising has now become the subject of an elaborate debate among experts. Is it legal for an online store to show ads related to what a user searched for on a different platform? Can one’s Amazon search history reflect in one’s Instagram feed via ads? Clearly, there is no one right answer to this question, for every user would view the perils or perks of a customised user interface differently. Hence, India’s data policy must offer users the freedom to opt out of targeted advertising for a specific business. Lawmakers cannot have the final word when it comes to the nature of interaction between a business and their users.

India’s data policy must take cues from the GDPR, but without following it blindly. Even though India exceeds the EU in the number of internet users, the existing digital infrastructure, number of virtual startups, and prevailing literacy about data privacy warrant a flexible data policy that takes both user and business interests into account.

For starters, the data policy must censor the transfer of user data outside India while encouraging inter-state data transfer. For instance, the government, in collaboration with private players, can use data mined via programmes linked to Aadhaar in one state to improve services in another. However, there must be laws against the likes of Walmart, Amazon, and Uber when it comes to transferring the data of users in India outside the country.

The data policy must have a place for commercial fairness and equality. Corporations, irrespective of their size or strength, must be governed by the same data protection and privacy laws. However, to not alienate local, small, medium, or state companies operating online, the penalties or fines imposed must be divided into slabs. The bigger the company size, the greater is the responsibility, and even greater penalties must follow. This is not about punishing the leader in the market, but making an example of them when it comes to accountability. As a nation of 500 million internet users in 2018, the government of India can surely afford to tighten the straps around data.

In their meeting with Zuckerberg, EU lawmakers were quite vocal in their demand for a segmented Facebook – that is, without Messenger, WhatsApp, or Instagram. However, breaking down a bigger social, retail, or any online platform will only lead to more pockets of user data. While monopoly of one platform may stifle competition, breaking it down is no solution either, for it will only enhance its vulnerability. Instead, these platforms must be governed by regulations, as the EU has done.

Another solution lies in having an independent rating agency for service providers that employ user data for their services. From Uber to a local grocery store in Lucknow, each and every online service provider must be rated for its handling of user data and relevant data protection practices. The ratings can be based on verified feedback provided by users, audits by data experts and agencies, and even a data ministry in the future.

For India, which shall follow China in having a billion internet users in the 2020s, a thriving data policy is indispensable. In their approach, the government of India must be considerate of user and commercial interests, and their objectives, given that the “Jan Dhan, Aadhaar, Mobile” trinity are integral to digital inclusion in rural India.

Implementing the ‘CAT’ combination, the policy must allow for ‘control’ of data by users and ensure ‘accountability’ of the platforms operating in India and ‘transparency’ in all data transactions. The government’s pursuit of privacy and data protection must not come at the cost of ease of doing business.

Regulate the medium. Don’t constrain it.

This is the second of a three-part article on data protection and privacy laws in the context of EU's GDPR.