Have you ever wondered why you get spammed phone calls, emails and text messages from service providers of all kinds?
Short answer: because India has not put in place a comprehensive Data Empowerment and Protection Architecture (DEPA). But there is one in the works that recognizes an individual’s right to privacy as fundamental. At any rate, that was the stated intention of the Personal Data Protection Bill (PDP), which was withdrawn after much work earlier in August this year. The official position was that it had become obsolete. Word is now circulating in political circles that a new version of this bill will be tabled in Parliament by December. Once fully implemented, all spam can stop.
So what could the new bill look like?
Conversations with people like Sharad Sharma, a volunteer at the iSPIRIT think tank, offer some insights. He suggests that we start by asking questions such as: what happens to the financial details shared with a bank after applying for a loan? Besides, what about personal health records that continue to reside in a pathology lab once your diagnoses have been made? Or just how do e-commerce companies continue to track us after we’ve visited a site?
As it stands, Sharma explains, every time you access their services, they keep a copy of our data. And there are thriving marketplaces that process this data. Simply put, people’s personal data is exchanged by third parties. This is a global problem that no one has been able to solve.
As an example, Sharma shows how most people access the Internet. More than 90% of Indians use the Chrome browser built by Google to do this. Although the browser is free, the data Chrome collects about each user is used by another division of Google to serve users with highly targeted ads. All funds generated from these ads go to Google.
“Most people turn their heads the other way and assume that maybe it’s not as bad as it gets because individual user data is anonymized,” Sharma says. This argument is extrapolated to all other areas such as finance, health, e-commerce. But the problem here, he explains, is that “if I anonymize with a lot of vigor, then the patterns in the data are adequately masked and the usefulness of that data diminishes.” It is then inevitable that smart technology will find ways to anonymize data and identify individuals.
This is why governments around the world have worked to adequately limit the amount of data an entity collects and limit it to the purpose for which they are requesting it. This is the thorny issue that the upcoming PDP Bill will address, and India’s fintech and healthcare sectors are where it will be implemented for the first time.
Once operationalized in a bank, Sharma explains, in the new scheme of things, bankers will be able to see a fully digital version of a borrower’s repayment history and any other assets that may be dispersed. This, in turn, gives them a more informed perspective than just the credit scores they know now.
What this will give them is not only a view of the borrower’s “current ability” to repay a loan, but also whether they may have the “propensity” to repay a loan in the future. And when that data is available in digital form, a lender can’t reuse it as it currently does. There is a “lens limitation”. This restriction protects a user’s privacy unlike now where data is shared and often exchanged. This, says Sharma, is because data providers will have access to “silver copies” which cannot be reused, unlike “golden versions” which can be reused.
Pilot projects have also been rolled out in the healthcare industry to track how user data is stored. Next, experiments are underway to determine if money earned from a user’s data can flow back to the user. But all this will take time because the whole ecosystem must be digitized.
Policy makers around the world will closely follow the unfolding of this Indian experiment, the largest of its kind in contemporary times.