Smart Regulation

There is a growing recognition of the fact that we can use technology tools to make our regulations smarter. There are 2 categories of tools to do this. The first gives users more control over what can be done with their data by placing data in pods and only allowing them to be accessed in accordance with the privacy management protocols. The second unlocks data silos allowing data to move between them with the consent of the user. While these tools seem contradictory they operate at opposite ends of the data spectrum can can be combined to augment statutory frameworks.

This article was first published in The Mint. You can read the original at this link.


In my book Privacy 3.0, I had suggested that we are entering the third age of privacy—a period in which increasingly stringent privacy regulations could, if we are not careful, deprive us of some benefits that data has to offer. Since the time of its publication, a number of countries seem to have come to similar conclusions, recognizing that unless they can come up with a better solution for protecting personal privacy, they will never be able to unlock the value inherent in personal data.

The EU, whose General Data Protection Regulation (GDPR) is widely recognized as today’s gold standard for privacy regulation, has tacitly acknowledged the need for additional techno-legal solutions that data subjects can use to better control their data. The European Data Strategy, adopted in February 2020, states that individuals should be given tools so they can take control of their data and decide, at a granular level, what is to be done with it. This strategy is going to be implemented through the enactment of the EU Data Governance Act, which will establish “common data spaces" that will, through the combination of technical infrastructure and governance rules, make data more widely available for use in society while ensuring that entities which generate it remain in effective control of it.

Australia, for its part, has launched its Consumer Data Rights (CDR) initiative, aimed at ensuring that citizens have greater access to their own data, allowing them to obtain this data in a usable form so that they can direct it to be securely transferred to trusted third parties. The first implementation of the CDR has been in the country’s banking sector, where granular data transfers between participant banks have been made possible through a centrally-defined protocol. Similarly, India’s implementation of the Data Empowerment and Protection Architecture (DEPA) in the financial sector (with the launch of the Account Aggregator framework), offers tools through which users can more effectively manage the flow of their personal financial data.

Types of Tools

While there are clearly a number of different normative technologies being developed to make existing data protection regulations “smarter”, they all fall into two broad categories.

The first provides data subjects with tools they can use to manage personal data right from the moment it is created, thus allowing them to determine how it is subsequently shared to the point of even controlling how insights generated from this data are used. Examples of this approach include the Solid project (promoted by Sir Tim Berners-Lee) and the MyData model of human-centric design.

Both these sets of tools operate on data from before it is collected, granting individuals full control over the data’s entire life-cycle and giving them tools with which to manage its creation, storage and use as well as to control its flow between different data controllers. However, in order for these tools to proliferate, they need to be widely adopted by such a large enough number of users that data controllers are convinced of the necessity to implement these protocols into their offerings.

Tools in the second category are designed to unlock personal data already under the control of data controllers operating in different sectors of the economy, so that the data they control can be securely transferred to others with the consent of users. Australia’s CDR and India’s DEPA frameworks are examples of this, offering users technology tools through which data sharing has, to start with, already been implemented in the financial services sector.

While there are several differences between the Indian and Australian frameworks, broadly speaking, tools in this category operate on the data silos, unlocking data that has already been collected by making it easy to transfer it to other entities with the required consent. For this approach to have a substantial impact, these frameworks need to be adopted by institutions that control data. This might seem daunting, except that when that happens, the benefits of safe and convenient data sharing would be unlocked for all customers of participant entities.

Compatibility

On the face of it, these two approaches may seem contradictory, given how they focus on opposite ends of the data spectrum. However, closer examination suggests that they are not mutually incompatible. With so much data already stored in silos that are effectively beyond the ability of individuals to control, we need a DEPA-like approach to unlock that data for the benefit of the consumer. Absent such an intervention, users will be unable to utilize their data that has already been aggregated in sectors such as finance and health or generated in the process of their interactions with these companies.

At the same time, tools like Solid are necessary to implement personal data stores in which newly created data can be managed so that the information contained within them can be more effectively used without detrimentally affecting personal privacy. In time these tools will also help manage data that is uniquely generated by individuals.

No technology can, of itself, deliver the data-driven future I had written about in my book. As promising as these tools are, they need to derive their legitimacy from privacy principles embedded in the law. At the same time, laws alone are incapable of delivering the level of data governance required in a world increasingly dependent on data. They need to be augmented by technology solutions that are compatible with statutory frameworks.

We need to combine normative technologies with smart regulations in order to develop sustainable solutions for governance. Thankfully, we have more than just a few options to choose from.