There are concerns over India’s digital public infrastructure and the role of self-regulatory organizations like the National Payments Corporation of India (NPCI). In particular that these entities, lacking oversight, could become “Alt Big Tech,” potentially harming users and stifling innovation. While these organizations are privately operated, function under regulatory supervision and could represent a new model for governing modern techno-legal ecosystems.
A reflection on the tech policy developments in India during 2022. While my initial predictions about data protection laws and tech sector reforms didn’t unfold as expected, there have been positive strides in India’s digital public infrastructure, like the UPI payment system and Account Aggregator ecosystem. India’s upcoming G20 presidency could further spotlight its techno-legal approach to regulation.
As India prepares for its G20 presidency, the focus on its Digital Public Infrastructure gains momentum. India’s DPI, built on open, interoperable principles, offers a new approach to data governance that benefits both developing and developed economies. It aims for equitable data use, empowering individuals and enabling market innovation.
Larry Fink, Chairman of BlackRock has based on the Western response to Russia and the rapid termination of business with the country, declared that globalization is over. These events highlight the existing global interdependencies and vulnerabilities, prompting calls for reevaluation and redesign of global financial infrastructure. And ultimately a shift towards self-reliance.
Francis Fukuyama coined the term “vetocracy” to describe a gridlocked decision-making system where individuals can prevent policy implementation through vetoes. But while the physical world may suffer from excessive vetocracy, the digital sphere often leans towards autocracy. We need a balance between these two extremes and that is even more important in the context of India’s digital infrastructure. Vetocratic processes can be used to protect core principles, while maintaining flexibility to foster innovation.
The design of digital data sharing infrastructure must be federated. Where there is a need for data availability beyond the duration that data fiduciaries will retain it we need to build data storage alternatives that data principals can use. We should resist the temptation of getting the government to build these data stores as a public good because the role of the government is to govern - and it should not get into the business of data storage and data management. Instead we should take a market approach and encourage private data storage providers to offer federated, inter-operable solutions.
The reason why email is the most widely used messaging protocol is because it uses an open interoperable protocol that allows messages to be exchanged freely regardless of the underlying operating system. If we are to take advantage of the benefits of data we need to enable open interoperable protocols that will break down the silos of our digital infrastructure.
A number of countries have realised that they need to extend their data protection frameworks through new measures that will unlock data silos in order to make it easier for data to flow from one entity to another with the permission of the data subject. However, if these measures are adopted solely through legislation they will fail. Technology businesses must be regulated through a mixture of law and technology - strong principle based laws and protocol based technology guardrails to ensure compliance.
The proliferation of micro-entrepreneurs in India has been enabled by India’s radically unbundled e-commerce ecosystem. However, given the expansive wording of the new Consumer Protection (E-Commerce) Rules, the flourishing of this important ecosystem is threatened as the platforms enabling these entrepreneurs will have to comply with so many obligations as to make their operations commercially infeasible.
The DEPA framework encodes most of the privacy principles that run through most privacy regulations into the framework of data transfers. However, while it solves the questions of notice, consent and purpose limitation, once the data is in the possession of the transferee, the traditional DEPA framework has no control over what is subsequently done with it. This means that it will no address issues of use restriction, data minimisation and retention limitation. If we can integrate into the traditional DEPA framework the concept of Confidential Clean Rooms we should be able to address these remaining privacy principles as well.
