In this episode of Virtuoso, listen to a conversation between NS Ramnath and Rahul Matthan, a partner at TriLegal.
Matthan has been working on a data protection law since 2011. He recently published a discussion paper at think tank Takshashila Institution, offering a new model for data protection that’s based on rights and accountability.
In this episode, he talks about
- Why India needs a data protection law: He says, the time is ripe. We already have a good draft law. Though, looking for an ideal solution that fits all views is futile. All stakeholders need to come together and agree to a less than ideal framework.
- The need for global consistency in data protection: Because today there is free movement of data across national borders.
- The complexities around data localisation: There’s a need for balance in the debate on data localisation as well. “India is going to have to recognise that in some circumstances, having data in India is efficient. In some circumstances, it is highly inefficient,” Matthan says. “And we’ve got to allow data to go where it needs to go in the most efficient way.”
- The trade-offs between innovation and privacy: It’s a trade-off that is happening across the world. It’s very hard to fully understand the unintended consequences of any innovation, or disruption. And in this lies the trade-off. As companies became more and more digitised, they have to be more cognizant of the privacy issues. And India is being thrust into a world where there are going to be very stringent privacy restrictions.
- Why regulatory sandbox may be the way to go: It’s very difficult for lawmakers to fully understand all the unintended consequences. A regulatory sandbox is a sort of playground, where they can test out a policy and its impact at various levels.
- Matthan’s recommendations: The people and entities to follow for a better understanding of what’s changing at the intersection of technology, law and society.
Founding Fuel: Do you think that India will pass the data protection law this year in 2019?
Rahul Matthan: I sincerely hope so. I first started working on a data protection law in 2011. It's 2019. It has taken eight years, and we haven't got a law. But more than any time in the past seven or eight years, the time, I think, is right now for a data protection law. We've come back from a very bruising battle on both sides, around the right to privacy as well as Aadhaar and there’s heightened sensitivity around the need for privacy.
What’s more, we actually have a draft, which even though is not without its controversy, or without disagreements, is a good draft, and at least to a large percentage, that is a draft that we could pass into law.
FF: What factors are driving it? And what are the opposing forces that you see?
RM: I think that the big factor driving it is the right to privacy judgment where they clearly say that there needs to be a privacy law. And that's exaggerated by all the issues around Aadhaar where a lot of the question marks on Aadhaar was that it was conceived and implemented outside our framework of privacy.
Some people would even argue that had there been a privacy law, a lot of the issues that have come up around Aadhaar may not have been there. Or at least, if they were there, we would have had a framework within which to question what the government was doing or what other players were doing.
What would work against it are the fact that everyone — there are many stakeholders, and people are constantly looking for an ideal solution that fits their particular view of the universe. And until all the stakeholders can come together and agree to a less than ideal framework, we're never going to get a consensus.
Without consensus it can still go through. But there will be a lot of detractors saying that this is not the best kind of thing. But, I don't believe that we can come up with a solution that perfectly addresses all the concerns of everyone. And so whatever the final shape this law will take, it will have to be some sort of a compromise.
FF: But given that the law is expected to set a global standard — GDPR impacted tech companies across the world — and I'm sure whatever law India comes up with will also have a global impact. And it also needs to set or comply with a global standard. You just mentioned how difficult it is to get even a national consensus. To what extent will the local factors — India's own history, including that of Aadhaar, economic factors, cultural issues — would drive the law itself? How do they balance that? On the one hand, it has to be of global standard. On the other hand, you have all these local constraints.
RM: I don't know if there’s a perfect formula by which we can balance it. Everything that you said is absolutely accurate. There is a need for global consistency in data protection, because today, we are talking about the free movement of data across national borders. Now, as a result of that, you can't have inconsistent treatment of data in different places because that just leads to huge complexities in even managing it.
So, on the one hand, there is that need and GDPR seems to achieve that, by making everyone who interacts with the European Union comply with the standard. That's the way they look to achieve it. And since we're a globally hugely interconnected world, chances are more and more people will say, ‘look, it's better to adopt a higher standard already’. We’re seeing a lot of countries, states — California has passed a law, which is very similar to GDPR, a lot of people are coming up changing their laws to make that the highest standard.
But at the same time, there are strong cultural reasons and historical reasons why nation states might want to chart a slightly different path for their citizens. In India, we’re seeing a lot of discussion around the whole concept of data localisation. That is stemming from the feeling that some of the big tech companies or some of the international players have access to data and keep it in a remote place that law enforcement can’t get access to. And law enforcement says, ‘we want access to that because it pertains to our people’. So this is the classic example of a local issue.
And in this, I think it's important for everyone to be sensitive about what the real challenges are. International companies need to be sensitive about the fact that there is a need for law enforcement to get access to this. And law enforcement can’t just do a fishing expedition asking for generic data and ask for more specific data.
In India, they do these things, and it’s only in various circumstances that they object. But when they go outside the country, if these large tech companies will say, look, we’re not going to comply with and you can’t make us comply, of course, then there’s a push and pull. I think that we’ve got an intermediate solution to solve this problem. Law enforcement is probably more pointed in its requests, big tech companies will be more forthcoming with parting with the information. And at the end of the day, India is going to recognise that in some circumstances, having data in India is efficient. In some circumstances, it is highly inefficient. And we’ve got to allow data to go where it needs to go in the most efficient way.
So, it doesn’t benefit anyone to have multiple servers in every place that they are established. In some cases it does. So if you are Netflix or Amazon Prime in serving movies, you need to be close to where the people are watching the movies. In other cases, if your Google Maps or TomTom that’s serving map information, you want to be processing those map requests in one place. To do that in multiple places is highly inefficient. So to come up with a sledgehammer and say, all data must be local, is not solving any problem. It’s just flexing muscles. That’s got to stop. I think that’s the balance.
FF: Is there anything that we can learn from China? China seems to be flexing its muscles, because of economic or political reasons. And when people talk about India’s data protection law, they usually refer to GDPR, and not so much laws and other countries, including China.
RM: To me, no. I think China is a completely different type of country. China built its tech industry domestically. They built large replicas of what the rest of the world used, but focused entirely on China. We’ve never done that. We’re much more global and much more open and constantly doing things that other countries do. There’s a strong cross-pollination. Our film industry copies heavily from Hollywood. And now vice versa. So that’s the way it is. It’s a big crossover culture. And we’ve never been built with these big firewalls. So I don’t think that model naturally fits us.
The Srikrishna Committee [which submitted its report on data protection in July 2018] actually considered four different models — three different models and suggested the fourth. One was the US [model], which is reasonably laissez faire, where big corporations are allowed to pretty much do what they want with data. And the restriction is more on the government to see that the government does misuse data. GDPR is different. GDPR focuses on the big corporations, saying that they need to be more sensitive about the data. China is very much focused on 'the state is right, and the state can look out for the interests of its citizens. And so if the state needs to take your personal information, it's fine. We are doing it to protect you.’
And Justice Srikrishna committee wanted to tread a different path. To the best of my knowledge, the only difference I can see is it’s GDPR-focused with localisation. And those sorts of norms. Not necessarily sure that’s the correct way. I think GDPR is a leapfrog that India should not be making. Europe gave the GDPR after 40 years of working with data protection, regulations, building up their protection infrastructure. India has none of that. So, to leapfrog directly into that, the problem with the leapfrogging is that for the people who gradually got on the road [over] 30 or 40 years, they built a culture and an understanding of what it takes to work in this world where there are privacy restrictions, as well as tech innovations and things like that are happening.
For us to parachute directly into that highly regulated sphere is going to be very, very difficult, because we’re not equipped with all the learnings that come over time. And so, sometimes we will be very poorly equipped to deal with what the regulations asked us. I think we've got to agree with them that we've got to chart a fourth path. But I disagree with the path that they have spelt out.
FF: In what way?
RM: Because this GDPR is a prescriptive law. And it works very well for an economy in a jurisdiction that has been doing this for some time. We will struggle in India, to even get the infrastructure that is capable of dealing with this. I mean, data is everywhere today. So there isn't a single business that we interact with, that isn't touched by data in some area. And that is not how Europe was when they started on this journey. They gradually got to the point where we all are and so their regulations evolved over the past 10 years. As companies became more and more digitised, they realised they have to be more and more cognizant of the privacy issues. India has got to this point. And now it is being thrust into a world where there are going to be very stringent privacy restrictions. And everyone says that we’ve got to come up to speed quickly. It’s easier said than done. So we want to find a path that will allow us to get there easier.
FF: So the trade-off between innovations and privacy. Where will India find it difficult to move towards — innovation or privacy?
RM: As far as this is concerned, I actually think we’ve got a very good advantage. And this is the leapfrog advantage. There is a disadvantage to leapfrog, which is you don’t have the learned experience. The advantage is you’re not tainted by any of the baggage that comes. On your point about the trade-off between innovation and privacy, that is a trade-off that is happening in every part of the world. In the most advanced parts of the world, as well as in parts of the world where people are just about coming to understand what technology can do for them. And it's a trade-off that will continue for as long as we try to innovate.
Innovation and disruption are by definition rocking the boat, changing the equilibrium, shifting the balance, and you can’t do any of those things without impacting an entire ecosystem. As much as you may think that the direct objective of the innovation is a particular thing, which is good for everyone, it’s very hard to fully understand that by the time that you do it, what the unintended consequences of that innovation, or that disruption could be. And in this lies the trade-off.
So we either learn instantly, or we take the effort to understand what the unintended consequences are, in which case, you have to make a trade-off between the good that you want to achieve and how to mitigate the hump that will result. Very often, it’s very hard to do before you launch something and so you launch it and you run it for some time. And then you realise that this advertisement engine that you built, it can actually be misused by people who are looking to sabotage an election. It’s impossible to think so far, hey, this is what would happen.
So, what I think we need to do, and this is generally around the world, and I will come to India in a bit, is we’ve got to be constantly mindful of the fact that every innovation that we do, is likely to have good and bad consequences. And so long as we are aware that this is the case, and agile enough to be able to rapidly adjust our technology or adjust our innovation or adjust our policy, whichever level we’ve got, use it to reorient ourselves in the correct direction. That’s when we will be successful in innovation.
Why India I think is going to actually benefit from this is because, at least at this point in time, India has the benefit of seeing the mistakes that everyone else is making. We’ve historically been in this position, we’ve leapfrogged landline communication with mobile communication. We’ve been able to — maybe because we have lagged behind a little bit — been able to leapfrog by taking advantage of all the learned experiences of other nations. And perhaps creating a framework which is better, unencumbered by the baggage of the past.
So if you’ve been doing something for a long time, it’s actually harder to change. If we are now parachuted into this new place, we can chart a different path entirely. So I think if we are smart, we can actually get the better balance between innovation and privacy, than a lot of other countries that will struggle to get that balance just because of the path dependence that they've been on for so long.
FF: One of the ways to look at the purpose of the law is, it’s to draw the lines around innovation so that it doesn't harm people. Would that be a good way to look at it?
FF: And because of technology, we don't know where exactly to draw that line and so it’s hard for lawmakers, and it puts them in some kind of a dark room.
RM: It does.
We’ve got to rethink policymaking in the technology context. The impact of regulations today can instantly be felt across a much larger catchment of people, just given the nature of technology. And as much as you may have good intentions, it’s very difficult for lawmakers to fully understand all the unintended consequences. So the lines that you say we need to draw, [it’s] very difficult to draw it accurately.
One solution that is being experimented with, particularly in the financial services world, is this concept of regulatory sandbox. It’s a sort of a playground, where the regulator says, look, for a limited period of time, for limited jurisdiction of a limited number of people, I will relax the law, or I will change the law so that you’re given some benefit, or you have some ability to do certain things. And we’ll see for a six month period how it works. If it does work, well, then we’ll say okay, let’s make this law permanent. If it doesn’t work, well, we’ll change it or will say, look, we need to add a little more regulation here and there.
We can only do this with tech, because the only way a regulatory sandbox will work is if you’ve got accurate metrics of the impact. So if it’s a larger sort of social impact legislation, of course, you can do it. But you’ve got to be very aware of the need to measure, and measure a wide range of parameters. It’s no point measuring just the immediate parameter with it, because it is the unintended consequences that you’ve got to measure. And with a policy that focuses on tech, it should theoretically be possible to gather every relevant metric. And then in hindsight, analyse that to say ‘this is the direct consequence. But how does it skew other behaviours’? So that’s an interesting thing.
FF: It's a randomised trial for regulation.
RM: Sort of like a clinical trial for a drug. Hopefully, it works in a similar way here. Many regulators around the world are trying it. It’s not the be all and end all. Also, just because you’ve got a regulatory sandbox, if you haven’t efficiently worked it, you’re not going to surface all the issues. So it’s a tool. And I think, to answer your question, if they are in a dark room, when they’re thinking of drawing these lines, this is at least like a candle to let them figure out, this is some additional things that we’ve got to learn. And I think that’s something that regulators really should think about.
FF: Do you think that the draft that India is working on will have space for such regulatory sandboxes?
RM: I don't know if we need to look at this only in the context of the privacy bill. When I worked on the RBI committee for household finance, that committee report recommended regulatory sandboxes in the context of household finance, and so in the context of all of the four financial sector regulators, and I think that we will be able to implement this in pockets. So, different ministries could potentially pick it up. TRAI [the Telecom Regulatory Authority of India] or DOT [Department of Telecommunications] can pick it up in the telecom context.
Let’s say, we want to do cell phones and Wi-Fi in airplane, which is something that we’re about to do now. We try it out, try it on, and not just test to see if the planes are going to fall out of the sky, which I would imagine that the technology would solve, but the other implications there. Is network congestion happening, is there a disturbance to passengers, are there other unintended consequences and the sorts of things that we should probably test for a little while. Before we do that this is a really extreme example, because it is fairly elitist. It’s only for those who are flying, but there could be many other sectors that can try these things. And, I would say, anywhere where you can gather a large amount of data to validate whether all the unintended consequences are addressed. And do it scientifically. So if you’ve got a long enough period of time to be able to test it properly, those are the things that we will need to do.
FF: Can you recommend three names that we should follow? To get a sense of what's happening at the intersection of law and technology and society?
RM: Sure. The one civil society organisation that has been working on these issues for a really long time in India, is probably Centre for Internet Society. So CIS is a really good place to pick up a lot of these issues that are coming up, They’ve been around for such a long time that they actually have a lot of history. And that’s really important in properly understanding these issues. So, Sunil Abraham is a good person to follow.
Pranesh Prakash is no longer with CIS but his writings are also good to follow. The team at CIS and probably the handle itself is a good place to pick up these sorts of things.
The other people that I try and follow are the folks at Dvara Research, formerly IFMR on financial inclusion, who are thinking around those sorts of issues, because I think that's an important perspective that sometimes gets lost. Malavika Raghavan tends to pick up these sorts of issues from financial perspective.
And internationally, there are a number of people who I look to, to get insights into this new tech that I think is a really important way to speed up on what is changing around the world. And the person who I have always got value out of is Kevin Kelly, former editor of Wired magazine. He surfaces some of the most interesting viewpoints on what is happening around the world with tech. He has written several fabulous books, each of which are really worth reading. That’s a voice that is worth following as well.