Listen to this article:
This is the second of a two-part series explaining India’s plunge into digitising healthcare data and the ecosystem on which this is being built on, the key players involved and the set of governmental and private interests behind this push. Read the first part here.
So what if the United Nations finds that around 36.4 crore Indians are actually very poor? Or, that an otherwise upbeat World Economic Forum concludes that poor Indians will take seven generations to reach the country’s mean income level? “Indians will be data rich before they become economically rich,” believes tech billionaire Nandan Nilekani.
“To benefit from data, one must be able to access it and assert ownership over it… [they] must be allowed to obtain their data and use it any way they see fit,” the co-founder and non-executive chairperson of Infosys Limited wrote, in 2018, in a column for Foreign Affairs.
Just when the Rashtriya Swayamsevak Sangh mouthpiece Panchjanya was attacking Infosys for colluding with ‘Naxals, leftists and the tukde tukde gang’ to destabilise the nation, Nilekani’s dream could not be closer to reality, courtesy of its political wing, the ruling Bharatiya Janata Party (BJP).
This week, Prime Minister Narendra Modi announced the launch of the Ayushman Bharat Digital Health Mission for public healthcare data and earlier, on September 3, the Reserve Bank of India gave the go-ahead to expand the technology behind the mobile Unified Payments Interface into commercial lending activities. Both these platforms depend on a framework for sharing citizens’ personal data with governmental and private agencies called the Data Empowerment and Protection Architecture (DEPA).
Monitoring consent manipulation
As described in the first part of this series, while the legislation-backed Data Protection Authority (DPA) for monitoring health and other personal data is yet to take off, the influence afforded to self-regulatory industry bodies over regulating consent managers, such as the finance sector organisation Sahmati, has raised many red flags. Researchers from the Centre for Internet and Society (CIS) warn that the relation between the DPA and such self-regulatory bodies remains unclear.
In its comments to the NITI Aayog last year, the Bengaluru-based tech advocacy organisation submitted, “It is also unclear why the functions that are to be performed by the self-regulatory organisation cannot be performed by the DPA.”
Sahamati, the non-profit entity whose co-founder Siddharth Shetty worked closely with NITI Aayog in drafting the DEPA, is not the only private entity to have been granted a disproportionate sway over shaping India’s personal data management ecosystem. iSPIRT, a technology policy lobby group that was involved in designing India Stack, also appears to have been collaborating on DEPA since May 2019. Shetty, along with Kamya Chandra, who worked on the National Health Stack earlier, are senior iSPIRT ‘volunteers’ acknowledged in the NITI Aayog’s report.
iSPIRT’s involvement has raised questions of financial impropriety in the past. Several of its members having worked on governmental projects related to UIDAI’s Aadhaar and India Stack before kick-starting their own profit-making ventures which would leverage this public data infrastructure. The group’s donors include top functionaries of finance technology and e-commerce giants, such as the Flipkart-owned payments merchant PhonePe, and entrepreneur Vijay Shekhar Sharma’s Paytm, which counts the Alibaba Group, SoftBank and Berkshire Hathaway among its investors.
Apart from iSPIRT, the contributions of a digital payment providers’ collective called DICE India, and a consortium of lenders, CredAll, which represents HDFC, ICICI Bank, Axis Bank, SBI, and IDFC First Bank, among others, have also been acknowledged in the DEPA report. Other individual ‘thought leaders’ who contributed to drafting this framework include Justice B.N. Srikrishna, Arundhati Bhattacharya, and Rahul Mathan.
Justice Srikrishna headed the parliamentary committee which drafted the Personal Data Protection Bill. Bhattacharya, the former chairperson of the State Bank of India, has joined the board of directors of Reliance Industries shortly after her retirement. Mathan is a partner at the law firm Trilegal.
The DEPA story ties together a host of financial and political interests who, more often than once, have come together to decide how citizens’ personal data will be managed in India. With the range of powerful actors involved, the ideal of an informed, rational Indian deciding for herself how her data will be shared with a series of taps on her smartphone screen seems far from the reality.
Privacy, not a private matter
Academics who study consent and data sharing have termed the DEPA’s approach towards personal data as ‘privacy self-management’. This has been grafted from the North American context, based on the US health department’s Fair Information Practices, adopted in 1973, when concerns first arose over the digitisation of public records. The influential Organisation for Economic Cooperation and Development (OECD) later popularised these as the data governance norm by adopting similar guidelines in 1980. Privacy self-management, as the name suggests, argues that individuals are the best authority to decide what happens to their personal data and ought to be free to trade it for perceived benefits.
Counterintuitively, such a dated approach may prove insufficient in protecting an individual’s consent from the threat of manipulation made possible by great leaps in computational abilities since then. The National Law University, Delhi’s Sangh Rakshita and Shashank Mohan flagged these concerns when responding to the NITI Aayog’s call for public comments on the DEPA draft. The duo, who are part of the law school’s Centre for Communication Governance, argued that “data asymmetries, cognitive biases, consent fatigue, and technological advancements, such as big data analytics” may curtail an individual’s ability to know what she is sharing or exercise substantive control over her data.
Hundreds of thousands of data points about an individual may be collected over the course of her lifetime. While each of these in isolation may not reveal much, collating this information using powerful computational tools makes it possible to draw inferences about a person which she herself may not be cognisant of. This may include new information which she is not comfortable sharing. While more granular controls over what data is shared may reduce such a possibility, mandating such controls for every data exchange, paradoxically, may make the exchange even more incomprehensible and time-consuming for the layperson. In effect, it may grant an illusion of control without adding substantive safeguards for individual freedom.
Legal scholar Daniel Solove at the Washington University Law School, writes, “Privacy self-management addresses privacy in a series of isolated transactions guided by particular individuals. Privacy costs and benefits, however, are more appropriately assessed cumulatively and holistically — not merely at the individual level.”
He argues that the benefits to society for protecting privacy from encroachment by governments and private corporations extends beyond individual interests, and may form the bedrock of intellectual innovation and material progress. Substantive protections of what personal data is used for, at a societal level, and more public intervention in such spheres, may do far more to protect individual liberties than any check-box on a smartphone.
Who is DEPA really protecting?
Who owns our personal data and how its use has entered public debate recently, in the wake of several international scandals surrounding how advertisers tracking our behaviour online may put this information to use in unforeseeable ways. A British consultancy called Cambridge Analytica’s role in tilting the outcome of the hotly contested 2016 US Presidential elections, using behavioural data from five crore social media users, had first set off the alarm. In India, senior Facebook executives Shivnath Thukral and Ankhi Das have come under the scanner for favouring the BJP in the run-up to the 2014 general elections, and thereafter. Das turned in her papers, last year, after a Wall Street Journal investigation raised questions over her role as go-between for the ruling party and the social media monopoly.
DEPA’s authors seem to be aware of this churning over how personal data is used. Nandan Nilekani, whose contribution as a ‘thought leader’ has been acknowledged in the NITI Aayog’s report, has warned that the call for anti-trust measures against major technology conglomerates will force governments to rethink their relationship with data. “As they do so, they cannot afford to ignore the one country leading the way in developing a new model of how citizens relate to the Internet, a place that treats digital infrastructure as a public good and data as something that citizens deserve access to: India,” Nilekani wrote in 2018.
Creating such a public good in India, however, may not be an entirely selfless concern for the team of technocrats who have moulded the country’s personal data protection policies. The financial incentives of major private corporations interested in accessing this data have been more closely aligned with the government’s interventions from the get-go than is widely acknowledged.
Nilekani’s vision for sharing his fortune with his fellow countrymen has roped in government agencies, repeatedly, over the past decade. An ambitious public digital infrastructure to gather, store and process terabytes of personal information was proposed by a Finance Ministry committee chaired by Nilekani in 2012. This consisted of Aadhaar, the expansion of formal banking institutions, and putting smartphones with fast internet in the hands of Indian citizens.
India Stack, a number of privately developed software platforms that makes use of the UIDAI database, formed the next layer that would leverage this basic infrastructure. NITI Aayog’s DEPA framework, appears to be the final launchpad. Speaking about the Indian path to data empowerment and protection, Nilekani has displayed a keen awareness of what lies at stake in getting this mammoth public project up and running.
“What happened in the United States and Europe was that the new business models with data began after these countries were already rich… Therefore, the business models that emerged were those that used data to sell to you. So globally, in the US and Europe, advertising is a few hundred billion dollar market… In China, the advertising market is $50 billion. In India, the advertising market is just $2 billion. So clearly, those models of business… won’t work.”
While advertising companies such as Alphabet Inc., which owns the search engine Google, and the social media consortium led by Facebook may have led the charge in gathering citizens’ information for private clients in richer countries, this project would not be able to make inroads without active government support in poorer countries such as India.
For this to happen, the government’s executive actions may bypass law-making, if necessary, Nilekani has previously argued. Sprawling digital enterprises, such as UIDAI’s Aadhaar ecosystem, the Finance Ministry’s Goods and Services Tax (GST) Network, or, more recently, the Unified Payments Interface, and the National Digital Health Mission, are harder to wrap up once they have been implemented, even if the law is yet to catch up.
The launch of Ayushman Bharat’s Health IDs earlier this week is yet another chapter in the Indian story of how citizen’s personal data is being extracted. This is being done through governmental agencies but will also benefit a host of multinational private interests. The objectives of this massive data gathering project are still unclear. But what is certain is that they far exceed the immediate goals stated for each such venture.
Breaking apart data silos and linking them for new yields is not just a technical problem either — it remains connected to the turn in our economic and political sphere, over how citizens can claim rights over healthcare, education, banking, public spaces, and other civic amenities. These are also on the radar for those who have framed the DEPA. How the ordinary citizen or small-scale business enterprise will be able to benefit from this will remain hotly contested. That is another story, and it is far from over.
Sourya Majumder is an independent researcher.