
SECURING PRIVACY WITHOUT MONOPOLY IN INDIA: JUXTAPOSING INTEROPERABILITY WITH INDIAN DATA PROTECTION

Cory Doctorow, Dhruv Jain, Kshitij Goyal, Sarthak Wadhwa


Abstract


The privacy harms of internet market concentration are extensive and well documented, and interoperability can help alleviate the competition crisis by allowing small competitors to take on larger dominant companies. However, despite the potential for transforming the digital landscape with a new range of data-driven products and services, interoperability may also create new risks to user privacy and data security. With tech giants monopolizing data collected over years of market dominance, the ‘privacy paradox’ of allowing new and untested third parties has diverted the interoperability debate away from a user-centric privacy-preserving policy regime. As the tech companies are looking South-ward to capture ‘the next billion’ users, it is imperative that any policy of digital competition and data protection accounts for the unique circumstances of the Global South. In this piece, we seek to reignite the debate on privacy and interoperability for the Global South, and specifically India, by – first, contrasting the Indian experience with data protection with the European GDPR; second, determining the scope and guiding principles of interoperability for the region; and, third, locating these guiding principles in the Indian constitutional jurisprudence and industry practices – to, finally, conclude how interoperability tools can provide India with de facto platform regulations in the backdrop of a forthcoming consumer data protection legislation.



Introduction


Internet market concentration is among the most important tech policy issues of our time, and we believe that interoperability can help alleviate the competition crisis in tech. Increasing interoperability between dominant companies and their smaller competitors fosters greater choice for their users, improving the quality of their online lives by facilitating deliberate online identities and freedom of expression. A crucial collateral benefit of interoperability and competition is their potential to improve user privacy. The privacy harms of the tech monopolies are extensive and well-documented. Competition gives the users more power to decide how their information is shared and with whom: users can “vote with their feet” to move to different services when one is not sufficiently respectful of their privacy, and chip away at the multifaceted surveillance networks that a handful of large companies operate. Contrary to major platforms’ assurances, we cannot trust dominant companies to act as unilateral stewards of user privacy. To the extent that companies have to worry about users taking their business elsewhere (especially if users have low switching costs), they will be pressured to be better stewards.


A new regime of interoperability can revitalize competition in online services, encourage innovation, and allow users to exercise more agency over the collection and processing of their data. Interoperability also allows users and the toolsmiths who serve them to alter their digital tools so they suit their own use cases, something that’s especially important for users who are not given due consideration by firms when they design their products and services. Interoperability offers a range of self-help remedies to these users, who can directly alter the functioning of their technology rather than petitioning a distant corporation to take consideration of their equities.


Notwithstanding all of these benefits, interoperability may also create new risks to user privacy and data security. The problems of corporate concentration and privacy on the Internet are inextricably linked. Despite a chorus of voices calling for governments to intervene and rein in the tech giants’ power, there is less consensus on how exactly that should be done to address the current problems without causing new ones. After all, more interoperability also means companies have new ways to share and collect personal information. This is an argument that the tech monopolies have themselves presented in defence of their behaviour, and as part of a promise to behave better in the future. As Mark Zuckerberg told the U.S. Congress, “It's not enough to just connect people, we have to make sure that those connections are positive.”


This presents a paradox: market concentration is central to the privacy crisis online, but the path to more competition creates new risks to privacy. One response could be to give up the fight, accept Facebook, Apple, Google, et al. as the best-placed defenders of personal privacy, and regulate them into that role on a presumed permanent basis.[1] However, our goal is to present a better alternative, one that doesn’t deputize notoriously abusive monopolists to act as a private arm of the state. We can and should have both competition and privacy, and users should be able to enjoy the many other benefits of interoperability as well. We treat the risks to user safety and security with appropriate gravity, and argue for a user-centric interoperability policy regime that goes hand-in-hand with privacy. A previous post for the Electronic Frontier Foundation considers these risks, and argues that they are outweighed by the benefits of interoperability viz. access, innovation, and more competitive digital markets. In our opinion, new interoperability can create a new benefit for user privacy rights - both in the Global North and the Global South.


Interoperability and the Global South


In the aforesaid post for the Electronic Frontier Foundation, we primarily dealt with interoperability as a policy tool, and how to bolster interoperability with consumer privacy laws; an appendix addresses how this combination would play out in the context of the EU and its General Data Protection Directive (GDPR). But there are more internet users in the Global South than in North America and Europe. Those users are heavily dependent on US-based tech monopolists such as Facebook and Google (as well as their Chinese rivals), and US tech giants have focused their growth strategies on signing up “the next billion users” from poorer countries that lag the wealthy world in internet penetration. In contrast with the Global North, however, the nascent Indian discourse on privacy and data protection foresees more fundamental issues than competitive interoperability.


US-based tech giants are frank about their desire to dominate the digital lives of ‘the next billion.’ In some ways, these designs are no different from the way that tech giants have treated their users in wealthy, industrial nations - rich or poor, north or south, Big Tech would like to capture, control, and define the digital existence of us all. But there are key differences between tech giants’ subjugation of users from wealthy, industrialized nations and their dominance of the peoples of the global south. Tech firms are frank in their view of the opportunity presented by these users: the chance to make ‘the internet’ synonymous with their company and its products. Facebook has aggressively courted tie-ups with mobile phone companies and ISPs (Internet Service Providers) in developing nations for its “Free Basics” scheme, in which it offers a subsidy to a telecommunications operator in exchange for preferential network treatment for Facebook and Facebook-selected services, usually in the form of exempting Facebook services from customers’ data caps. Facebook claims that this network discrimination is benign and offers access to economically disadvantaged users who might otherwise ration their internet access, but the research is clear that the primary users of these subsidies are affluent professionals who become habituated to using Facebook and the services it includes in its zero-tariff package. Not coincidentally, those users are also highly prized by the advertisers on whom Facebook relies for its revenues.


This claim can also be supported by WhatsApp’s differential privacy protection standards for users in Europe and users in the Global South. In January 2021, WhatsApp released a new privacy policy for its non-European users. It aimed to change how WhatsApp would process data of its users across jurisdictions. It would be pertinent for us to have a brief look at how WhatsApp treated the users differently. Users of WhatsApp in Europe could opt out of the new privacy policy changes without the fear of losing their account. Users’ data would not be shared with Facebook for the purposes of improved targeted ads. This is mainly because of the existing stringent laws – the General Data Protection Regulation (‘GDPR’), which obliges service providers to collect only essential information necessary to provide services. This regulation protects EU users from being coerced into having their data collected and processed; the same privilege is not extended to non-European users. This difference in the treatment of users in India mainly arises from the lack of data protection legislation that could effectively protect the rights of the users.


With no consumer privacy legislation in force, an application was clubbed with the ongoing Karmanya Singh Sareen v. UOI (‘Karmanya Singh’) that challenged the aforementioned WhatsApp privacy policy. This time, the application argued that WhatsApp is offering different standards of privacy protection to the European and non-European users. The application is still pending before the Supreme Court of India. One of the issues that the Court undertook for consideration was “whether a privacy policy should have specific ‘opt-out’ provisions without the user having to ‘opt-out’ of the application in totality? In this case, whether WhatsApp is obligated to provide a specific option of ‘Not to share data’ with Facebook?” The Court is supposed to deliver a judgment in the matter in April 2023.


The recently re-drafted Digital Personal Data Protection Bill, 2022 (‘DPDP Bill’), published by the Union Ministry of Electronics and Information Technology (‘MeitY’), can provide some insight into how the WhatsApp privacy policy is perceived by the government. In an ‘itemized notice,’ which outlines the nature of the personal data sought and the intended use for which it will be processed, Section 6 of the DPDP Bill envisages obtaining the data principal’s prior consent. The data fiduciary can only access such personal data with the data principal's consent, according to Section 7 of the DPDP Bill. A potential weakness in this proposal is that consent may be either express or inferred, according to “the circumstances.” If express consent is given, it must be unambiguous, legally binding, and made available to the data principal in the event that access is sought as per Section 7(3) of the DPDP Bill. Additionally, according to Section 7(4) of the DPDP Bill, the data principal reserves the right to revoke its consent at any time, in which case the data fiduciary shall stop processing the personal data. As per the proposed Bill 2022, once the original purpose for collection has been fulfilled or the retention is no longer required, Section 9(6) of the proposed Bill contemplates erasing personal data. This means that personal data shall not be kept for any longer than is required, in addition to the data principals' (already indicated) right of withdrawal. The right to be deleted is acknowledged as both an obligation on data fiduciaries and a separate right on the part of data principals under Section 9(6) and 13(1) of the proposed Bill respectively. So, the new privacy policy of WhatsApp will be in violation of several provisions of the DPDP Bill if it does not provide the non-European users (Indian users) with the option to opt out of their data being shared with Facebook.


However, no positive mandate to facilitate data portability is envisaged in the DPDP Bill, 2022. The right to data portability enabled the data principal to obtain all personal data they had given to the data fiduciary and information the data fiduciary generated about them while processing it to deliver its services in a structured format. By giving data principals a wider range of platforms, this increased consumer welfare by fostering competition among data fiduciaries. For instance, the data principal may ask for the transfer of their data to another social networking platform if they were displeased with the one they were presently using and use that platform's services without having to re-enter all of their personal data. So, the right to data portability should have been included in the DPDP Bill, 2022.


India’s response to the questions in Karmanya Singh highlights several issues that the State may have with the way Big Tech is evolving in the country. First, there is the matter of agency. Facebook, Apple, and Google are notoriously indifferent to their users’ interests, but in those rare instances where the companies do modify their policies in response to user uprisings, the users in question are almost always wealthy people from wealthy countries. That means that while all users suffer when platforms make mistakes, users from the Global South are less likely to get relief from the platforms when they petition for redress.


The inability to get companies to take your complaints seriously is bad enough on its own, but this situation is exacerbated by the gap between the experiences of users in the global south and the experiences of the technologists, designers, and product managers who have the final say in how dominant tech platforms’ tools will work. When the person designing your digital tools lives in a radically different built environment, speaks a different language, comes from a different culture, is unfamiliar with your faith traditions, works under a completely different political system, shares few or none of your dietary preferences, and enjoys a material standard of living (including reliable infrastructure and utility services) unlike your own, that person is bound to create tools that are not fully suited to your purposes. The fact that users in the global south have needs that are poorly met by digital tools, multiplied by the fact that those users are worst situated to convince tech giants to change those tools, creates a strong case for interoperability.


“Nothing about us without us” is a bedrock of policymaking. While it has its origins in 16th century Polish Constitutional debates, where it served as a demand that rulers be accountable to the governed, it has expanded to become a rallying cry of marginalized groups who feel that they are being regulated without consultation or agency, from indigenous groups in the US and Canada to disability rights groups round the world. It’s a demand that the users of systems, services, and products be included in their design and management. This ethos is not the sole purview of people with disabilities - everyone who’s ever had a tool imposed on them without their guidance or consent intuitively understands that they know their needs better than anyone.