Securing Privacy without Monopoly in India: Juxtaposing Interoperability With Indian Data Protection

-Cory Doctorow, Dhruv Jain, Kshitij Goyal, Sarthak Wadhwa*

Abstract

The privacy harms of internet market concentration are extensive and well documented, and interoperability can help alleviate the competition crisis by allowing small competitors to take on larger dominant companies. However, despite the potential for transforming the digital landscape with a new range of data-driven products and services, interoperability may also create new risks to user privacy and data security. With tech giants monopolizing data collected over years of market dominance, the ‘privacy paradox’ of allowing new and untested third-parties has diverted the interoperability debate away from a user-centric privacy-preserving policy regime. As the tech companies are looking South-ward to capture ‘the next billion’ users, it is imperative that any policy of digital competition and data protection policy accounts for the unique circumstances of the Global South. In this piece, we seek to reignite the debate on privacy and interoperability for the Global South, and specifically India, by – first, contrasting the Indian experience with data protection with the European GDPR; second, determining the scope and guiding principles of interoperability for the region; and, third, locating these guiding principles in the Indian constitutional jurisprudence and industry practices – to, finally, conclude how interoperability tools can provide India with de facto platform regulations in the backdrop of a forthcoming consumer data protection legislation.

Introduction

Internet market concentration is among the most important tech policy issues of our time, and we believe that interoperability can help alleviate the competition crisis in tech. Increasing interoperability between dominant companies and their smaller competitors fosters greater choice for their users, improving the quality of their online lives by facilitating deliberate online identities and freedom of expression. A crucial collateral benefit of interoperability and competition is their potential to improve user privacy. The privacy harms of the tech monopolies are extensive and well-documented. Competition gives the users more power to decide how their information is shared and with whom: users can “vote with their feet” to move to different services when one is not sufficiently respectful of their privacy, and chip away at the multifaceted surveillance networks that a handful of large companies operate. Contrary to major platforms’ assurances, we cannot trust dominant companies to act as unilateral stewards of user privacy. To the extent that companies have to worry about users taking their business elsewhere (especially if users have low switching costs), they will be pressured to be better stewards.

A new regime of interoperability can revitalize competition in online services, encourage innovation, and allow users to exercise more agency over the collection and processing of their data. Interoperability also allows users and the toolsmiths who serve them to alter their digital tools so they suit their own use cases, something that’s especially important for users who are not given due consideration by firms when they design their products and services. Interoperability offers a range of self-help remedies to these users, who can directly alter the functioning of their technology rather than petitioning a distant corporation to take consideration of their equities.

Notwithstanding all of these benefits, interoperability may also create new risks to user privacy and data security. The problems of corporate concentration and privacy on the Internet are inextricably linked. Despite a chorus of voices calling for governments to intervene and rein in the tech giants’ power, there is less consensus on how exactly that should be done to address the current problems to avoid causing new ones. After all, more interoperability also means companies have new ways to share and collect personal information. This is an argument that the tech monopolies have themselves presented in defence of their behaviour, and as part of a promise to behave better in the future. As Mark Zuckerberg told the U.S. Congress, “It's not enough to just connect people, we have to make sure that those connections are positive.”

This presents a paradox: market concentration is central to the privacy crisis online, but the path to more competition creates new risks to privacy. One response could be to give up the fight, accept Facebook, Apple, Google, et al. as the best-placed defenders of personal privacy, and regulate them into that role on a presumed permanent basis.[1] However, our goal is to present a better alternative, one that doesn’t deputize notoriously abusive monopolists to act as a private arm of the state. We can and should have both competition and privacy, and users should be able to enjoy the many other benefits of interoperability as well. We treat the risks to user safety and security with appropriate gravity, and argue for a user-centric interoperability policy regime that goes hand-in-hand with privacy. A previous post for the Electronic Frontier Foundation considers these risks, and argues that they are outweighed by the benefits of interoperability viz. access, innovation, and more competitive digital markets. In our opinion, new interoperability can create a new benefit for user privacy rights - both in the Global North and the Global South.

Interoperability and the Global South

In the aforesaid post for the Electronic Frontier Foundation, we primarily dealt with interoperability as a policy tool, and how to bolster interoperability with consumer privacy laws; an appendix addresseshow this combination would play out in the context of the EU and its General Data Protection Directive (GDPR). But there are more internet users in the Global South than in North America and Europe. Those users are heavily dependent on US-based tech monopolists such as Facebook and Google (as well as their Chinese rivals), and US tech giants have focused their growth strategies on signing up “the next billion users” from poorer countries that lag the wealthy world in internet penetration. In contrast with the Global North, however, the nascent Indian discourse on privacy and data protection foresees more fundamental issues than competitive interoperability.

US-based tech giants are frank about their desire to dominate the digital lives of ‘the next billion.’ In some ways, these designs are no different from the way that tech giants have treated their users in wealthy, industrial nations - rich or poor, north or south, Big Tech would like to capture, control, and define the digital existence of us all. But there are key differences between tech giants’ subjugation of users from wealthy, industrialized nations and their dominance of the peoples of the global south. Tech firms are frank in their view of the opportunity presented by these users: the chance to make ‘the internet’ synonymous with their company and its products. Facebook has aggressively courted tie-ups with mobile phone companies and ISPs (Internet Service Providers) in developing nations for its “Free Basics” scheme, in which it offers a subsidy to a telecommunications operator in exchange for preferential network treatment for Facebook and Facebook-selected services, usually in the form of exempting Facebook services from customers’ data caps. Facebook claims that this network discrimination is benign and offers access to economically disadvantaged users who might otherwise ration their internet access, but the research is clear that the primary users of these subsidies are affluent professionals who become habituated to using Facebook and the services it includes in its zero-tariff package. Not coincidentally, those users are also highly prized by the advertisers on whom Facebook relies for its revenues.

This claim can also be supported by WhatsApp’s differential privacy protection standards for users in Europe and users in Global South. In January 2021, WhatsApp released a new privacy policy for its non-European users. It aimed to change how WhatsApp would process data of its users across jurisdictions. It would be pertinent for us to have a brief look at how WhatsApp treated the users differently. Users of WhatsApp in Europe could opt out of the new privacy policy changes without the fear of losing their account. Users’ data would not be shared with Facebook for the purposes of improved targeted ads. This is mainly because of the existing stringent laws – the General Data Protection Regulation (‘GDPR’), which obliges service providers to collect only essential information necessary to provide services. This regulation protects EU users from being coerced into having their data collected and processed; the same privilege is not extended tonon-European users. This difference in the treatment of users in India mainly arises from the lack of data protection legislation that could effectively protect the rights of the users.

With no consumer privacy legislation in force, an application was clubbed with the ongoing Karmanya Singh Sareen v. UOI (‘Karmanya Singh’) that challenged the aforementioned WhatsApp privacy policy. This time, the application argued that WhatsApp is offering different standards of privacy protection to the European and non-European users. The application is still pending before the Supreme Court of India. One of the issues that the Court undertook for consideration was “whether a privacy policy should have specific ‘opt-out’ provisions without the user having to ‘opt-out’ of the application in totality? In this case, whether WhatsApp is obligated to provide a specific option of ‘Not to share data’ with Facebook?” The Court is supposed to deliver a judgment in the matter in April 2023.

The recently re-drafted the Digital Personal Data Protection Bill, 2022 (‘DPDP Bill’) published by the Union Ministry of Electronics and Information Technology (‘MeitY’), can provide some insight into how the WhatsApp privacy policy is perceived by the government. In an ‘itemized notice,’ which outlines the nature of the personal data sought and the intended use for which it will be processed, Section 6 of the DPDP Bill envisages obtaining the data principal’s prior consent. The data fiduciary can only access such personal data with the data principal's consent, according to Section 7 of the DPDP Bill. A potential weakness in this proposal is that consent may either be express - or inferred, according to “the circumstances.” If express consent is given, it must be unambiguous, legally binding, and made available to the data principal in the event that access is sought as per Section 7(3) of the DPDP Bill. Additionally, according to Section 7(4) of the DPDP Bill, the data principal reserves the right to revoke its consent at any time, in which case the data fiduciary shall stop processing the personal data. As per the proposed Bill 2022, once the original purpose for collection has been fulfilled or the retention is no longer required, Section 9(6) of the proposed Bill contemplates erasing personal data. This means that personal data shall not be kept for any longer than is required, in addition to the data principals' (already indicated) right of withdrawal. The right to be deleted is acknowledged as both an obligation on data fiduciaries and a separate right on the part of data principals under Section 9(6) and 13(1) of the proposed Bill respectively. So, the new Privacy policy of WhatsApp will be in violation of several provisions of the DPDP Bill if its new policy does not provide the non-European users (Indian users) with the option to opt out of their data being shared with Facebook.

However, no positive mandate to facilitate data portability is envisaged in the DPDP Bill, 2022. The right to data portability enabled the data principal to obtain all personal data they had given to the data fiduciary and information the data fiduciary generated about them while processing it to deliver its services in a structured format. By giving data principals a wider range of platforms, this increased consumer welfare by fostering competition among data fiduciaries. For instance, the data principal may ask for the transfer of their data to another social networking platform if they were displeased with the one they were presently using and use that platform's services without having to re-enter all of their personal data. So, the right to data portability should have been included in the DPDP Bill, 2022.

India’s response to the questions in Karmanya Singh highlights several issues that the State may have with the way Big Tech is evolving in the country. First, there is the matter of agency. Facebook, Apple, and Google are notoriously indifferent to their users’ interests, but in those rare instances where the companies do modify their policies in response to user uprisings, the users in question are almost always wealthy people from wealthy countries. That means that while all users suffer when platforms make mistakes, users from the Global South are less likely to get relief from the platforms when they petition for redress.

The inability to get companies to take your complaints seriously is bad enough on its own, but this situation is exacerbated by the gap between the experiences of users in the global south and the experiences of the technologists, designers, and product managers who have the final say in how dominant tech platforms’ tools will work. When the person designing your digital tools lives in a radically different built environment, speaks a different language, comes from a different culture, is unfamiliar with your faith traditions, works under a completely different political system, shares few or none of your dietary preferences, and enjoys a material standard of living (including reliable infrastructure and utility services) unlike your own, that person is bound to create tools that are not fully suited to your purposes. The fact that users in the global south have needs that are poorly met by digital tools, multiplied by the fact that those users are worst situated to convince tech giants to change those tools, creates a strong case for interoperability.

"Nothing about us without us”: is a bedrock of policymaking; While it has its origins in 16th century Polish Constitutional debates, where it served as a demand that rulers be accountable to the governed, it has expanded to become a rallying cry of marginalized groups who feel that they are being regulated without consultation or agency, from indigenous groups in the US and Canada to disability rights groups round the world. It’s a demand that the users of systems, services, and products be included in their design and management. This ethos is not the sole purview of people with disabilities - everyone who’s ever had a tool imposed on them without their guidance or consent intuitively understands that they know their needs better than anyone.

The movement for inclusion in tech boardrooms has made important strides in developing products and services that are more thoughtful about users’ needs, but a priori determinations of those needs will always run up against the limits of our ability to predict all the ways that they will change in the real world. Technology has an answer for this unknowable and variable future: rather than designing tools so that they can manage every contingency out of the box, we adapt them to our circumstances. Sometimes, we reconfigure them (say, by turning on closed captioning so we can enjoy a streaming video when our Bluetooth headphones’ battery dies), and sometimes we alter them (as when a medical technician repairs a ventilator with a broken screen by swapping in a screen from a broken ventilator with a working screen). Reconfiguration and adaptation are important everywhere, but nowhere more so than in the global south, where western assumptions about the supply of parts, the reliability of internet and mains power, and the need to extend the duty-cycle of devices are wildly disconnected from the conditions on the ground.

This is where interoperability comes in. Jugaad may be an Indian phenomenon, but every part of the global south - and every place the world over where people have to mend and make do - there are equivalents, for example, jua kali (Swahili), gambiarra (Brazilian Portuguese) and bricolage (France and its former colonies). All of these words refer to a form of interoperability: the imaginative reconfiguration of diverse components to adapt or repair a system to suit local needs and conditions.

As US and Chinese Big Tech companies have vied to turn “the next billion users” into captives of their locked-in silos, clever engineers and toolsmiths have assisted their neighbours to adapt to local conditions the hardware and software that wealthy empires push over their borders. Take GBWhatsApp, an app with truly global provenance. It has its origins in conflict-torn Syria, where free/open-source developers created an alternative client to plug into Facebook’s massive WhatsApp messaging service. Its core is a software library, libwhatsapp, that is maintained by a global community, playing a cat-and-mouse game with Facebook engineers who seek to break compatibility between these unofficial clients and the main network.

Though GBWhatsApp users can be found all over the world, they are most concentrated in Africa, where the unofficial WhatsApp client is also a de facto standard. Now, Africa is obviously not a monolith: with 1.2 billion residents in 54 countries, the spectrum of African use-cases is indeed broad. Accordingly, GBWhatsApp has exploded into a whole constellation of variants, each adapted further to some niche where it fits perfectly. These variants sport enhanced privacy features (like the ability to turn off “read-receipts” asymmetrically, so that you can see when conversation partners read messages, but not the other way around) as well as expanded support for local dual-SIM phones, allowing a user to log in to more than one WhatsApp account from a single device.

As GBWhatsApp demonstrates, interoperability is a means by which local toolsmiths can create a locally appropriate technology without having to do so from scratch. Rather, they can build atop, existing technologies. The false dichotomy of “local” or “global” is thus revealed: the global tool can take on local characteristics and form a blend of both: bricolage, or if you prefer, jugaad. But there is a significant problem with the GBWhatsApp variants: because they are distributed outside of the official, Google-run Android App Store, it is difficult for a user to know whether they pose a privacy risk. Indeed, some of these variants come chock-full of spyware.

In the preceding sections, we set out the remedy for this problem: a democratically accountable, freestanding privacy regime, based on the law of the land and not the whims of Facebook’s product managers. If a GBWhatsApp variant violates its users’ privacy, it should face legal sanction. Likewise, if Facebook abuses its users’ privacy in WhatsApp, or any other product, it, too, should face sanction. Facebook has a long history of abusing its users’ privacy. It cannot and should not be trusted to decide when a local toolsmith’s reconfiguration of its products presents a privacy risk to those users. Much of the skepticism about the global south’s ability to create and enforce good privacy rules stems from a paternalistic and colonial view of the poor world’s human rights norms. The reality is a far more mixed bag.

It’s possible to look at India, the largest democracy in the world and the world’s second-largest internet userbase, and its human rights record, the internet blackouts in Kashmir, or in response to the farmers’ protest of 2020-21, and declare it to be a land with weak regard for human rights. But by the same token, it’s possible to look at India’s exemplary constitutional privacy protections and the Supreme Court’s ruling in Puttaswamy v. India, that the right to privacy was a constitutionally protected right, and see a country where human rights are both enshrined in the nation’s foundational documents and the judiciary’s deliberations. The landmark decision in Puttaswamy v. India compelled the Indian government to begin deliberations for a data protection regime.

A nine-judge Supreme Court bench in K.S. Puttaswamy v. Union of India (‘Puttaswamy’), unanimously decided that the right to privacy is protected as an essential part of the right to life and personal liberty under Article 21 and other freedoms guaranteed by Part III of the Constitution. In Puttaswamy, the descriptive and normative dimensions of privacy were explicitly acknowledged by Justice Chandrachud (who wrote the plurality judgement on himself and three other judges-para 322) and Justice Bobde (in his concurring opinion-para 407). Thus, according to Justice Bobde, the right to privacy is relational and context-dependent. It enables a person to decide whether to engage in a certain activity and who they want to be present with. In contra, Justice Kaul concentrated on the unique privacy claims made against both State and non-State actors, particularly in a context with a variety of social and cultural practices. In respect of non-State actors, he accentuated the impact of technology and big data on pervasive data generation, collection, and use in a digital economy. Also, as per Justice Kaul (Para 70): “The State must ensure that information is not used without the consent of users and that it is used for the purpose and to the extent it was disclosed”. Thus, WhatsApp’s new privacy policy will infringe on the right to privacy recognised under Article 21 and contravene the Puttaswamy judgment through the chilling effect it may have on free speech and expression of an individual by not providing the user with the option to opt out of their data being shared.

In addition to legislative and judicial policy, the administrative machinery in India is also making headway towards operationalizing consent for commercial application. For instance, the Data Empowerment and Protection Architecture (DEPA) is ‘Privacy Enhancement Technology’ (PET) that seeks to enable efficient data-flows while protecting user autonomy in the sharing of their private information. DEPA presents users with a ‘Consent Dashboard’ that allows users to see, enable, or block the sharing of their data between data-processors via a regulated sector of data fiduciaries. This model arises from the Data Protection Committee report, and has its origins in the Reserve Bank of India's 2015 plan for a system to present users with a consolidated view of their accounts at competing financial institutions. Out of this prototype, DEPA's developers extended into a more general framework that has since been deployed to allow patients to control the flow of their health information among health providers.

The DEPA is a joint project of the Indian Ministry of Finance, the Pension Fund Regulatory and Development Authority (PFRDA), the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI), and the Insurance Regulatory and Development Authority (IRDAI). DEPA is best understood as a response to the criticisms of Aadhar, which was billed as a welfare-improving technology that would enhance privacy, but fell short of this mark in practice, as did Aadhar's predecessors, some of performed so badly, and exposed users to so much risk, that they had to be scrapped altogether. Against this backdrop of failure and disappointment, DEPA's proponents hope to lure Indians out of a nihilistic rejection of the very idea of data-sharing, by promising a genuinely consent-driven, transparent system that will at last reap the gains of efficient data-sharing without the privacy debacles of earlier efforts.

Designed as it is to span systems managed by different corporations and agencies across multiple sectors, DEPA could serve as the privacy-management complement to adversarial interoperability remedies such as reverse-enginnering, scraping, bots and other self-help measures. If new interoperators are to be required to obtain consent for the data-flows between incumbents' systems and the new ones, DEPA could serve as that consent-management tool. For DEPA to step into this role, it will require legislative support; such as was offered from the (sadly defunct) Personal Data Protection Bill 2019 (‘PDP’). Its Sec 19(1) laid out a privacy and consent framework for data-portability that provides the data principal the right to receive the personal data in a structured, commonly used and machine-readable format where the data processing has been carried out through automated means.

While Sec 23(3) of PDP affords ‘data principals’ (users) the right to withdraw their consent to data fiduciaries by means of a ‘consent manager’, providing for "a data fiduciary that enables a data principle to gain, review, withdraw, and manage his consent through accessible, transparent, and interoperable platforms" – again, this is significantly reminiscent of the DEPA. The PDP would have brought GDPR-like notions of data sovereignty into Indian law. When the law enshrines the principle that users have the right to determine how their information is used and by whom, interoperability flows naturally out of that principle. If users have the right to control the use of their data, they must have the ability to exercise that right.

PDP builds on data protection jurisprudence. Although the Puttaswamy decision significantly advanced the legal basis for a privacy right in India, it was supplemented and clarified by subsequent legislation, including the SPD (Sensitive Personal Data) Rules, issued according to Section 43A of the IT Act, which governs the transfer of personal data that is classified as sensitive personal data. However, these rules, like the IT Act itself, treat consent as a matter of obtaining a user's click on an ‘I Agree’ button beneath a long scroll of complex legal language[2] that the user has almost certainly not read, and, if the user has read it, they likely do not understand it, and if they understand it, they likely do not agree with it, but feel they must click because they are given no opportunity to bargain for revisions. This ‘consent theatre’ was the backdrop for the passage of the GDPR, and has been thoroughly discredited as being fit for the purpose of producing a data privacy regime which the public feels well-served by.

Conclusion

India has a spectrum of unique use-cases stemming from the country’s distinctive circumstances - its path to post-colonial independence, its mix of faith communities, its cultural norms, and legal protections for disfavoured minorities (including scheduled castes) all add up to the need for locally appropriate adaptations to technology from elsewhere, to suit local needs and circumstances. And of course, India has a thriving tech sector of its own, as well as some of the world’s most-respected technical universities. In other words, India has the motive, means, and opportunity to make use of interoperability. Made-in-India interoperable tools represent a wholly new class of de facto platform regulations – regulations that can be applied even to firms with no enforcement nexus within a nation’s borders.

Nations could authorize their own technologists to create interoperable tools. As with GBWhatsApp, these tools could provide the filtering and other adaptations that local users prefer, without having to administer a complex, hard-to-monitor set of intermediary rules that offshore giants either can’t or won’t comply with. But as with the US and EU cases laid out above, an Indian interoperability renaissance can’t be a free-for-all, lest criminals and privacy-invaders exploit Indian technology users under the banner of “interoperability.”

Whether the Indian state seeks to impose interoperability on tech products and services through mandates similar to Europe’s Digital Markets Act or the US’s ACCESS Act, or whether it clears a path for domestic competitive compatibility add-ons by creating affirmative defences in law for inter-operators (or both!) it will need to backstop these changes with freestanding privacy and consumer data protection laws that hold inter-operators accountable as they adapt existing technologies. At the same time, a national privacy law should not be used to smuggle in press regulation, surveillance, and speech control duties for intermediaries or exempt government agencies from their data protection obligations.

A functional privacy law would be consistent with Indian constitutional principles and have applications beyond the questions of interoperability and competition, reaching into the wider relations between Indian technology users and companies - both domestic and offshore - that have grown accustomed to sucking up huge amounts of personal, sensitive data, under the thinnest of pretences of ‘consent.’ This data is then sold or stored without adequate security so that it leaks onto the internet, to circulate forever.

The priorities and needs of marginalized people, poor people, people in the global south are too often missing in action when it comes to design choices. US-based tech giants are frank about their desire to dominate the digital lives of ‘the next billion.’ In some ways, these designs are no different from the way that tech giants have treated their users in wealthy, industrial nations - rich or poor, north or south, Big Tech would like to capture, control and define the digital existence of us all. The people designing digital tools for the global south live in radically different built environments, speak a different language, come from a different culture that is out of touch with other faith traditions and political systems, and enjoy a material standard of living (including reliable infrastructure and utility services) unlike ‘the next billion’ they are catering to. It is no stretch of the imagination to suggest that such people are bound to create tools that are not fully suited to the purposes of the global south.

Even when gaps in policy design are revealed and, in a rare instance, platforms seek to rectify their policies in response to user uprisings, the users in question are almost always wealthy people from wealthy countries. That means that while all users suffer when platforms make mistakes, users from the Global South are less likely to get relief from the platforms when they petition for redress. The fact that users in the global south have needs that are poorly met by digital tools, multiplied by the fact that those users are worst situated to convince tech giants to change those tools, creates a strong case for interoperability.

*Cory Doctorow is a science fiction author, technology activist, and editor of the blog Craphound. He is the former European director of the Electronic Frontier Foundation and co-founded the UK Open Rights Group.

Kshitij Goyal is a fourth-year student at the National Law School of India University, Bengaluru. His interests lie in politics and policy-making in general, apart from the intersection of law and technology.

Dhruv Jain, a fourth-year student at the National Law School of India University, Bengaluru, is interested in learning the interface between of law and technology and how it impacts everyday human life.

Sarthak is a Fourth Year law student at the NLSIU Bangalore. He is interested in tech-markets and digital competition.

[1] Tim Wu, The Master Switch: The Rise and Fall of Information Empires (Atlantic, 2010). [2] RBI Working Committee Report, at 53.