Beyond legal compliance: Timing and path for adoption of privacy-preserving data processing and collaboration for value creation
By Dr. Jay Prakash, Co-Founder and CEO, Silence Laboratories
India’s remarkable journey in Digital Public Infrastructure (DPI), especially through initiatives like the UPI, Account Aggregators, and ONDC, exemplifies a commitment to leadership in framework-driven digital transformation. These platforms have not only democratised financial transactions but have also set a global precedent in efficient and secure digital payment systems and collaborations.
A unique and responsible position:
The distinctive position has two key aspects: a) a proven track record of designing and scaling to unprecedented adoption, and b) being still in the early years of unified digitisation. While this promises huge opportunities for business and value creation for citizens, it also brings a unique chance to avoid mistakes made by developed nations. I am particularly talking about adding privacy, through the early adoption of privacy-enhancing technologies (PETs), to the digital DNA of the architectures being continuously rolled out by these institutions of national importance and regulatory bodies, because privacy guarantees have a lot to offer to our economy beyond compliance and consumer trust.
Gleaning Insights from the oversights of mature digital economies:
The continual clash and power struggle between data-driven companies and legal authorities in developed countries demonstrate that privacy is treated as a superficial addition and an afterthought, rather than being intrinsically woven into the fabric of products and infrastructures. This is something that architects of digital India can avoid by making technological strides towards privacy by design: integrating privacy at the foundational level of architecture and technological development.
Beyond compliance to privacy bills:
We can classify the digital growth into a few stages:
Stage 1: Inclusion - India has done unprecedented work in fundamental infrastructure leading to inclusion, with DPI initiatives leading to penetration of banking from 17% to 80% in just 8 years, UPI transactions hitting 10 billion transactions per month and DigiLocker being used by 195 million citizens. The private sector has complemented this, as it is full of innovations and adaptations to its products.
Stage 2: Data Sharing and Governance Framework and Opportunity to Fix for Privacy - The next wave of growth vectors, driven by responsible and user-informed data, is poised to significantly enhance the Digital Public Infrastructure (DPI) and catalyze the creation of value-added services. We are already witnessing notable strides in standardising the movement and utilisation of financial and healthcare data through innovations in the Account Aggregator (AA) framework and the Ayushman Bharat Digital Mission (ABDM) healthcare data exchange. The systematic approach fostered by AA and ABDM presents an opportune moment to embed privacy at the heart of system architecture and design.
In these ecosystems, Financial Information Users (FIUs) and Healthcare Information Users (HIUs) are particularly vulnerable to risks associated with the handling of user and business data. India stands at a critical juncture, with the potential to revolutionise how data is circulated through such aggregator systems. While these institutions access data streams with user consent, there is a risk of falling into the same conflicts observed in advanced digital economies. The crux of the issue lies in the intricate relationship between consent, data exploitation, and the often opaque interpretation of privacy with consent.
Addressing this challenge is essential to avoid replicating the contentious dynamics seen in more mature digital markets and to pave the way for a more transparent, user-centric data ecosystem. User consent is not a proxy for privacy guarantees, at least not with how consent functions as a one-time opt-only disclosure. This scenario presents two critical challenges: Firstly, enterprises that extract data for aggregated analysis and build services atop this information become highly attractive targets for cyber-attacks, given their centralised nature. Secondly, the current model of consent is fraught with limitations, requiring significant advancements in both user interface design and technology.
Presently, consent mechanisms are often non-interactive, static and unidirectional, characterised by rudimentary user interfaces, and lacking integration. Moreover, they fail to provide mathematical assurances that data will be used strictly for the intended purposes and only by authorised entities. To navigate these complexities effectively, it is imperative to draw lessons from the experiences and regulatory approaches of other nations and techno-legal frameworks. This approach will not only address current vulnerabilities but also pave the way for a more secure and user-centric data ecosystem.
I strongly advocate for the integration of secure data collaboration frameworks as a fundamental component of both private enterprises and Digital Public Infrastructures (DPIs). A key principle is that data should remain with its original custodian, never leaving the source. Thanks to significant advancements in privacy technologies, institutions can now engage in collaborative analysis and derive joint insights without consolidating data streams.
This can be achieved through secure multi-party computation and other distributed computing approaches. Additionally, our frameworks should support computations on encrypted data, ensuring service providers have no access to the content. This can be realised using fully homomorphic encryption (FHE) or a combination of SMPC and FHE. The adoption of such Privacy Enhancing Technologies (PETs) should not be an afterthought; their full potential and seamless integration are best realised when incorporated at the inception of system development, as is the case currently with emerging systems.
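An added illustration, not code from the author or from Silence Laboratories: additive secret sharing, one of the simplest SMPC building blocks, lets three hypothetical institutions compute a joint total while each raw figure stays with its custodian. The institution names, figures and field modulus are constructed for the example, and the parties are assumed to follow the protocol (semi-honest) over private pairwise channels.

```python
import secrets

P = 2**61 - 1  # prime field modulus (assumption); inputs and their sum must stay below it

def share(value, n_parties):
    """Split value into n_parties additive shares that sum to value mod P."""
    if not 0 <= value < P:
        raise ValueError("value must lie in [0, P)")
    shares = [secrets.randbelow(P) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % P)  # last share fixes the sum
    return shares

def joint_sum(private_inputs):
    """Simulate the protocol in one process; return (total, partials).

    Assumes semi-honest parties and private pairwise channels.
    """
    n = len(private_inputs)
    if n < 3:
        # With two parties, the total minus your own input is the other's input.
        raise ValueError("need at least 3 parties for the total to hide inputs")
    # Round 1: party i deals one share of its input to every party j.
    dealt = [share(v, n) for v in private_inputs]
    # Party j only ever sees column j: one random-looking share per peer.
    received = [[dealt[i][j] for i in range(n)] for j in range(n)]
    # Round 2: each party publishes only the sum of the shares it holds.
    partials = [sum(col) % P for col in received]
    return sum(partials) % P, partials

if __name__ == "__main__":
    # Constructed sample data: hypothetical institutions and exposure figures.
    exposures = {"bank_a": 1_250_000, "lender_b": 730_500, "insurer_c": 98_000}
    total, partials = joint_sum(list(exposures.values()))
    print("published partial sums:", partials)
    print("joint exposure:", total)
```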
Stage 3: Value Creation through Privacy Guarantees: Privacy-preserving computations and collaborations can significantly enhance both local and international trust, opening new business opportunities previously unattainable. Transparent digital inclusion promises economic growth and better access to vital services. Studies indicate that adopting privacy technologies boosts the volume and quality of data shared by users and institutions. The assurance of zero data exposure provided by these technologies is a major catalyst for value creation across economies of all sizes. Privacy Enhancing Technologies (PETs) further enable programmable, transparent data usage authorisation. This paves the way for UI/UX and human-computer interaction (HCI) researchers to develop dynamic, fully transparent consent management interfaces, allowing users to monitor, control, and revoke data usage consents.
2024 and beyond:
India stands at a pivotal point where such innovations can be adopted on a massive scale, transforming privacy from a mere legal requirement to a key value-creation metric. This shift calls for leveraging our R&D and engineering capabilities towards creating secure, privacy-preserving collaboration platforms and use cases beyond our current imagination.