A policy tool that tries to hit two different targets is bound to miss both. India’s Personal Data Protection Bill, 2019 aims for several. One of them, both directly and indirectly, is digital competition. To be fair, policymakers and regulators the world over are grappling with the increasing overlap of data protection with competition regulation. But there are no effective answers that can be found here.
Two of the bill’s provisions that blur the regulatory boundary most directly have to do with unbundling data and consent, and data portability. Both borrow heavily from the European Union’s General Data Protection Regulation (GDPR), a directive that aims to “harmonise data privacy laws across” the EU member states. Unbundling means that when a company offers a service for which a user has to hand over personal data — say, registering on a new app — it has to offer a bouquet of choices. Users should be able to opt out of a category of service while retaining another, based on the sensitive personal data they want to share. The company also can’t make any service conditional on personal data that isn’t necessary for it.
Also read: Modi govt’s data protection bill harms anonymous social media users, not fake news
The problem with Facebook and Google
Compelling companies to give users such choices without withholding service serves an obvious data privacy end. It also pulls double duty on the competition regulation front where preventing dominant companies from abusing their market position is a core objective. The Facebooks and Googles of the digital economy have shown that they are entirely capable of using the lack of viable alternatives as leverage to make users part with data much beyond what they need to provide their services. There’s the potential downstream effect too. By clamping down on the data that lets them build comprehensive user profiles and corner the digital advertising market, the thinking goes, perhaps the regulations will create more of a level playing field for potential competitors.
But the idea falls short of the ideal. Austria and Italy, which are EU member states, have already interpreted unbundled consent in different ways. Establishing regulatory precedence in such a murky area isn’t easy; beyond the obvious transgressions, deciding what data is needed to provide a service, or improve it, and what isn’t, can get tricky. Most importantly, unbundled consent elides the very real problem of consent fatigue.
The ‘consent managers’ the Bill envisages — third parties who will run interference for users — can change consent dynamics only to an extent. Making users jump through more consent hoops is unlikely to move the needle on dominant companies’ data collection much.
Also read: More power & data access to govt — all about personal data protection bill
The mistake of taking a brute force approach
The second provision, data portability, is similarly messy. The bill gives users the right to demand personal data from any company that has gathered it in a “structured, commonly used and machine-readable format”. The EU’s GDPR aside, the UK’s Digital Competition Expert Panel also recommends it in its ‘Unlocking Digital Competition’ March 2019 report. It serves a straightforward data privacy end, giving users more control over their data. The competition dynamics are ostensibly simple too. If companies in the digital economy derive value from personal data, letting users transfer their data from one company to another will allow scrappy newcomers to take on data-rich behemoths.
Except that it isn’t that easy. For all the ‘data is the new oil’ bromides, this is just one part of a complex marketplace puzzle. It isn’t particularly difficult for companies that offer truly useful services to get users to hand over personal data. It’s the algorithmic processing that the company uses to derive insights from the user or tailor the service that adds real value. And network effects — the more users a service has, the more value it offers to new users; think LinkedIn, for instance — provide stickiness. There is a reason Google, for all the access it has to people’s personal data, has failed every time it has tried to take on Facebook in the social media game.
The Personal Data Protection Bill, 2019 almost makes the mistake of taking a brute force approach here. It classifies inferred data — for example, the profile a news app builds of users based on the kind of articles they like to read — as personal data and includes it in the data portability provision. Such enthusiasm to give users control over their digital selves runs roughshod over market dynamics. Digital companies, big and small, compete on the back of the unique value they offer users — and the inferred data they derive helps build that value. Making it portable is like fishing with a grenade; you wind up with a lot of dead fish, not just the one you wanted.
Also read: The era of data-globalism is over. Where does this leave India?
No easy answers
Thankfully, the Bill promptly offers a loophole by building in an exemption from portability in case complying would reveal a trade secret or be technically unfeasible. The end result: companies will have to jump through another hoop to avoid complying with a provision they should never have been asked to comply with in the first place.
Regulation as broad and sweeping as the PDP Bill cannot ignore the potential effect on market dynamics. It must make numerous calculations.
Also read: Lost in the data localisation debate: Does India have full power to exploit its own data?
Will interoperability serve better than data portability to enable a level playing field or will it degrade firm efficiency? Should the different treatment of significant data fiduciaries mandated in other sections of the bill extend here too? There are no easy answers. But ignoring such questions altogether could stifle innovation, skew the market more heavily towards tech giants — and compromise the “free and fair digital economy” the bill aims at.
Vikram Sinha is Junior Fellow and Head, Strategic Communications, IDFC Institute . Views are personal.
This is the fourth in an IDFC Institute-ThePrint partnership series, part of the Data Governance Network’s work on data governance policies and infrastructure in India.