IT Rules: Content moderation, an alternative

Author: Rohit Kumar
Published: July 16, 2022 in the Economic Times. Full version below. Photo by Jeremy Bezanger on Unsplash
A lot has been written about the proposed amendments to the IT Rules. Many commentators have raised concerns that the rules go beyond the remit of the IT Act and seek more control of content moderation even as challenges are still pending in the courts. There have also been questions about the government setting up Grievance Appellate Committees and whether that will lead to political interference in moderation and censorship of critical voices.

While all of these are pressing concerns that merit deep consideration, there is also a need to examine the likely impact of the proposed rules on businesses – especially India’s digital startups – and the many administrative challenges that their enforcement may entail.

The press note accompanying the amendments explicitly says that the proposed changes are aimed at establishing stronger accountability standards, especially for the larger social media intermediaries who are perceived to be dragging their feet on compliance. The goal is to get all such intermediaries to set up better systems for grievance redressal and address the challenges presented by unlawful and harmful content being uploaded to their platforms. While this is a well-intentioned aim, the legal framework being proposed to fix the problem is likely to present many operational challenges, besides risking the freedom of speech of India’s digital citizens.

An example is the requirement to remove content within 72 hours of complaint if it is unlawful or harmful under the 10 prescribed (and very broadly defined) categories.

This change is specifically meant to address the issue of virality to ensure that the spread of unlawful or harmful content, including misinformation, is curtailed before it causes significant damage. While it is certainly important to cut the circulation of problematic content, the amendment is overzealous in that it extends the requirement to all intermediaries, irrespective of their size or the potential of virality. Content is usually likely to go viral on social media platforms with significant user bases that allow for large scale dissemination and sharing of information. Therefore, it is not necessary that smaller social media platforms or intermediaries such as enterprise communication software, video conferencing services and platforms that allow only one-on-one communication such as matrimony apps be required to implement 72 hour redressal timelines.

Even on large social media platforms, all complaints may not require expeditious redressal if there is limited risk of virality. The government should therefore consider explicitly defining virality in terms of the width of spread and the pace at which information is getting shared. In the event of a complaint, content that crosses prescribed thresholds could be reviewed on priority. Such a provision is likely to help reduce compliance costs and also increase the efficacy of the grievance process.

Another issue to consider is the structure of the Grievance Appellate Committee (GAC). While the creation of an alternative forum of appeals – outside of the already overburdened judicial process – is well-intentioned, if set up in its proposed form, it is likely to encounter several challenges in its functioning.

Given the volume of users on the internet, the GAC is likely to be inundated with an unmanageable number of requests. Intermediaries also have varying terms of use and functionalities, which could make it difficult for the GAC to assess complaints arising from widely varying contexts. For example, content takedown decisions by social media intermediaries are likely to be different from those taken by online marketplaces or enterprise software like Slack, Zoho etc. Decision making in such a situation is likely to be both cumbersome and time-consuming, making the entire exercise administratively expensive and burdensome.

A potential solution to these issues could be a redesigned, tiered intermediary-industry led appellate mechanism that culminates in the judicial system. To reduce distrust between regulators and intermediaries, and to force platforms to apply their terms of service uniformly, Evelyn Douek of the Harvard Law School proposes that intermediaries be required to put a wall between teams handling grievance redressal and those responsible for profitability/ growth and political lobbying. Evelyn’s proposal can be further strengthened by requiring intermediaries to create the first-level appellate committees in-house with independent stakeholders from outside (such as in the case of the Sexual Harassment Act). The second level of appeal could potentially lie with an industry-wide appellate body, though it might be challenging to create a truly independent body that can be insulated from both business interests and political pressures. The final appeal, therefore, must lie with the courts to protect freedom of speech and to insulate the process from interference. This thinking is also reflected in the draft shared by MeitY.

The government could also call for compliance reports on the decisions of appellate bodies to be made publicly available. This is likely to help align incentives for compliance and fairer decision-making.

While policymakers are undoubtedly operating in a challenging environment, the proposed amendments may have several unintended consequences. The government is already consulting stakeholders to overhaul the IT Act in its entirety to equip itself with new tools to deal with the changing tech landscape. Perhaps it is time that this conversation be taken forward at full steam, so that alternative regulatory models can be built ground-up, instead of patchwork through amendments.

The tokenisation regime will affect all businesses that accept cards

Authors: Rohit Kumar and Aishwarya Viswanathan
Published: June 08, 2022 in the Economic Times. RBI has since postponed the deadline to 1st October, 2022.

The payments ecosystem in India is in for a stir. Reserve Bank of India’s no-card-storage directive initiated in March 2020 is set to kick-in from July 1st, 2022. Starting July, both authorised payment aggregators and merchants will not be allowed to store customer card credentials. Instead, transactions will have to be processed through a card ‘token’ – an alphanumeric code unique to every combination of card and merchant.

Industry insiders largely believe that this move to tokenise is well-intentioned. With access to sensitive card information restricted to fewer players in the ecosystem, the likelihood of a data breach is reduced. However, with less than four weeks left for implementation, many maintain that the transition is unlikely to be seamless and will adversely affect both customer experience as well as payment completion rates.

Note: TQH undertook a range of work on ecosystem readiness for tokenisation, including representations to the RBI, panel discussions, technical explainers and opinion pieces. Please scroll down for the links to these pieces.

The payments ecosystem requires sequential interaction between players (merchants, payment aggregators and gateways, card networks, banks) for smooth end-to-end transaction processing. For the tokenisation regime to take shape, it will require the ecosystem as a whole to demonstrate a certain degree of ‘readiness’. As per industry body NASSCOM, this would mean banks managing at least 80% of the cards in circulation to have tokenisation solutions, with stable APIs made available for merchants to integrate with their backend systems. Other bodies such as the Merchant Risk Council add that ‘readiness’ should also mean the ability to simultaneously create and process tokens, while being able to do so at high volumes and across use-cases, especially on days that see heavy traffic such as during e-commerce sales.

Voluntary disclosure on readiness, but hard to verify

So far, a few major card networks, some banks and payment aggregators have stated that they are ready with tokenisation solutions. Some have also indicated that compared to 6 months ago, their systems are much better equipped to handle token provisioning and processing. But while such disclosure by key players is welcome, available information still remains fragmented and superficial; it is also hard to verify. This coupled with the lack of any official information being made available by the RBI is creating a trust-deficit in the ecosystem at large, and more ominously between co-dependent players.

For instance, it is still not clear if the ecosystem is ready to use tokenised transactions for use-cases such as promotional offers and cashbacks. Merchants are also unsure if they’ll be able to process refunds for customers who choose to make online purchases as guests on a website i.e., without saving card details. Since acquiring banks will not be allowed to store customer card data starting July 1st, they may have no means to track transactions to fulfil refund requests in case of guest checkouts.

The anxiety being caused by this information asymmetry is being further aggravated by the ecosystem’s recent experience with RBI’s e-mandate on recurring payments. A media report published in May this year, after 7 months of the e-mandate regulations coming into force, highlighted that success rates for recurring transactions vary between 30-75% and the experience has been extremely damaging for smaller businesses. An important use case that has still not been solved for is international payments; many foreign developers who sell software subscriptions over the internet have found RBI’s compliance requirements cumbersome and have altogether suspended payments from Indian cards.

Unintended consequences

In this regard, it may be worth noting that the tokenisation regime will affect all businesses that accept cards, unlike the e-mandate which was only applicable to those offering subscriptions. Given that we are still seeing disruptions 7-8 months after the e-mandate kicked in, the disruption post-tokenisation may be significantly more widespread than what was previously experienced.

As the deadline approaches, players in the payments ecosystem are finding other ways to cope with the uncertainty. Some are taking pre-emptive steps to avoid disruption and circumvent compliance requirements. For instance – in a first, Apple said that they will stop accepting debit and credit card payments for both app purchases and subscriptions in India, as well as for payments on ad campaigns – a matter of concern for many small businesses who leverage credit to smoothen cash flows and ensure continuity of operations.

At a time when post-pandemic economic activity is slowly picking up pace, the RBI must recognise that forcing compliance in this manner is likely to disincentivise credit usage – a move that could have broader adversarial effects on the economy as a whole.

RBI should demonstrate readiness

The idea of pushing hard for compliance and hoping that the ecosystem will fall in line may not be the best approach to adopt at this time. The RBI needs to demonstrate that the ecosystem is confident of transacting at scale, and across use-cases. As a first step, the central bank must clarify what it considers to be ‘readiness’, and then proactively seek information from ecosystem players to demonstrate the same. Additionally, it must also consider introducing some flexibility in the transition period – perhaps by allowing acquiring banks to store card data till the system stabilizes. This will go a long way in reducing anxiety and ensuring a smooth transition. Moreover, it will guard against other inadvertent consequences for the economy that might stem from impulsive actions by ecosystem players – all of whom are in a haste to comply, no matter the cost.

Related pieces of work

Evaluating Ecosystem Readiness: RBI’s No-Card-Storage Mandate [Medianama, 15 Jun, 2022]

Technical Explainer on Ecosystem Readiness [The Print, 16 Jun, 2022]

Will India Pay for RBI’s hurry [Times of India, 23 Dec, 2021]

Experts weigh in on how RBI’s new digital payment guidelines can impact small businesses [YourStory, 09 Dec, 2021]

The Data Protection Bill puts Indian children at a disadvantage. Here’s how

Over-reliance on parents for consent may curtail internet access for teenagers. The discussion on what is a good age-verification mechanism has been missing from the discourse.
Authors: Aparajita Bharti & Nikhil Iyer
Published: July 02, 2022 in The Economic Times
Imagine a 16-year-old boy getting his first smartphone in a tier-3 city. He has attended school online for two years of the pandemic. He helps his parents download and use new apps. His primary means of shopping is online and he orders for the family.

Contrast this with his 70-year-old grandmother, also a new smartphone user. Like many women of her age, she has had limited formal education and is learning to use messaging and social media apps to keep in touch with her family. Who is likely to be more vulnerable on the internet? And is age, then, a good indicator of a person’s ability to make decisions when it comes to their privacy and safety online?

This is a point of contention for policymakers across the world. Currently, as the Personal Data Protection Bill 2019 stands, any child below 18 years has to effectively obtain consent from their parent(s) or guardian(s) in all cases of their data being processed on the internet. Further, there is a blanket ban on profiling based on children’s data. If this provision remains unchanged, India will be an outlier globally.

In Britain and the US, for instance, parental consent is needed for those below 13, while in China this threshold is at 14. In the EU, the threshold age is 16, with an option for member-states to reduce it to 13. At the other end of the spectrum is Australia. Its Privacy Act, 1988, mentions no age of consent. Instead, consent is valid if the individual has ‘capacity to consent’. Entities handling individuals’ personal information have to decide on a case-by-case basis whether there is capacity to consent and take parental consent if they think fit.

In comparison, the high threshold of 18 years in India is out of touch with reality, and can seriously hamper Indian teenagers from fully experiencing the digital age. Nearly one-third of all internet users in the country were under 18 as of 2020. This number is likely to have increased in the Covid context.

Over-reliance on parents for consent may curtail access for teenagers due to various reasons, including parents’ lack of exposure, gender bias and unhealthy relationships. Further, the discussion on what is a good age-verification mechanism has been missing from the discourse, even as privacy experts concur that it should not itself lead to collection of more personal data and IDs.

Ctrl + Shift to Enter

To resolve this, policymakers could turn to the Convention on the Rights of the Child (CRC), 1989. It exhorts states – their legislative, executive and judicial arms – to act in the ‘best interests of the child’ in all matters pertaining to the realisation of their socioeconomic and political rights. India has upheld the principles of CRC in various legislations, such as the Commission for Protection of Child Rights, 2005, the Right of Children to Free and Compulsory Education, 2009, and the Protection of Children from Sexual Offences, 2012. This approach should also be applied to children’s data protection and privacy.

Britain’s Age-Appropriate Design Code (AADC), in force from September 2021, presents a model. AADC entrusts entities handling children’s data with a positive obligation to give primacy to the interests of the child. It lays down 15 standards, instead of strict dos and don’ts, directing entities to implement ‘age-appropriate’ design. This design should rest on principles of data minimisation, purpose limitation, transparency, avoiding usage of nudge techniques, default settings that safeguard children’s privacy, and so on.

Virtually all entities providing online products or services – apps, programs, websites, connected toys – are covered. AADC acknowledges that the ‘best interests of the child’ may differ on different platforms, depending on each platform’s use-case. For example, risks on a gaming platform may be different than on a video-streaming platform. The code, therefore, encourages platforms to consider their impact on children and build in mitigation strategies.

For example, while evaluating whether and how to process children’s data, entities must consider risks such as physical harm, mental health issues, excessive screen time, exposure to inappropriate content, etc. AADC also gives guidance on different age-verification mechanisms, including self-declaration, artificial intelligence (AI; by assessing usage patterns), third-party verification, and hard identification (through government-issued IDs), which can be applied proportionately to the risks faced by children on the platforms.

While India has a unique socioeconomic context, there are useful lessons from such models. In place of a blanket imposition, the data protection law must make room for a principles-based approach that allows both regulation and innovation to deal with online risks to children. Entrusting all responsibility to adults can prove to be ineffective, given the well-recorded consent fatigue, and lack of understanding among adults themselves.

Instead, regulation must make way for honest conversations among developers, regulators and parents on ‘what constitutes best interests’ of children, and how best can it be enabled on each platform while balancing their security and agency on the internet.

Privacy Policies and Consent are Broken – Here’s How We can Fix Them

Authors: Rohit Kumar & Avi Krish Bedi
Published: June 15, 2022 in The Hindu Business Line
Our data is more valuable than ever. With increased digital penetration, data has undoubtedly unlocked human potential to do a lot more – and efficiently. However, with more data comes a greater risk of misuse, often exemplified by data leaks and the illicit selling of personal data. The discourse on safeguarding our data, including the discussion on the PDP Bill, is emphasizing the primacy of privacy policies and user consent as our key bastions of defense. But, as we become more aware of how businesses and other entities collect, share, and monetize our personal data, we must revisit the structural shortcomings of this approach and consciously work to devise meaningful alternatives to safeguard our privacy and autonomy.

Try recalling the last time you earnestly read through a verbose and jargon-laden privacy policy before consenting to share your data – but don’t beat yourself over being lax about it. Multiple studies have demonstrated that privacy policies and informed consent are broken. They suffer from three behaviourally-linked problems. First, the transparency/ comprehension problem – wherein the verbose legalese used in privacy policies is often incomprehensible to laypeople; this problem is further compounded by low digital literacy in India. Second, the data repurposing problem – where entities do not overtly disclose all the additional purposes for which user data could be used, thereby resulting in ‘function creeps’. And third, the consent fatigue problem – where users, by virtue of having to repeatedly consent to data sharing, are tired of doing so, thereby unwilling to expend the time and effort required to meaningfully consent.

An over-reliance on this approach has led to the prevalence of a binary “tick-the-box” approach to data protection, rendering “informed consent” perfunctory: while users have the choice to share their data, it is far from being a meaningful choice.

Some solutions posit that data collecting entities should remain legally accountable for any breach or misuse of personal data regardless of whether they obtained consent. To give this approach some teeth, a set of inviolable ‘data rights’ are envisaged. However, the problem remains in implementing and enforcing such rights. As it stands, India still does not have a data protection law, and such rights do not have legal grounding. Moreover, it can be difficult and time-consuming to prove infringements. For instance, if my data is used by AI and IoT for purposes other than what I consented to, how would I actually know? And if I somehow found out, will it be straightforward to mount a legal challenge? Moreover, by the time such a matter is adjudicated on, will any recourse offered be enough to offset the harm already done?

If we were to step back and take another look at the problem, we may be able to find some potential alternatives. Many of the core issues around data privacy are also behavioral in nature; users may wish to secure their data but their intention doesn’t always translate into action. So, by nudging human behavior through better design principles we may be able to unlock human-centric design as a potential solution to better data privacy. By placing people rather than the service-contract at the center of this relationship, we can enable better decision-making.

While designing privacy policies, for instance, UI/UX designers should be included at the very outset of the design process. Their inputs should be used to represent privacy policies visually – to show users how their data is going to be collected and utilized if they consent. Studies have shown that visually representing data flows – through short videos / animations – can make users more aware of what happens to their data when they consent, thereby reducing incomprehensibility and increasing transparency, while also tackling consent fatigue. This also has the added benefit of tackling limited literacy and linguistic diversity in a country like India.

Device makers and operating systems can also be encouraged to implement a ‘master privacy preference setting’ on user devices. Effectively, this will allow users to have a master control panel to preconfigure their data sharing preferences – where they can decide the frequency and type of data they are comfortable sharing in the normal course of online activity. And if a user’s master data sharing preferences do not meet the requirements of an app, they can either choose not to use it, or take time to specifically consent to its additional requirements. On the supply side, such a structure would incentivize the app to minimize data collection or even provide a ‘Lite’ version of their app – with basic functionality requiring only essential data from users – to prevent large-scale user drop-off.

Businesses and other entities can also be incentivized to ethically and responsibly collect data by creating a government approved market of accrediting agencies. These accreditors can carry out assessments on an annual basis to evaluate privacy policies and other data collection practices on a range of metrics including data minimization, purpose specificity, etc. – to provide score-based certifications / star ratings. A similar mechanism is also envisaged through the ‘Data Trust score’ in the PDP Bill. If well implemented, it can go a long way in addressing the shortcomings we see in the current context.

Privacy policies today remain complicated and inaccessible for many. There is a case to be made to behaviourally nudge users to invest more energy into comprehending and consenting to how their data is collected and used. Even as our lawmakers work towards devising a robust data protection law, we must also empower people and incentivise businesses to meaningfully safeguard privacy and autonomy in the digital realm – creating a win-win for all in the long term.

India’s road to a digital El-Dorado

Authors: Deepro Guha & Aishwarya Viswanathan
Published: April 29, 2022 in the Mint
As of 2021, India had issued over 1.31 billion digital identity cards via its Aadhaar platform, and over 1.1 billion digital vaccine certificates via its CoWin platform. More recently, its Unified Payments Interface (UPI), crossed the $1-trillion mark in transaction values after it recorded 5 billion transactions in a month for the first time in March 2022.

What makes these numbers come alive is the sheer speed at which these digital platforms have achieved this scale of operation. And while this digitisation journey began in 2010 with Aadhaar to empower Indian citizens, in recent times India has discovered that its home-grown digital solutions can not only be leveraged to further its own development agenda, but also support its wider diplomatic efforts.

Aadhaar’s open architecture that allows for scalability and vendor neutrality has already resulted in several countries approaching India to either replicate the model or at the very least take note of its technology to develop their respective digital ID systems. The most recent development on this front includes a grant to Sri Lanka to implement its own digital ID program, modelled on the Aadhaar experience.

In a similar vein, India’s National Payments Corporation of India (NPCI) – the developer of UPI – is also providing technological assistance through licensing and consulting for building real time payment systems to countries across the world. This is being done to both help countries establish their own payment systems, while also further integrate UPI with international payments infrastructure. So far, Bhutan has adopted UPI standards for its Quick Response (QR) deployment and Nepal has fully deployed the UPI platform – becoming the first country outside of India to do so, and the RBI and the Monetary Authority of Singapore MAS have announced a project to link their respective fast payment systems, UPI and PayNow. In April 2022, BHIM UPI went live across the UAE.

These recent collaborations hint at India’s commitment to nurturing ecosystem efforts to build and strengthen its digital diplomacy. There are two key factors that have enabled India to emerge as a leader in building and exporting such technology.

First, India’s IT sector, with an estimated value of over US$ 150 billion, and an employer of nearly 4.5 million people – has consistently remained a key driver of economic growth. In fact, India’s talent pool in the ICT ecosystem is also increasingly participating in developing and maintaining India’s digital infrastructure. For instance, the Digital Infrastructure for Vaccination Open Credentialing (DIVOC), an open-source vaccine management platform created by a private collective of technologists, eGov Foundation of India, has been leveraged by other nations, including Jamaica, Sri Lanka, Indonesia and the Philippines, to streamline their Covid-19 vaccination process.

Second, India’s strong political will and deliberative policy making – has been crucial in providing high-level direction to steer ecosystem efforts. For instance, Ministry of Electronics and Information Technology’s decisions to incentivize the use of open technology, through Policy on Adoption of Open Source Software, Policy on Open APIs, Policy for Open Standards etc., has expedited the creation of digital public infrastructure and digital public goods. An example of the benefits of such technology is the use of open APIs to leverage the Aadhaar database for providing services like eKYC, DigiSign etc.

The government has also recognized the importance of including diverse stakeholders in the initial decision making for building such digital infrastructure. This is crucial, as these are parts of highly technical ecosystems, and thus require specialized administration, which goes beyond traditional bureaucratic expertise. A prime example of this is the creation of an ONDC Council, which comprises experts from bureaucracy, finance, retail trade, coding etc. Once activated, the Open Network for Digital Commerce (ONDC) will allow various e-commerce entities to showcase their products/services on a common platform, thus potentially introducing greater competition in e-commerce in India.

The governments recognition of the importance of digital public goods led diplomacy also highlights the key role these instruments will play in an emerging new world order.

For example, in light of growing global risks (like wars, pandemics etc.), creation of such infrastructure in areas critical to the functioning of the global economy (like finance), will both increase India’s resilience and further its strategic advantage. This is why in December 2021, a parliamentary panel proposed India building an alternative to the SWIFT network (which has now been used to impose economic sanctions against Russia in retaliation against its invasion of Ukraine).

Furthermore, building indigenous digital solutions that can create interoperable systems between jurisdictions (like UPI), and potentially reduce compliance, transaction costs etc., can garner global goodwill for India. For example, Estonia’s X-Road open software ecosystem, which has recently allowed for cross border data exchange between Estonia and Finland, is a marker in global standard setting and has allowed Estonia to build impressive soft power in the technology domain.

As the world navigates a new wave of rising geopolitical tensions, the need for building resilience while fostering new forms of cooperation becomes more relevant than ever before. In this regard, India’s advances at laying out its own digital Belt and Road have been noteworthy, and something worth keeping our eyes on.

Data Protection Bill: Don’t mule the unicorn

Authors: Aparajita Bharti & Nikhil Iyer
Published: May 19, 2022 in the Economic Times
The Justice Sri Krishna Committee Report on a Free and Fair Digital Economy, which was the basis for the Personal Data Protection Bill, was released in July 2018. Until then, India had 16 unicorns – startups with a valuation of US$ 1 billion or more. Since then, there have been 84 more unicorns (as of May 2022). The upcoming law on data protection, currently under deliberation by the Ministry of Electronics and Information Technology, must create a conducive growth environment so that India’s startup ecosystem keeps thriving.

Broadly speaking, this law will set industry standards for data protection, resulting in enhanced customer trust in the digital economy. However, some provisions in the Personal Data Protection Bill 2019 and the Joint Parliamentary Committee’s (JPC) 2021 report merit a deeper discussion around the implications especially for India’s start-ups.

Startups around the world use various services and plug-ins to conduct their business efficiently, ranging from services that help with sending emails to customers, shipping, marketing, payments, etc. Often, these services are offered by global tech companies, who may be using foreign servers for their purposes, and who send processed data back to India to the concerned startup. Going by the JPC’s suggestions, these entities may need to obtain the DPA’s approval for each contract or scheme to be used for cross-border data transfers, which may deny approval on grounds of ‘public policy’ or ‘state policy’. This is an onerous requirement, which will require substantial resources from both the startups, and the Government. It is especially worrisome as the export-focused Information Technology/ IT enabled Services industries are crucial cogs in India’s growth story. Over half of these exports are to the USA, with another quarter to Europe.

There is also immense uncertainty over how non-personal data (NPD) will be regulated. NPD is data which is stripped of any personally identifiable information or which is anonymised, e.g. weather data, geospatial data, telemetry data, travel data, etc. The ability to process this data in innovative and creative ways, often through proprietary methods is important for startups, for which they invest significant technical and financial resources. Any law which mandates sharing of NPD, is bound to affect their incentives to invest in data collection, storage, analytics, etc., as it will interfere with the companies’ intellectual property rights over their datasets. This provision can also make Indian start-ups less attractive to global funders.

Further, neither does the current Bill, nor the JPC’s suggestions, forbid the Central Government from accessing foreign data once it is in India. This has raised concerns that India may not meet data adequacy requirements – essentially, it may fail to offer adequate protection to data that is imported into India for processing. Indian startups that look to process the world’s data will find these as impediments, as other countries may forbid their companies from sending citizens’ data to India.

Another cause of concern is for start-ups focused on building products for children. According to the Bill, Indian companies creating products and services for children in edtech, gaming, social media, etc. will have to contend with a high age of consent at 18 years, even as other countries allow children to consent to data processing at a much younger age- 13 in the USA, or 16 years, as under the GDPR in Europe. India’s current Bill also puts a blanket ban on profiling children, making customisation of services difficult, e.g., to use AI to offer customised programs for children in a classroom as per their learning abilities – further disincentivising innovation for this target group.

With regulatory ambiguity on key issues, the Indian startup story is at a crossroads today. On the one hand, recent months have indicated that the market is bullish about their prospects, going by the investments they have attracted. Investors have backed startups across a range of sectors – fintech, SaaS, e-commerce, travel, healthcare, education, etc., many of which have become unicorns. On the other hand, by imposing such requirements, we risk tempting Indian founders to register their startups outside India to avoid onerous compliance. An overzealous data protection framework can, therefore, undo decades of progress that the Indian start-up ecosystem has made.

While the Indian government’s aspiration to be a global thought leader in tech regulation is appreciable, straying too far from global benchmarks can have unintended economic consequences. One hopes that the next version of the Bill that the Government brings to Parliament, will take into account the aspirations of India’s entrepreneurs, to whom we are looking to create millions of jobs of the future.

Root out the prejudices in the Hindu Succession Act

We owe it to India’s daughters and their parents the same right to care for each other and be cared for by each other as we have for sons in our society, in life or in death.

Author: Aparajita Bharti
Published: June 03, 2022 in the Hindustan Times
Imagine a married couple without any children. The husband and wife work their whole lives, build their property and stash away savings in a joint bank account – hoping it will help in taking care of their ageing parents. Yet, when they die suddenly, without a will, all of their movable and immovable property is transferred to the husband’s parents. The wife, although economically independent and empowered, fails to provide for her parents because the 1956 Hindu Succession Act (HSA) which applies to 80% of India’s population including Buddhists, Sikhs, and Jains, dictates different schemes of property devolution for men and women if they do not have a surviving spouse or children: All of the husband’s property goes to his natal family, but the women’s property devolves to her in-laws.

Sections 15 and 16 of HSA are a point of contention in two landmark cases, one before the Supreme Court (SC) and another before the Punjab and Haryana High Court. In the first case earlier this year, the SC asked the government for its views. Shockingly, the government backed these provisions, failing to take into account the increased role of women in the economy, vastly changed family structures since 1956, and the blatant gender discrimination that this law legitimises.

On the one hand, we have laws such as The Maintenance and Welfare of Parents and Senior Citizens Act, 2007 which holds ‘all children’ equally responsible for the welfare of their aging parents and based on which successive judgements have emphasized that married daughters are responsible for their parents. On the other hand, we have provisions such as Section 15 in the HSA which systematically take away the right from daughters to provide support for their parents in the event of her untimely death. When the law exhorts daughters to care for their parents at par with sons, it also needs to provide an equal footing to both sons and daughters in the case of devolution of property after their death.

The changing demography adds more urgency to the need for reform. India’s Total Fertility Rate (the number of children an average woman will bear in her life) is 1.6 in urban areas and 2.1 in rural areas, indicating that fewer couples have children, and those who do have fewer children. In addition, the proportion of couples with only two daughters who accepted sterilisation more than doubled from 16% 1992-1993 to 33.6% in 2015-2016 (National Family Health Survey-4/NFHS-4), indicating higher acceptability of daughters as only children than earlier. Further, 42% of women own a house, and 32% of women own land jointly or independently. All these numbers indicate that women now hold more assets, they are the sole providers for their aged parents more often, and they do not leave behind children after their death as often. So, the number of people affected by HSA will only increase over time.

The Hindu Succession Act in its current form perpetuates the belief that women solely belong to their ‘married household’ after their marriage – a commonly cited reason for the preference for a male child as parents consider sons a safer insurance for their old age. No wonder, according to NFHS 5, the number of married people who want more sons than daughters is still several times the number who want more daughters than sons.

A paper published by National Institute of Public Finance and Policy in 2020 examined these provisions in HSA and suggested an amendment along the lines of the Goa Succession, Special Notaries and Inventory Proceeding Act, 2012, and the Indian Succession Act, 1925, which put men and women on par when it comes to devolution of property. The existence of these legislations points to the fact that legal precedents for an equal scheme of devolution already exist and parts of Indian society have already had years of experience with them.

One hopes that taking cognisance of the scholarship available on this topic, the government will revise its stance and bring an amendment to the Hindu Succession Act in the Parliament to correct this injustice. In the meanwhile, one also hopes that progressive states will amend these provisions given that succession is a concurrent subject. In absence of sincere efforts to root out the patriarchal biases from our laws, campaigns such as ‘Beti bachao, Beti padhao’ will fail to change long-held prejudices. We owe it to India’s daughters and their parents the same right to care for each other and be cared for by each other as we have for sons in our society, in life or in death.

Author: Aparajita Bharti is a daughter, also the Founding Partner of The Quantum Hub, a Delhi based policy research and consulting firm

Image credit: Feminism in India

Towards Regulating App Stores

Published: May, 2022

The App Store ecosystem

Mobile devices such as smartphones and tablets are an indispensable part of modern life. They enable internet connectivity and provide a range of products and services such as instant communication, access to music, news and gaming through mobile software applications or “Apps”. Much like computers, all mobile devices run using an operating system. iOS and Android (run by Apple and Google respectively) are the major mobile operating systems, having a combined worldwide market share of 99.28% (as of April 2022). In India, Android dominates the market with its market share being 95.1%, while iOS has 3.93%.

Users usually download apps from digital marketplaces known as app stores. All smartphones come with at least one native app store pre-installed on the phone – on iOS, it is the App Store and on Android, it is Google Play . By virtue of the large market shares of their underlying OS, App Store and Google Play have today become the dominant stores through which developers distribute apps to mobile users. Though some other app stores such as the Amazon App Store, Indus App Bazaar, Microsoft Store, F-Droid etc. exist, and one can sometimes also download apps via websites, the volume of downloads through these channels pales in comparison with the downloads through the App Store and Google Play. As a result, these stores are often termed “gatekeepers” of the app ecosystem.

App stores provide a wide variety of services to both users and developers. They do this by helping developers connect with users, and by subjecting all apps to checks before they can be published in the stores. These checks help reduce inappropriate and illegal content. As a result, users can easily find and securely purchase, download and update their apps. Developers gain too – app stores give them access to a large market, support app development, and provide various types of feedback through reviews, etc.

App stores charge a fee to cover the costs of providing these services and for facilitating transactions between developers and users. While many developers only pay a nominal listing fee to publish their app, the developers who sell digital goods and services are required to pay a set rate of commission on the purchase of paid apps, subscription services and purchases made within the app – known as “in-app purchases” (“IAPs”). The commissions charged vary depending on the type of app and sometimes, according to the jurisdiction where it operates. The Apple App Store charges either 15 or 30% commission on purchase of paid apps and IAPs, depending on the type of app. Similarly, Google Play charges either 15 or 30%, but this was not strictly enforced until recently. Other stores like the Microsoft Store charge 12% for games and 15% for other apps and the Epic Games Store charges 12%.

App Store policies and concerns around abuse of dominance

Given the extensive market share and user base of Google and Apple globally, their policies affect a wide swathe of users and developers, and changes to their policies can alter market dynamics for many participants. One policy that has received a lot of attention (and criticism) in the recent past has been Google’s decision to enforce a high commission on IAPs and paid apps by mandating the use of its proprietary payments system. Under this policy, developers will be effectively barred from using any other system to accept payments from customers. Several Indian developers have objected to this move and criticized the quantum of commissions as well as the lack of choice in picking a payments system, terming the proposed policy change unreasonable. Google’s new rules – which are already in force in some parts of the world and scheduled to come into force in India in late 2022 – could significantly dent developers’ profit margins, affecting both business viability and innovation.

While commissions are important for the operation of the stores themselves, it is difficult to determine the fair rates of commission. In the absence of competition, what is fair is not a straightforward question to answer, especially given the information asymmetry that plagues the relationship between developers and app store operators.

The problem is further compounded by the bundling of services – both the dominant app stores offer a multitude of services beyond any standard payment gateway available in the market. Because services are bundled, it becomes difficult to determine the fair fee for each service. The size and ubiquity of the dominant app stores, which benefit immensely from being pre-installed on their own operating systems, makes it almost impossible to ascertain a reasonable quantum or threshold for commissions.

Antitrust action around the world

Taking cognizance of these issues, several regulators around the world have expressed concerns with the policies of the dominant app stores. Apple is currently under investigation from regulators in the USA, Europe, Japan, Australia and India, while Google is also facing proceedings in the USA, Europe and India, among other countries. In India, cases were filed against Google and Apple with the Competition Commission of India (CCI) which is currently investigating them for abuse of market power in the country. In December 2021, the Netherlands competition regulator (ACM) found Apple’s App Store in violation of its competition laws. It has since levied a series of (weekly) penalties against Apple for what it asserts is continued non-compliance with its order. By the 28th of March 2022 these fines had totaled €50 million with the regulator threatening another round of fines “with possible higher penalties”. On the 28th of March 2022, France also joined the fray with the Paris Commercial Court levying a fine of €2 million on Google and asking it to rewrite clauses in its developer agreements that were deemed unbalanced within three months. The court said that Google could not provide it with any real justification for the commission charged.

But even as competition regulators are assessing the potential abuse of market power, several commentators have noted the limitations of this approach and called upon policymakers to rethink regulation of digital markets like apps stores.

Limitations of antitrust regulation

Competition cases such as the ones currently under investigation require in-depth technical research that usually results in lengthy proceedings leading to delayed regulatory action. This can lead to aggrieved parties facing irrevocable harm in fast-moving digital markets where speed of innovation and quick uptake of products is critical for success. A case in point is France where the competition authority had started legal proceedings in 2018 to examine the contract clauses introduced by Google in 2015 and 2016. Some of these disputed contract clauses had already been changed while the proceedings were underway.

Therefore, to minimize damage and ensure competition in digital markets, some governments have considered the enactment of ex ante regulation that can guide the behaviour of market actors by prescribing practices such as unbundling, to help prevent negative outcomes before they occur. In August 2021, South Korea passed a law barring app stores from forcing developers to use the app stores’ proprietary billing system, becoming the first major legislation worldwide to impact app store policies. A bill introduced in the US Senate also seeks to impose similar curbs. Another legislation – The Digital Markets Act – is currently under consideration in the EU.

Our Study

It is in the above context that The Quantum Hub worked with the Alliance of Digital India Foundation (ADIF) to assess the competitive landscape in the app store market in India, highlight pressing concerns of developers, and determine the need, if any, for government intervention.

Access the study here

COVID-19: The Gendered Impact on Urban Informal Workers in Delhi NCR

Published: February 2022

A year into the pandemic, its devastating impacts have disrupted social and economic infrastructure and have further marginalized millions of people. In many ways, the epicentre of the pandemic was felt among the urban informal workers in the country, particularly women. Already existing at the edge of precarity with respect to livelihood, social security, and shelter – all of which lay on the spectrum of informality – the humanitarian crisis brought about by the pandemic further widened the fault lines of their pre-existing social and economic vulnerabilities. As the government urged people to stay at home and the economic cogwheels of the country came to a grinding halt, India witnessed one of the worst recessions since independence, with the economy shrinking by a historic 7.3% in the first year of COVID. Overnight, urban informal workers across the country lost their jobs and incomes.

As a result of the loss in livelihood and income, it is estimated that about 400 million people, working in the informal economy in India, were at the “risk of falling deeper into poverty”. During this period, the number of people living below the minimum wage threshold of Rs. 375 per day had increased by 230 million. In addition, with the rise in COVID infections, urban informal settlements with their tightly spaced living conditions and poor sanitation were at the heightened risk of becoming a tinderbox for infection, thus making it unviable for large groups of migrant workers to stay in the cities. However, to arrest the spread of infection, the government placed heavy restrictions on mobility, including border restrictions across state lines and the suspension of public transport. As a result, thousands of migrant informal workers were left with no choice but to walk hundreds of kilometres to reach their hometowns, away from the cities where they were no longer able to afford food and rent.

While the impact of the pandemic was universal, several studies have observed that this was felt more harshly among women who were caught at the intersection of traditional gender norms, COVID-19 induced socio-economic challenges, and the general precarity associated with the informal sector. Not only were the total job losses higher among women (especially urban women), they also experienced an increased burden of care work during this period. Reports have also observed that violence against women and girls, particularly domestic violence, intensified during the lockdowns, leading to a ‘Shadow Pandemic’.

When tracing the progress of policies for informal workers, it is evident that the crisis began long before COVID-19 hit the country. The heightened challenges that women informal workers have been facing during the pandemic are thus an extension of their earlier precarious state. As a result, despite several relief measures announced by the government, many households had to reportedly cope by cutting down on their food intake, selling assets, borrowing money, or returning to their villages where they had some socio-economic support.

While several studies have been conducted on how workers can be best supported during such periods, there are gaps in existing data and research around the subject of women informal workers. This study hopes to fill those gaps and bridge the distance between research on pre-pandemic vulnerabilities, and institutional policy responses through the course of COVID-19 by looking at such workers in the context of the Delhi National Capital Region (NCR). In the absence of clear policy safeguards, the report also delves into informal channels and actors that organized during the pandemic and how similar such interventions can be supported.

Read the report here

Covid-19: Prioritise gender-responsive recovery

This International Women’s Day is a reminder that we must strive for a gender-inclusive economic recovery and not lose the strides made in women’s empowerment in the last few decades on account of the pandemic

Authors: Sona Mitra, Mayank Mishra & Nikhil Iyer
Published: March 05, 2022 in the Hindustan Times
The Covid-19 pandemic has caused serious economic disruptions. As we celebrate International Women’s Day (IWD), a focus on gender-responsive economic recovery is imperative to counter the disproportionate impact of the pandemic on women, especially in India.

The majority of the working women (around 91%) in India are in informal employment, characterised by job insecurity, income volatility, and the absence of social safety nets that prevent and assuage the impact of economic shocks. According to the State of Working India Report 2021, by December 2020, nearly 47% women suffered a permanent job loss, compared to 7% men.

Even though the Periodic Labour Force Survey (PLFS) 2019-20 reported an improvement in female labour force participation rate (FLFPR) for women aged 15 and above – 30%, against 24.5% and 23.3% the previous two years – scholars have disputed these gains. As per the latest official data, FLFPR had dropped to 21.2% in January-March 2021, with the female unemployment rate increasing to 11.8%, against 10.6% a year ago. (PLFS Quarterly 2021).

The informal sector lacks access or awareness of financial services, new modes of payment banks/platforms, and the requirements needed to access credit. For women workers, the hurdles to access are compounded by a lack of access to smart gadgets and the knowledge of using them.

The pandemic has also severely hit the women-owned MSMEs. The disruption caused by the successive lockdowns has led to a loss of revenue and business discontinuity for MSMEs, including women-owned ones. The Indian entrepreneurial ecosystem is heavily skewed – the last published economic census (2013-14) revealed that women-owned enterprises comprised only 13.8% of the total number of enterprises. Most of them are small businesses. Further, women entrepreneurs in India face issues like lack of skills, training, and support, adversely impacting their professional journey. In such a scenario, the pandemic may push women entrepreneurs out of the market, who may find it harder to return.

For a gender-responsive recovery, targeted and accessible government assistance is important to improve women’s access to jobs and earnings. Moreover, it is not only important to arrest the decline in FLFPR but also sustain the gains made in women’s economic empowerment, which clearly leads to positive spill-over effects on family planning, maternal and child health, investment in child’s education, etc. In this context, we outline a few proposals from our paper on a Gender Responsive and Inclusive Economic Recovery in the COVID-19 Context.

Let us begin with urban employment. There has been a discussion around the need for a national urban employment programme to complement the National Rural Employment Guarantee (MGNREGA) since the later part of 2020.

States such as Tamil Nadu have also implemented similar programmes. The scheme could inbuild minimum workdays guaranteed for women, with mandates on urban local bodies to pursue gender-responsive works and IEC campaigns. Such programmes have the potential in facilitating women back into the labour force.

Women are also securing opportunities in the emerging digital-enabled gig economy, particularly in platform work in the service domain. However, this form of employment is still precarious and needs social security coverage. The Code on Social Security was passed in 2020, which includes mention of platform and gig workers; however, its implementation is yet to be felt. Recent reports suggest 10 crore unorganised workers have registered on the e-Shram portal, of which about eight lakh are gig workers. The Government of India may consider providing incentives for platforms to offset the implementation costs that digital platforms will have to incur to provide social security to their workers.

To prepare women for industry 4.0, India has to provide skilling and training in digital and business skills tailored to the future of work. In line with the government’s priority to bring India online, women should be equipped to exploit the internet’s opportunities. Existing gender resource centres under the National Rural Livelihoods Mission (NRLM) and National Urban Livelihoods Mission (NULM), where women access information on schemes, entitlements, etc. could be upgraded to impart these skills. The PMKVY should include provisions for digital training of young girls.

And finally, prompt action is necessitated to redress the disproportionately (six times) high time Indian women spend on care work, which has worsened during the pandemic and has driven many women to withdraw from the labour force. Therefore, it is imperative that infrastructural provisions that reduce time spent on household chores and enable child and elderly care be provided to women at every nook and corner of the country. This would entail ensuring basic infrastructure such as water supply, road connectivity, energy, and clean fuel access. In addition, the universalisation of creches needs to be approached with utmost seriousness.

Further, as India has one of the worst health/education worker to population ratios, these are areas in which women can potentially find opportunities. Researchers at the Azim Premji University estimate that regularising the jobs of anganwadi workers, Accredited Social Health Activists (ASHA), etc. and filling existing vacancies can create up to 3 million jobs.

As the country strives to get back to normal, the government has an important role in ensuring that women do not get left behind. This IWD is a reminder that we must strive for a gender-inclusive economic recovery and not lose the strides made in women’s empowerment in the last few decades on account of the pandemic.

Authors: Sona Mitra is principal economist, IWWAGE, and Mayank Mishra and Nikhil Iyer are public policy manager, and policy analyst at The Quantum Hub Consulting