Needed, a new approach to data protection for minors

The principles of the ‘best interests of children’ and ‘more responsibility on platforms’ should inform India’s approach to data protection for minors.

Authors: Aparajita Bharti and Nikhil Iyer
Published: January 24, 2023 in The Hindu

How freely should Indian teenagers access the internet and what responsibilities do platforms have towards their minor users? These are important questions to answer correctly for achieving India’s digital ambitions.

The draft Digital Personal Data Protection Bill, 2022 currently provides for mandatory parental consent for all data processing activities for their children, defined as any person aged under 18 years. This approach however misses the mark on two fronts.

First, instead of incentivizing online platforms to proactively build safer and better services for minors, the Bill relies on parents to consent on behalf of the child in all cases. In a country with low digital literacy, where parents in fact often rely on their children (who are digital natives) to help them navigate the internet, this is an ineffective approach to keep children safe online.

Second, it does not take into account the “best interests of the child”, a standard originating in the Convention on Rights of the Child, 1989, to which India is a signatory. India has upheld this standard in laws such as the Commission for Protection of Child Rights, 2005, the Right of Children to Free and Compulsory Education, 2009, and the Protection of Children from Sexual Offences, 2012. However, it has not been applied to the issue of data protection.

The Bill does not factor in how teenagers use various internet platforms for self-expression and personal development and how central it is to the experience of adolescents these days. From taking music lessons to preparing for exams to forming communities with people of similar worldviews – the internet is a window to the world. While the Bill does allow the Government to provide exemptions in the future from strict parental consent requirements, profiling, tracking prohibitions, etc., this whitelisting process does not acknowledge the blurring lines between what a platform can be used for. For example, Instagram is, strictly speaking, a social media platform, but is regularly used as an educational and professional development tool by millions of artists around the world.

Another issue in the current draft of the DPDP Bill is that each platform will have to obtain ‘verifiable parental consent’ in case of minors. This provision, if enforced strictly, can change the nature of the internet as we know it. Since it is not possible to tell if the user is a minor without confirming their age, platforms will have to verify the age of every user. The Government will prescribe later whether verifiability will be based on ID-proof, or facial recognition, or reference-based verification, or some other means. Whatever form verifiability takes, all platforms will have to now manage significantly more personal data than before, and citizens will be at greater risk of harms like data breaches, identity thefts, etc.

We thus need to shift our approach with respect to children’s data before this Bill is brought to the Parliament. To avoid the folly of treating unequals equally and blocking off access to the internet for teenagers, first, we should move from a blanket ban on tracking, monitoring, etc. and adopt a risk-based approach to platform obligations. Platforms should be mandated to undertake a risk assessment for minors and not only perform the corresponding age-verification-related obligations but also design services with default settings and features that protect children from harm. This approach will bring in an element of co-regulation, by creating incentives for platforms to design better products for children.

Second, we need to relax the age of mandatory parental consent for all services to 13 in line with many other jurisdictions around the world. By relaxing consent requirements, we will minimize data collection, which is one of the principles that the Bill is built on. This relaxation in age of consent in tandem with the risk mitigation approach elucidated above will achieve protection for children online while allowing them access.

This solution draws on the experience and deliberations in the United Kingdom, California, New York, etc. where Age Appropriate Design Codes have been introduced. To tailor this solution to the Indian context, the government should also conduct large scale surveys of both children and parents, to find out more about their online habits, digital literacy, preferences and attitudes.

We must design a policy in India that balances safety and agency of children online. We should not put the onus of keeping our young safe only on parents, but instead make it a society-wide obligation. We have to get this part of the data protection framework right as India’s ‘techade’ cannot be realised without its young.

Aparajita Bharti is a Founding Partner and Nikhil Iyer is a Senior Analyst at TQH, a public policy consulting firm in Delhi.

Build and redesign flexible work ecosystem to boost women’s employment

‘Work-near-home’ centres being developed by the government must at the very least address infrastructure related challenges.

Authors: Shreya Ghosh and Suhani Pandey
Published: December 25, 2022 in The Times of India

Hon’ble Prime Minister Shri Narendra Modi recently evoked his vision of a flexible work ecosystem for women to improve the Female Labour Force Participation Rate (FLFPR). At a National Labour Conference organised by the Ministry of Labour & Employment, he said, “The country’s labour ministry is preparing its vision for the year 2047 in Amrit Kaal. Flexible workplaces, work from home ecosystem and flexi work hours is the need of the future. We can use systems like flexible workplaces as opportunities for women labour force participation.”

There is no doubt that the pandemic has made work more flexible and this is especially relevant for a country like India, which has a massive services sector and a focused attention on building digital capabilities. A new normal is evident, with hybrid work arrangements continuing even as COVID-19 infection rates are seemingly receding.

In 2021, the Microsoft Work Trend Index predicted that hybrid work was “here to stay”. According to a BCG and Nasscom survey, approximately 65% of IT sector employees want to relocate outside of major cities to bring offices closer to the hometowns of some of their employees. However, many commentators in India complained that not everyone has the right infrastructure at home to work remotely.

Perhaps, to solve this conundrum and to encourage young people to work from relatively smaller cities, many states across India have recently announced policies and projects to build dynamic and flexible spaces of work. The Kerala government is piloting Work Near Home centres which focus on providing working professionals with IT-based shared work centres that attract both locals and the international Malayali diaspora.

In Goa, the IT Department is turning beaches into co-working spaces hoping to promote the culture of #WorkationGoa. For fostering entrepreneurship, states such as Jharkhand and Telangana have created co-working spaces at incubation centres. More states are likely to follow suit, as this trend presents an opportunity for broad based growth across regions, instead of concentrating jobs in megacities. However, we need to incorporate a gender lens into these projects from the very beginning to realise the Prime Minister’s vision and enhance opportunities for women’s participation in the labour force.

There are many barriers to women’s labour force participation including social norms, time spent on child and elderly care, distance, lack of safety in mobility, limited mentorship, pay gap, mismatch of skills and aspirations, etc. ‘Work-near-home’ centres being developed by the government must at the very least address infrastructure related challenges. These spaces should incorporate gender-responsive design including provision of quality creches, last mile connectivity, safe public transport and adequate sanitation facilities. This might require speeding up the notification of Rules under the Maternity Benefit Act, 2017 and revisiting urban plans from a gender perspective. These centres must also be accessible to the disabled, since they often find it challenging to migrate to other cities away from their families.

Aligning with provisions of the Rights of Persons with Disabilities Act, 2016 is critical in this regard. Complementing inclusive infrastructure, other features of the work environment should also be gender intentional. For example, compliance with the Sexual Harassment of Women at Workplace (Prevention, Prohibition, and Redressal) Act may become complicated at shared work spaces. Clarificatory guidelines from the government might be helpful for the formation and functioning of Internal Committees at such ‘work near home centres’ to ensure workplace safety.

Additionally, women who choose these centres as their workplace must also have access to networking and mentorship opportunities to enable their career advancement and strengthen the local ecosystem of professionals. These government-run facilities can work with the private sector to co-create such programs.

Further, to encourage inclusion from the perspective of gender as well as for people with disabilities in privately-built infrastructure, state governments can consider devising an accreditation model which rates and certifies workplace infrastructure according to its gender intentionality and accessibility features. This model would incentivise building of inclusive infrastructure, but also enhance the quality of these facilities over time as companies will prefer better rated facilities for their employees’ satisfaction.

Today, female labour force participation in India is around 25% according to the Periodic Labour Force Survey (PLFS 2021) data. We need to work on many levers in tandem to move the needle on this disappointing number. Flexible work is one of the opportunities that the large IT-enabled/BPO service sector in India can tap into to bring in and retain more women in the workforce. As states seek to take advantage of this trend to catalyse local development, a gender responsive and social inclusion approach may also provide a much needed fillip to women’s participation in the IT/ITeS sector and India’s growing information economy.

Authors: Shreya Ghosh is senior policy & advocacy manager at IWWAGE and Suhani Pandey is public policy associate at TQH Consulting

The tiered system RBI should consider for merchant discount rate charges on digital payments

Overall, it seems as if a tussle is brewing between India’s monetary and fiscal authorities. However, to objectively evaluate this debate on charges for P2M transactions, it is important to understand incentives and dynamics at play in the payments ecosystem.

Authors: Rohit Kumar and Aishwarya Viswanathan
Published: November 11, 2022 in The Economic Times

From debit and credit cards to e-wallets, India’s payments landscape has seen many waves of innovation and regulation over the years. Today, India’s latest home-grown innovation, the Unified Payments Interface (UPI), currently free of charge, is the subject of a fiery debate on whether levying charges will slow the adoption of digitisation or, worse, undo its gains and hasten a reversal to cash transactions.

In August 2022, the Reserve Bank of India released a discussion paper (bit.ly/3G7BHf6) to elicit feedback on charges in the payments system. The paper approximated that, collectively, the various players enabling a UPI peer-to-merchant (P2M) transaction with an average value of ₹800 incur a charge of ₹2. A few days later, the finance ministry tweeted that UPI will continue to remain free of charge and cost concerns of service providers will have to be met through other means.

Overall, it seems as if a tussle is brewing between India’s monetary and fiscal authorities. However, to objectively evaluate this debate on charges for P2M transactions, it is important to understand incentives and dynamics at play in the payments ecosystem.

The ability to ensure frictionless and secure real-time payments via UPI is heavily dependent on banks and third-party app providers that perform a range of functions, including the acquisition of merchants, provision of infrastructure, fund transfers, and, as such, bear significant fixed and operating costs for facilitating transactions. While the finance ministry has already allocated two rounds of subsidies of ₹1,500 crore and ₹1,300 crore to boost digital transactions, continued subsidising of costs is likely going to be fiscally unsustainable.

And even if subsidies are an option, they can be an impractical offering that can lead to coordination difficulties with respect to allocation between payment players. For instance, in June, several payment companies wrote to the National Payments Corporation of India (NPCI) complaining that a large chunk of the money granted in the budget is being retained by banks, with very little flowing their way.

Here, it is important to note that much of UPI’s capture of India’s payments landscape has been enabled by payment companies operating third-party apps, who have invested heavily in designing user-friendly interfaces and instituting attractive cash back offers to drive adoption. But without adequate fiscal support, they are being incentivised to pursue other means of monetising their business.

What goes UPI, stays up

While some apps have chosen to directly pass on costs to consumers in the form of platform fees on services such as prepaid phone and direct-to-home (DTH) recharges, others are making up for lost revenue through cross-selling. A few others are indirectly imposing costs on users through data monetisation. In the absence of a comprehensive data protection legislation, the repercussions of some of these practices can be worrisome.

While the zero-charge framework for UPI transactions has certainly played a role in providing a fillip to the payments ecosystem, its role in incentivising adoption may be overestimated. In the digital payments space, the cost of acquisition and maintenance of UPI’s QR (quick response) code infrastructure continues to be among the lowest for merchants. While it took over a decade to increase the number of point-of-sale (PoS) terminals from 5 lakh to 50 lakh, there are already over 10 crore QR code terminals in the country. By the time UPI completes a decade in existence, the number of QR codes is set to reach 170 crore.

Apart from the asset-light infrastructure, a steady proliferation of use-cases has been critical to merchant uptake. From recurring payments to FASTag recharges and ever-increasing acceptance of cross-border payments, continued innovation and development of UPI’s mandate promises to preserve UPI’s ubiquity and the expansion of its merchant base.

Against this background, instituting a merchant discount rate (MDR) may represent an important avenue of cost recovery for intermediaries. Rather than denting merchant acquisition or retention, MDR may help maintain uptake by making the system more resilient and sustainable, a factor also critical in driving more users towards UPI. The fact that UPI currently accounts for almost 50% of digital financial fraud and lacks a robust real-time dispute-resolution mechanism also reflects the urgent need to create adequate financial incentives to enable robust systems for trust-building and longevity.

Since merchants have an option to choose between different service providers that offer the best rates, the market for merchant acquisition is generally competitive. So, ideally, the regulator should let MDR be market-determined. However, to ensure that the optics of levying MDR does not taint public perception or adversely impact acceptance of UPI, the regulator can consider instituting a tiered system of charges. UPI can be kept free of charge for low-value transactions, with higher-value transactions being charged a market-determined MDR. The threshold above which payments get charged can be decided by the regulator based on the funds required for sustainability as well as consumer price sensitivity.

Separate wheat from cost

For this, understanding the elasticity of demand to UPI transaction charges will be useful. Such research will help ascertain how usage of UPI is likely to be reduced if costs were to increase and, consequently, assist in identifying the threshold that balances costs and returns effectively.

This exercise can particularly help India’s monetary authorities proceed with a degree of certainty and assuage the concerns of the fiscal administration – which is actually pursuing the same objective: a safe and secure digital payments landscape.

Creating ‘good’ digital public infrastructure

Looking beyond the ‘tech’ aspects of digital public infrastructure to how it interacts with users as individuals, as collectives, and in societies.

Authors: Kriti Mittal, Varad Pande and Aishwarya Viswanathan
Published: October 26, 2022 in ORF

The COVID-19 pandemic revealed that despite the vast difference in our geographical, cultural, social, and political contexts, one thing that countries all over the world urgently need is digital public infrastructure (DPI).

DPI comprises foundational population-scale technology systems on which the digital economy operates, such as identity systems, payment systems, data exchanges, and social registries.

Some countries, such as India, were able to leverage existing DPI to provide targeted social protection assistance to their citizens amidst the pandemic; on recognising the benefits of ‘digital-delivery’, others such as Togo and Sri Lanka undertook efforts to rapidly build their own. The demand for DPI among countries has grown significantly since then, with the World Bank’s Identification for Development initiative alone currently supporting 49 countries to implement digital IDs.

Today, DPI is increasingly being built using open-source and modular technologies that enable ‘interoperability’, which facilitates the exchange of information between different arms of the public and private sector, thereby, vastly improving the speed and scale of service delivery. This represents a paradigm shift from older end-to-end siloed systems, wherein governments provided end-to-end services through monolithic tech systems, to building minimal digital infrastructure that allows multiple actors to build solutions on top. DPI designed in this way can mean significant time and cost savings. For instance, conservative estimates suggest that Estonia’s X-Road—an open-source government data exchange system that facilitates the provision of over 99 percent of all government services digitally—saves Estonians an estimated 820 years of working time every year and approximately 2 percent of GDP.

Another DPI success story is India’s Unified Payments Interface (UPI), which facilitates the largest number of daily transactions of any tech platform in the world, and is estimated to have resulted in savings of US $12.6 billion in 2021. Moreover, since its launch in 2017, India has been improving financial inclusion at a compound annual growth rate of over 5 percent, a significant expansion of India’s formal financial system.

‘Good’ DPI is more than just the tech

Given such unprecedented population-scale impact, there is now a growing consensus around the necessity of DPI. However, there is much debate about what constitutes ‘good DPI’. As countries embark on the journey of building, maintaining, and scaling their DPI, it is imperative to understand that the technology, no matter how powerful and essential, does not exist in isolation and cannot solve all problems by itself. To maximise the benefits of DPI for the provision of citizen-centric services, and minimise risks and potential harms, the ‘non-tech’ layers of institutions, legal and regulatory frameworks, and communities are equally, if not more, important than robust technology solutions. In this regard, the ‘open digital ecosystems’ (ODE) approach offers a useful framework and set of guiding principles, with a strong emphasis on strengthening DPI through citizen-centric design and safeguards, sustained community engagement, institutional capacity building, and robust governance.

To design ‘good’ DPI, countries can build on the ODE approach and focus on getting three key ‘non-tech’ elements right: trust, access, and collaboration.

  • Building trust in the ecosystem to drive DPI adoption 

The potential of DPI to generate new economic and societal value largely depends on the extent of end-user adoption, which, in turn, depends on how much citizens trust the new technology. Building trust in the context of DPI has many dimensions—from data security and privacy to institutional accountability and grievance redressal, to proactive communication and change management.

In an increasingly digitised society, data privacy and security are among the biggest risks for users if DPI is not designed with adequate safeguards. Safeguards can be built in both the tech and non-tech layers. Firstly, they can be incorporated into the design of the technology itself as a ‘default setting’ to protect all citizens, including those who may not be equipped to make active choices to protect their personal data. Secondly, safeguards can be put in place through robust governance (data protection laws and accountable institutions).

‘Security-by-design’ and ‘privacy-by-design’ principles, which include both technological and policy choices, can be incorporated at all stages of the development of the DPI. Security-by-design principles, to ensure secure processing and sharing of data, include access control, encryption, anonymisation, and the like.

Privacy-by-design principles include ensuring data is collected for a specific and limited purpose, designing mechanisms for informed consent for data sharing that are in adherence with relevant data protection laws, and defining usage and obligations around the processing of data.

Additionally, countries can learn from ongoing research on behavioural science approaches to data privacy that are experimenting with innovative mechanisms, such as behavioural nudges and simplified privacy ratings, which aim to reduce the ‘burden’ of making privacy-conscious choices on end users. Supporting such ‘responsible tech’ choices can play a key role in ensuring the security and privacy of citizens’ data and, thereby, building transparency and trust in the digital infrastructure.

The other key dimension of trust is the accountability of the ‘institutional home’ of the DPI. For example, in India, the Unique Identification Authority of India (UIDAI) is the institutional home of the Aadhaar system. Similarly, the National Health Authority is the institutional home of the digital health infrastructure. Ensuring accountability of these institutions includes conducting frequent public consultations, having responsive grievance redressal, establishing the right legal and institutional structure in line with the objectives of the DPI, and guaranteeing transparency in reporting and disclosing audits. The risk of diffusion of accountability because of multiple actors being involved in digitally-mediated service delivery between the state and the citizen must be proactively addressed.

Lastly, DPI implementation results in significant changes in the roles of last-mile government functionaries, as well as the processes through which citizens interface with the state. Managing these changes sensitively, developing mass awareness campaigns and innovative mechanisms for government-to-citizen and citizen-to-government communications will be crucial for enhancing users’ experience, and a sense of connectedness and co-ownership of the DPI.

  • Working towards universal digital access and inclusion 

Digital accessibility—access to digital connectivity as well as digital literacy—is fundamental to the adoption of DPI. It is also critical, especially for low- and middle-income countries starting their DPI journeys, to ensure that digitisation does not deepen existing regional and socioeconomic divides.

According to the International Telecommunications Union, the COVID-19 pandemic accelerated access to the internet, with the number of users increasing from 4.1 billion in 2019 to 4.9 billion in 2021. However, access is not uniformly distributed, with stark urban-rural and gender divides persisting. In India, for instance, 2021 National Health and Family Survey data also shows only 24.6 percent of rural women have ever accessed the internet, as against 72.5 percent of urban men.

Apart from access, limited digital literacy also impedes the meaningful adoption of DPI. Moreover, limited digital literacy or awareness also raises the risk of exposure to harmful online content, which can further disempower users and disincentivise adoption.

Measures must be taken to bridge these digital divides for countries to implement DPI without exacerbating existing structural inequalities. Multimodal access (feature phone, smartphone, computer) must be prioritised to accommodate for varying levels of digital access that might exist between different social groups. For instance, to drive the adoption of digital payments in India, the National Payments Corporation of India launched the UPI123Pay Service to allow feature phones without an internet connection to use UPI.

Field studies have found that even when digital services are accessible, trusted intermediaries or community anchors play a critical role in enabling adoption. Therefore, such a ‘phygital’ approach should be factored into the DPI vision. These intermediaries encompass a vast range of individuals and institutions, from local NGOs and community-based organisations to local politicians and trusted community leaders. By augmenting online touchpoints and processes with a human point of contact that often functions as the ‘last mile of service delivery’, omnichannel access can ensure underserved communities are able to access digitally-enabled service delivery.

Civic-tech organisations can also play an enabling role in facilitating last-mile inclusion by developing contextualised solutions, such as Gramvaani’s interactive voice response system for rural areas with limited connectivity, and Haqdarshak’s ‘assisted-tech’ model where community-based field agents support citizens in accessing government programmes.

  • Encouraging collaboration through open technologies 

The ability to collaboratively build solutions on top of core technology infrastructure or to reuse and repurpose digital building blocks to create new solutions makes the current approach to building DPI unique and different from past approaches. This opens the possibility for individuals, startups, non-profits, and others to contribute to population-scale digital solutions. Open-source software and building collaborative communities are the two key elements to making this happen.

DPI set up in areas critical to the functioning of an economy must be able to accommodate any unexpected increase in demand in the number of transactions or users, and also be able to respond to the evolving needs of a large and diverse set of users. Promoting and mainstreaming the use of open technologies—such as open-source software, and application programming interfaces and protocols, where anyone is free to access, use and share code—can be useful as they encourage collaboration and distribute the ability to solve population-scale challenges.

The technological and legal features of open technologies help governments avoid vendor lock-ins and, consequently, lower the costs of switching between vendors of proprietary software. The adaptability of open technologies is also useful in creating customised solutions tailored to local contexts. In other words, open technologies are a key enabler of citizen-centric innovation.

Such open innovation can also lead to unlocking significant value for countries. A 2021 European Commission study found that a 10-percent annual increase in open source software contributions would boost Europe’s GDP by an additional 0.4 percent to 0.6 percent, while also creating more than 600 additional tech startups in the bloc.

While open technologies create the possibility for the wider community of open-source developers, startups, and civil society organisations to participate in the development of digital solutions and services, it is also important to create concrete avenues for the community to recognise this opportunity and have incentives to participate. Many countries adopting this approach focus on creating enabling environments rather than building end-to-end solutions by introducing mechanisms such as sandbox testing, incentive-based innovation challenges/hackathons, incubation centres, and other test beds that provide avenues for meaningful participation. For instance, Singapore’s digital transformation agency, GovTech Singapore, hosts a portal where the community can contribute towards testing and suggesting improvements to GovTech applications. Similarly, India’s DPI for healthcare, the Ayushman Bharat Digital Mission (ABDM), has outlined sandbox testing guidelines, which will allow innovators to test their products or services in a controlled environment. As of June 2022, 867 health service applications were tested in the ABDM sandbox, and 40 applications have been successfully integrated.

The way forward 

The choices made by countries in the current era of building foundational DPI will have far-reaching consequences for future generations. From the point of view of long-term sustainability and equity, the most critical set of choices may be those pertaining to financing DPI and building the right kind of teams to manage DPI, with implications for trust, access, and collaboration.

Setting up digital infrastructure requires specialised expertise in technology and other fields like data analytics, design thinking, and social sciences. Therefore, institutions set up to build digital infrastructure must have systems for encouraging collaboration across domains. Developing in-house capacity and procuring top-quality external partners to build and maintain DPI is one of the most common problems that governments worldwide are grappling with and trying to solve in different ways. For instance, UIDAI pioneered a unique talent strategy where it enlists the services of experts from academia and industry from diverse backgrounds to work with the organisation. It lays down the recruitment guidelines for professionals, volunteers, and sabbatical/secondment officers, and details the manner of engagement, selection criteria and the code of conduct. In the US, the Barack Obama administration set up a ‘presidential innovation fellows’ programme, which evolved into a permanent technology team, to bring top talent into the US digital service.

Finally, developing a long-term financing model will be critical in ensuring the sustainability of DPI. In this regard, public resources are preferable for the development and maintenance of the ‘core infrastructure’ at the national level as this infrastructure must remain accountable to the wider population due to its pivotal role in enabling public service delivery. Private or philanthropic capital (typically with a higher capacity for risk) may be leveraged to test new innovative solutions by developing proofs of concept, prototypes, and pilots. Innovative mechanisms such as setting up a sovereign tech fund or using blended finance instruments could also be considered to finance resilient DPI. Overall, financing models for DPI, especially for different stages of its lifecycle, is an area that requires more research and experimentation.

The DPI vision of enabling speedy and sustainable service delivery at scale brings with it many changes in the relationship between citizens and states. While entirely essential and inevitable, the true potential of digital infrastructure lies in looking beyond the tech itself to focus on how it interacts with users as individuals, as collectives, and in societies. Approaches like the ODE framework are helpful to bring nuance to ongoing debates as countries begin to make critical choices on both tech and non-tech layers so that DPI can be deployed to meaningfully work towards society’s wellbeing.

The safety gaps in UPI payments — and how to plug them

Despite the ‘openness’ of the UPI architecture, a concentration of market power in the UPI ecosystem is no secret.

Authors: Deepro Guha and Aishwarya Viswanathan
Published: September 28, 2022 in the Livemint

Clocking volumes as large as 10,000 transactions per second, the Unified Payments Interface (UPI) has revolutionized real-time payments in India.

Launched in April 2016, a few months before demonetization and the arrival of new telecom players, initial UPI adoption was driven primarily by the state’s clampdown on the cash economy and dramatic crash in telecom data plan prices.

Subsequently, its open architecture model, which allowed for interoperability across banks and payment service providers, steadily endeared itself to India’s mobile-first consumer economy by offering unparalleled transactional convenience. Today, the country has over 100 million monthly active users of UPI. So, what sets UPI apart? At the forefront of its story is a strategy spearheaded by National Payments Corporation of India (NPCI), which, as UPI’s chief architect and custodian, has been dismantling barriers and incentivizing UPI adoption at two levels: local and global.

Going ‘Glocal’: Recent estimates suggest that a sizable section of India’s poor households have started using digital payment tools. Much of this increase in adoption can be attributed to UPI’s popularity, while NPCI continues its efforts to widen access to UPI by offering products such as UPI 123Pay, a voice-based payment service for feature phone users, and services like DigiSaathi, a 24-by-7 helpline, and UPI Lite for offline transactions. Although perhaps insufficient to address India’s challenges of digital literacy, access and connectivity, these efforts have nudged users to go digital and move away from the informal cash economy.

Similarly, in an era of great power politics being shaped increasingly by developments in the digital realm, NPCI’s partnerships with international networks are noteworthy. For instance, recent announcements of linking UPI with Singapore’s PayNow, Dubai’s NeoPay and the UK’s PayXPert may not only encourage adoption, they may also prove critical in bringing down remittance fees while decreasing India’s dependence on other cross-border payment systems. Remittances are not only an important source of household income, but also a critical source of financial inflows for countries, often higher than foreign direct investment (FDI). In 2021, India received $45 billion as FDI and $87 billion in remittances. Therefore, driving down the cost-of-transfer may magnify the platform’s benefits at the household level.

Overall, the adoption of UPI is a success story that needs to be applauded. However, this ubiquity and relentless rise is not without its risks, and critical questions that relate to UPI’s functioning and future need answers.

What are the risks of UPI infrastructure that users should be wary of? Despite the ‘openness’ of the UPI architecture, a concentration of market power in the UPI ecosystem is no secret. GooglePay and PhonePe still dominate it. While they deserve credit for their critical role in driving UPI’s spread, their dominance of this ecosystem is starting to preclude the meaningful participation of others in this market. To keep it contestable, NPCI had in its role as a quasi-regulator decided to issue a cap of 30% on transaction volume clocked by any single player. However, the deadline for compliance with this diktat has been pushed forth several times, with little clarity on how it will be enforced. These concerns have also been recognized by the Reserve Bank of India (RBI), which is studying regulations in other jurisdictions to find an effective solution to a problem that is not easy to solve.

More ominously, UPI currently accounts for a whopping 50% of all online financial fraud. Various devices old and new, such as phishing, malicious QR codes, etc, are being used to trick consumers. Part of the problem stems from the ease and newness of UPI; users are yet to fully understand and adapt to it. While card systems have over time developed robust systems for fraud prevention, this is yet to be addressed in UPI’s case. However, given its furious growth and user-base being more inclusive than those of card networks, a lot more needs to be done. To improve the security and reliability of the interface, UPI service providers would need to tweak their digital architecture, which in turn would entail additional expenditure. Hence, the next question.

What is the cost of the UPI infrastructure and who will bear it? RBI recently estimated that for a ₹800 merchant transaction, various stakeholders enabling a UPI swipe incur a collective cost of ₹2 per transaction, which suggested that the cost of infrastructure may not be sustainable in the long run. A few days later, the ministry of finance intervened with assurances that UPI will remain available free of cost. However, details of what fiscal support will be offered to keep UPI swipes free of cost are yet to be seen. Until then, questions of who will bear the cost of UPI, and for how long, will continue to loom.

Separately, given the involvement of multiple private stakeholders in the UPI payments chain, it is important to ensure the sustainability of their operations and alignment of their incentives with public good objectives. In this context, while many solutions have been suggested by experts, a tiered system of charges for ensuring UPI sustainability could be considered.

Overall, the time has come for us to look beyond UPI adoption. Identifying workable solutions to questions around competition and cost of operation will be critical in ensuring that India’s unique experiment in online payments continues to look up for years to come.

Betting big on healthcare

We discuss lessons from a research study undertaken for the Lancet Citizen’s Commission on Reimagining India’s Health Systems. The study highlights how healthcare came to be seen as a politically viable and electorally rewarding issue in some, but not nearly enough, States.

Author: Nikhil Iyer
Published: August 11, 2022 in The Hindu Business Line

Ask any politician at random if they think healthcare needs to be prioritised in India, and they are likely to say yes. Yet, there seems to be a sense of reluctance in making healthcare a political priority.

As India turns 75, we discuss lessons from a research study undertaken for the Lancet Citizen’s Commission on Reimagining India’s Health Systems. The study highlights how healthcare came to be seen as a politically viable and electorally rewarding issue in some, but not nearly enough, States.

In early 2022, Tamil Nadu and Rajasthan indicated they would legislate a Right to Health for their citizens. An emphatic political expression by the respective Chief Ministers, these bills signify a culture where politicians feel incentivised to deliver better healthcare as their competitors try to one-up them.

Take Tamil Nadu’s case. The Right to Health Bill’s antecedents include a maternity benefits scheme for women’s nutritional security (1987), procurement and distribution of free medicines (1994), health insurance (2009), and so on. Over decades, motivated by the Dravidian ideology, leaders like K Karunanidhi, MG Ramachandran and J Jayalalithaa pursued initiatives which have embedded an expectation of health among voters. Present-day politicians, who seek to sustain their legacies, thus have an incentive to continue reforms.

Competitive political issue

In Rajasthan, health has become a thriving, competitive political issue in the past decade. In 2011, then Chief Minister Ashok Gehlot introduced the free medicines and diagnostics schemes, which went on to become so popular that even his successor Vasundhara Raje had to continue them, despite murmurs about watering them down. Later in 2013, as CM, Raje introduced a health insurance scheme, and set up ‘Model PHCs’. On returning as CM in 2018, Gehlot first expanded the coverage and eligibility under the insurance scheme, and has now introduced the Right to Health Bill.

There have been a few more instances where Chief Ministers decided to bet big on health, in turn affecting voter expectations of other politicians in the State. A relevant example is the legacy of YS Rajasekhara Reddy in Andhra Pradesh, which is claimed by his son Jaganmohan Reddy today. YSR introduced the Rajiv Aarogyashri Scheme, the first State-wide health insurance scheme for families below the poverty line in India, in 2007, seeking to create a pro-welfare, rural-centric image for himself.

The insurance scheme’s ensuing popularity ensured that even when the opposition led by Chandrababu Naidu came to office, they could not roll it back, due to pressure from both citizens as well as hospital associations who benefited from the scheme. Jaganmohan Reddy, as the incumbent CM, has expanded the list of procedures and benefits under the scheme.

These examples indicate a much warranted shift. We can observe a virtuous loop of political action and voter demand — as most apparently has happened in Rajasthan. What started off as a free medicines and diagnostics scheme has today snowballed into a political plank for both major parties in Rajasthan. Good service delivery arguably leads to loss aversion among the voters, which builds pressure on competitor politicians to continue the scheme, and build on it. Even smaller reforms, such as guaranteeing delivery of medicines, may begin to change the political culture, and eventually lay the path for the State to pursue systemic reform.

Healthcare is by no means an easy issue to fix. Even after 75 years, our health system pushes more than 50 million people into poverty each year, with out-of-pocket-expenditure as high as 70 per cent in some States. The Covid-19 pandemic further uncovered the deficiencies of the Indian public health system.

One might expect that politicians would have adequate incentives to care for this issue, which affects virtually every voter. Yet, there is a marked absence of mainstream political discourse around health financing, outcomes, human resources in health, etc. This must change, and maybe our politicians, inspired by the examples above, will be incentivised to surprise the voters with a new political agenda involving healthcare.

Author: Nikhil Iyer is Senior Public Policy Analyst at The Quantum Hub Consulting

A Framework for Intermediary Classification in India

Published: December, 2022

Intermediaries in India are defined under section 2(w) of the Information Technology Act 2000 (“IT Act”). The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rules, 2021”), notified in February 2021, lay down the framework for their regulation. These rules introduce a new classification that categorizes intermediaries into different kinds and prescribes obligations for each category.

Although the classification is useful in providing differentiated obligations, the category definitions are still quite broad and not nuanced enough. In the digital world, there are various kinds of intermediaries, providing different types of services, and not all intermediaries inflict public harm or impact public discourse. Intermediaries providing enterprise solutions, for instance, are integral to the functioning of most organizations, but don’t pose the same risks as a platform that allows for wider dissemination of information. Therefore, bucketing all such intermediaries into one unified category and imposing similar legal obligations on them may not be appropriate.

As the Government of India prepares to replace the IT Act 2000 with a new Digital India Act, it may be worth taking a fresh look at intermediary classification to recognise the complexity of the online space today. The new approach can take a proportionate and risk-based lens to regulation by considering a range of factors such as platform features, number and types of users, as well as the nature of risks involved to propose an alternative classification framework. If such a framework were to create space for participation by the industry, it may also allow service providers to come up with solutions that work to address platform-specific dynamics, without running the risk of overregulation.

Given the above context, this paper attempts to propose a new way of classifying intermediaries to help improve accountability and online safety, while also reducing legal obligations for intermediaries. It is hoped that the proposed framework can help achieve the government’s policy goal of creating a safer internet ecosystem while also allowing businesses to thrive.

The Future of Work

Published: December, 2022

The COVID-19 pandemic ushered in some permanent changes in the way we work. With the outbreak of the pandemic, public health measures such as lockdowns became mandatory across the world, with over 90 countries imposing such measures by April 2020. Overnight, diverse sectors such as healthcare, education, business, government, and more had to find new ways to function while adhering to changing guidelines. It was information and communication technologies (ICTs) — such as video communications — that became the bulwark of our defense at this time, allowing economic activity to continue and helping employees work from the safety of their homes.

While it was the pandemic that led to the large-scale adoption of ‘teleworking’ models across sectors, the experience of working online through 2020 and 2021 gave employees the appetite and interest in continuing such models in the long-term. Today, many employers continue to offer teleworking options to employees.

This includes policies specifying job roles or teams that can work remotely, or others that require employees to work on-site only on certain days. Hybrid work — a mix of on-site and off-site workstyles — offers employees much flexibility in deciding their workstyle, with initial surveys showing that many employees value this flexibility. Data from job portals also shows that the number of searches for flexible work options has dramatically increased in recent times.

Over the past two years, there has been a decisive shift in expectations in the workforce. As a result, hybrid work arrangements, in some form or the other, are likely to persist well after the pandemic. Besides offering flexibility to employees, hybrid work allows employers to tap better talent, and enhance productivity. It could, with the right policies, help address socio-economic issues such as women’s labor force participation, access for disabled employees, as well as regional inequalities in economic development. However, there are certain safeguards needed for effective hybrid working too. These include reducing friction in the regulatory framework — particularly diverse labor laws that are yet to be updated to regulate the changing nature of work, issues such as ‘moonlighting’ and lack of access to suitable work environments in India’s multi-generational households, negative effects on work-life balance, data security and employee privacy concerns, and the extra burden of care work on women employees.

To minimize the risks posed to employers and employees, public policies and programs that support the uptake of hybrid work models will be crucial. To enable a fair and inclusive transition, governments and workplaces must balance workers’ needs with organizational and financial concerns. The government, in particular, could also proactively develop policies to support hybrid work, considering the potential benefits that such a shift might entail. As the definition of a workplace evolves, such interventions can help facilitate wider workforce participation and minimize implementation challenges, while making sure that employees working remotely get similar legal protections as their counterparts working onsite.

Internationally, many countries have already instituted policies and put their weight behind programs that encourage the transition. These include measures such as creation of well-equipped co-working hubs, tax exemptions, and a change in labor laws, including the rights of employees to disconnect after their agreed working hours. Besides these, India will also need to bolster its internet infrastructure so that ICT tools can work seamlessly across geographical boundaries.

It is in the above context that the team at TQH worked with Zoom India to put together this whitepaper to provide an overview of the emerging evidence on hybrid work in India, while identifying challenges affecting employees and employers. The whitepaper also looks at promising international practices aimed at facilitating hybrid work and provides recommendations that can help unlock its true potential for a productive and inclusive work environment in the country.

IT Rules: Content moderation, an alternative

Author: Rohit Kumar
Published: July 16, 2022 in the Economic Times. Full version below.

A lot has been written about the proposed amendments to the IT Rules. Many commentators have raised concerns that the rules go beyond the remit of the IT Act and seek more control of content moderation even as challenges are still pending in the courts. There have also been questions about the government setting up Grievance Appellate Committees and whether that will lead to political interference in moderation and censorship of critical voices.

While all of these are pressing concerns that merit deep consideration, there is also a need to examine the likely impact of the proposed rules on businesses – especially India’s digital startups – and the many administrative challenges that their enforcement may entail.

The press note accompanying the amendments explicitly says that the proposed changes are aimed at establishing stronger accountability standards, especially for the larger social media intermediaries who are perceived to be dragging their feet on compliance. The goal is to get all such intermediaries to set up better systems for grievance redressal and address the challenges presented by unlawful and harmful content being uploaded to their platforms. While this is a well-intentioned aim, the legal framework being proposed to fix the problem is likely to present many operational challenges, besides risking the freedom of speech of India’s digital citizens.

An example is the requirement to remove content within 72 hours of complaint if it is unlawful or harmful under the 10 prescribed (and very broadly defined) categories.

This change is specifically meant to address the issue of virality to ensure that the spread of unlawful or harmful content, including misinformation, is curtailed before it causes significant damage. While it is certainly important to cut the circulation of problematic content, the amendment is overzealous in that it extends the requirement to all intermediaries, irrespective of their size or the potential of virality. Content is usually likely to go viral on social media platforms with significant user bases that allow for large-scale dissemination and sharing of information. Therefore, it is not necessary that smaller social media platforms or intermediaries such as enterprise communication software, video conferencing services and platforms that allow only one-on-one communication such as matrimony apps be required to implement 72-hour redressal timelines.

Even on large social media platforms, all complaints may not require expeditious redressal if there is limited risk of virality. The government should therefore consider explicitly defining virality in terms of the width of spread and the pace at which information is getting shared. In the event of a complaint, content that crosses prescribed thresholds could be reviewed on priority. Such a provision is likely to help reduce compliance costs and also increase the efficacy of the grievance process.

Another issue to consider is the structure of the Grievance Appellate Committee (GAC). While the creation of an alternative forum of appeals – outside of the already overburdened judicial process – is well-intentioned, if set up in its proposed form, it is likely to encounter several challenges in its functioning.

Given the volume of users on the internet, the GAC is likely to be inundated with an unmanageable number of requests. Intermediaries also have varying terms of use and functionalities, which could make it difficult for the GAC to assess complaints arising from widely varying contexts. For example, content takedown decisions by social media intermediaries are likely to be different from those taken by online marketplaces or enterprise software like Slack, Zoho etc. Decision making in such a situation is likely to be both cumbersome and time-consuming, making the entire exercise administratively expensive and burdensome.

A potential solution to these issues could be a redesigned, tiered intermediary-industry-led appellate mechanism that culminates in the judicial system. To reduce distrust between regulators and intermediaries, and to force platforms to apply their terms of service uniformly, Evelyn Douek of the Harvard Law School proposes that intermediaries be required to put a wall between teams handling grievance redressal and those responsible for profitability/growth and political lobbying. Evelyn’s proposal can be further strengthened by requiring intermediaries to create the first-level appellate committees in-house with independent stakeholders from outside (such as in the case of the Sexual Harassment Act). The second level of appeal could potentially lie with an industry-wide appellate body, though it might be challenging to create a truly independent body that can be insulated from both business interests and political pressures. The final appeal, therefore, must lie with the courts to protect freedom of speech and to insulate the process from interference. This thinking is also reflected in the draft shared by MeitY.

The government could also call for compliance reports on the decisions of appellate bodies to be made publicly available. This is likely to help align incentives for compliance and fairer decision-making.

While policymakers are undoubtedly operating in a challenging environment, the proposed amendments may have several unintended consequences. The government is already consulting stakeholders to overhaul the IT Act in its entirety to equip itself with new tools to deal with the changing tech landscape. Perhaps it is time that this conversation be taken forward at full steam, so that alternative regulatory models can be built ground-up, instead of patchwork through amendments.

The tokenisation regime will affect all businesses that accept cards

Authors: Rohit Kumar and Aishwarya Viswanathan
Published: June 08, 2022 in the Economic Times. RBI has since postponed the deadline to 1st October, 2022.

The payments ecosystem in India is in for a stir. The Reserve Bank of India’s no-card-storage directive, initiated in March 2020, is set to kick in from July 1st, 2022. Starting July, both authorised payment aggregators and merchants will not be allowed to store customer card credentials. Instead, transactions will have to be processed through a card ‘token’ – an alphanumeric code unique to every combination of card and merchant.

Industry insiders largely believe that this move to tokenise is well-intentioned. With access to sensitive card information restricted to fewer players in the ecosystem, the likelihood of a data breach is reduced. However, with less than four weeks left for implementation, many maintain that the transition is unlikely to be seamless and will adversely affect both customer experience as well as payment completion rates.

Note: TQH undertook a range of work on ecosystem readiness for tokenisation, including representations to the RBI, panel discussions, technical explainers and opinion pieces. Please scroll down for the links to these pieces.

The payments ecosystem requires sequential interaction between players (merchants, payment aggregators and gateways, card networks, banks) for smooth end-to-end transaction processing. For the tokenisation regime to take shape, it will require the ecosystem as a whole to demonstrate a certain degree of ‘readiness’. As per industry body NASSCOM, this would mean banks managing at least 80% of the cards in circulation having tokenisation solutions, with stable APIs made available for merchants to integrate with their backend systems. Other bodies such as the Merchant Risk Council add that ‘readiness’ should also mean the ability to simultaneously create and process tokens, while being able to do so at high volumes and across use-cases, especially on days that see heavy traffic such as during e-commerce sales.

Voluntary disclosure on readiness, but hard to verify

So far, a few major card networks, some banks and payment aggregators have stated that they are ready with tokenisation solutions. Some have also indicated that compared to 6 months ago, their systems are much better equipped to handle token provisioning and processing. But while such disclosure by key players is welcome, available information still remains fragmented and superficial; it is also hard to verify. This coupled with the lack of any official information being made available by the RBI is creating a trust-deficit in the ecosystem at large, and more ominously between co-dependent players.

For instance, it is still not clear if the ecosystem is ready to use tokenised transactions for use-cases such as promotional offers and cashbacks. Merchants are also unsure if they’ll be able to process refunds for customers who choose to make online purchases as guests on a website i.e., without saving card details. Since acquiring banks will not be allowed to store customer card data starting July 1st, they may have no means to track transactions to fulfil refund requests in case of guest checkouts.

The anxiety being caused by this information asymmetry is being further aggravated by the ecosystem’s recent experience with RBI’s e-mandate on recurring payments. A media report published in May this year, after 7 months of the e-mandate regulations coming into force, highlighted that success rates for recurring transactions vary between 30-75% and the experience has been extremely damaging for smaller businesses. An important use case that has still not been solved for is international payments; many foreign developers who sell software subscriptions over the internet have found RBI’s compliance requirements cumbersome and have altogether suspended payments from Indian cards.

Unintended consequences

In this regard, it may be worth noting that the tokenisation regime will affect all businesses that accept cards, unlike the e-mandate which was only applicable to those offering subscriptions. Given that we are still seeing disruptions 7-8 months after the e-mandate kicked in, the disruption post-tokenisation may be significantly more widespread than what was previously experienced.

As the deadline approaches, players in the payments ecosystem are finding other ways to cope with the uncertainty. Some are taking pre-emptive steps to avoid disruption and circumvent compliance requirements. For instance – in a first, Apple said that they will stop accepting debit and credit card payments for both app purchases and subscriptions in India, as well as for payments on ad campaigns – a matter of concern for many small businesses who leverage credit to smoothen cash flows and ensure continuity of operations.

At a time when post-pandemic economic activity is slowly picking up pace, the RBI must recognise that forcing compliance in this manner is likely to disincentivise credit usage – a move that could have broader adverse effects on the economy as a whole.

RBI should demonstrate readiness

The idea of pushing hard for compliance and hoping that the ecosystem will fall in line may not be the best approach to adopt at this time. The RBI needs to demonstrate that the ecosystem is confident of transacting at scale, and across use-cases. As a first step, the central bank must clarify what it considers to be ‘readiness’, and then proactively seek information from ecosystem players to demonstrate the same. Additionally, it must also consider introducing some flexibility in the transition period – perhaps by allowing acquiring banks to store card data till the system stabilizes. This will go a long way in reducing anxiety and ensuring a smooth transition. Moreover, it will guard against other inadvertent consequences for the economy that might stem from impulsive actions by ecosystem players – all of whom are in a haste to comply, no matter the cost.


Related pieces of work

Evaluating Ecosystem Readiness: RBI’s No-Card-Storage Mandate [Medianama, 15 Jun, 2022]

Technical Explainer on Ecosystem Readiness [The Print, 16 Jun, 2022]

Will India Pay for RBI’s hurry [Times of India, 23 Dec, 2021]

Experts weigh in on how RBI’s new digital payment guidelines can impact small businesses [YourStory, 09 Dec, 2021]

The Data Protection Bill puts Indian children at a disadvantage. Here’s how

Over-reliance on parents for consent may curtail internet access for teenagers. The discussion on what is a good age-verification mechanism has been missing from the discourse.

Authors: Aparajita Bharti & Nikhil Iyer
Published: July 02, 2022 in The Economic Times

Imagine a 16-year-old boy getting his first smartphone in a tier-3 city. He has attended school online for two years of the pandemic. He helps his parents download and use new apps. His primary means of shopping is online and he orders for the family.

Contrast this with his 70-year-old grandmother, also a new smartphone user. Like many women of her age, she has had limited formal education and is learning to use messaging and social media apps to keep in touch with her family. Who is likely to be more vulnerable on the internet? And is age, then, a good indicator of a person’s ability to make decisions when it comes to their privacy and safety online?

This is a point of contention for policymakers across the world. Currently, as the Personal Data Protection Bill 2019 stands, any child below 18 years has to effectively obtain consent from their parent(s) or guardian(s) in all cases of their data being processed on the internet. Further, there is a blanket ban on profiling based on children’s data. If this provision remains unchanged, India will be an outlier globally.

In Britain and the US, for instance, parental consent is needed for those below 13, while in China this threshold is at 14. In the EU, the threshold age is 16, with an option for member-states to reduce it to 13. At the other end of the spectrum is Australia. Its Privacy Act, 1988, mentions no age of consent. Instead, consent is valid if the individual has ‘capacity to consent’. Entities handling individuals’ personal information have to decide on a case-by-case basis whether there is capacity to consent and take parental consent if they think fit.

In comparison, the high threshold of 18 years in India is out of touch with reality, and can seriously hamper Indian teenagers from fully experiencing the digital age. Nearly one-third of all internet users in the country were under 18 as of 2020. This number is likely to have increased in the Covid context.

Over-reliance on parents for consent may curtail access for teenagers due to various reasons, including parents’ lack of exposure, gender bias and unhealthy relationships. Further, the discussion on what is a good age-verification mechanism has been missing from the discourse, even as privacy experts concur that it should not itself lead to collection of more personal data and IDs.

Ctrl + Shift to Enter

To resolve this, policymakers could turn to the Convention on the Rights of the Child (CRC), 1989. It exhorts states – their legislative, executive and judicial arms – to act in the ‘best interests of the child’ in all matters pertaining to the realisation of their socioeconomic and political rights. India has upheld the principles of CRC in various legislations, such as the Commission for Protection of Child Rights, 2005, the Right of Children to Free and Compulsory Education, 2009, and the Protection of Children from Sexual Offences, 2012. This approach should also be applied to children’s data protection and privacy.

Britain’s Age-Appropriate Design Code (AADC), in force from September 2021, presents a model. AADC entrusts entities handling children’s data with a positive obligation to give primacy to the interests of the child. It lays down 15 standards, instead of strict dos and don’ts, directing entities to implement ‘age-appropriate’ design. This design should rest on principles of data minimisation, purpose limitation, transparency, avoiding usage of nudge techniques, default settings that safeguard children’s privacy, and so on.

Virtually all entities providing online products or services – apps, programs, websites, connected toys – are covered. AADC acknowledges that the ‘best interests of the child’ may differ on different platforms, depending on each platform’s use-case. For example, risks on a gaming platform may be different than on a video-streaming platform. The code, therefore, encourages platforms to consider their impact on children and build in mitigation strategies.

For example, while evaluating whether and how to process children’s data, entities must consider risks such as physical harm, mental health issues, excessive screen time, exposure to inappropriate content, etc. AADC also gives guidance on different age-verification mechanisms, including self-declaration, artificial intelligence (AI; by assessing usage patterns), third-party verification, and hard identification (through government-issued IDs), which can be applied proportionately to the risks faced by children on the platforms.

While India has a unique socioeconomic context, there are useful lessons from such models. In place of a blanket imposition, the data protection law must make room for a principles-based approach that allows both regulation and innovation to deal with online risks to children. Entrusting all responsibility to adults can prove to be ineffective, given the well-recorded consent fatigue, and lack of understanding among adults themselves.

Instead, regulation must make way for honest conversations among developers, regulators and parents on ‘what constitutes best interests’ of children, and how best it can be enabled on each platform while balancing their security and agency on the internet.

Privacy Policies and Consent are Broken – Here’s How We can Fix Them

Authors: Rohit Kumar & Avi Krish Bedi
Published: June 15, 2022 in The Hindu Business Line

Our data is more valuable than ever. With increased digital penetration, data has undoubtedly unlocked human potential to do a lot more – and efficiently. However, with more data comes a greater risk of misuse, often exemplified by data leaks and the illicit selling of personal data. The discourse on safeguarding our data, including the discussion on the PDP Bill, is emphasizing the primacy of privacy policies and user consent as our key bastions of defense. But, as we become more aware of how businesses and other entities collect, share, and monetize our personal data, we must revisit the structural shortcomings of this approach and consciously work to devise meaningful alternatives to safeguard our privacy and autonomy.

Try recalling the last time you earnestly read through a verbose and jargon-laden privacy policy before consenting to share your data – but don’t beat yourself up over being lax about it. Multiple studies have demonstrated that privacy policies and informed consent are broken. They suffer from three behaviourally-linked problems. First, the transparency/comprehension problem – wherein the verbose legalese used in privacy policies is often incomprehensible to laypeople; this problem is further compounded by low digital literacy in India. Second, the data repurposing problem – where entities do not overtly disclose all the additional purposes for which user data could be used, thereby resulting in ‘function creeps’. And third, the consent fatigue problem – where users, by virtue of having to repeatedly consent to data sharing, are tired of doing so and are thereby unwilling to expend the time and effort required to meaningfully consent.

An over-reliance on this approach has led to the prevalence of a binary “tick-the-box” approach to data protection, rendering “informed consent” perfunctory: while users have the choice to share their data, it is far from being a meaningful choice.

Some solutions posit that data collecting entities should remain legally accountable for any breach or misuse of personal data regardless of whether they obtained consent. To give this approach some teeth, a set of inviolable ‘data rights’ are envisaged. However, the problem remains in implementing and enforcing such rights. As it stands, India still does not have a data protection law, and such rights do not have legal grounding. Moreover, it can be difficult and time-consuming to prove infringements. For instance, if my data is used by AI and IoT for purposes other than what I consented to, how would I actually know? And if I somehow found out, will it be straightforward to mount a legal challenge? Moreover, by the time such a matter is adjudicated on, will any recourse offered be enough to offset the harm already done?

If we were to step back and take another look at the problem, we may be able to find some potential alternatives. Many of the core issues around data privacy are also behavioral in nature; users may wish to secure their data but their intention doesn’t always translate into action. So, by nudging human behavior through better design principles we may be able to unlock human-centric design as a potential solution to better data privacy. By placing people rather than the service-contract at the center of this relationship, we can enable better decision-making.

While designing privacy policies, for instance, UI/UX designers should be included at the very outset of the design process. Their inputs should be used to represent privacy policies visually – to show users how their data is going to be collected and utilized if they consent. Studies have shown that visually representing data flows – through short videos / animations – can make users more aware of what happens to their data when they consent, thereby reducing incomprehensibility and increasing transparency, while also tackling consent fatigue. This also has the added benefit of tackling limited literacy and linguistic diversity in a country like India.

Device makers and operating systems can also be encouraged to implement a ‘master privacy preference setting’ on user devices. Effectively, this will allow users to have a master control panel to preconfigure their data sharing preferences – where they can decide the frequency and type of data they are comfortable sharing in the normal course of online activity. And if a user’s master data sharing preferences do not meet the requirements of an app, they can either choose not to use it, or take time to specifically consent to its additional requirements. On the supply side, such a structure would incentivize the app to minimize data collection or even provide a ‘Lite’ version of their app – with basic functionality requiring only essential data from users – to prevent large-scale user drop-off.

Businesses and other entities can also be incentivized to ethically and responsibly collect data by creating a government-approved market of accrediting agencies. These accreditors can carry out assessments on an annual basis to evaluate privacy policies and other data collection practices on a range of metrics including data minimization, purpose specificity, etc. – to provide score-based certifications / star ratings. A similar mechanism is also envisaged through the ‘Data Trust score’ in the PDP Bill. If well implemented, it can go a long way in addressing the shortcomings we see in the current context.

Privacy policies today remain complicated and inaccessible for many. There is a case to be made to behaviourally nudge users to invest more energy into comprehending and consenting to how their data is collected and used. Even as our lawmakers work towards devising a robust data protection law, we must also empower people and incentivise businesses to meaningfully safeguard privacy and autonomy in the digital realm – creating a win-win for all in the long term.