Beyond legal compliance: Timing and path for adoption of privacy

By Dr. Jay Prakash, Co-Founder and CEO, Silence Laboratories

India’s remarkable journey in Digital Public Infrastructure (DPI), especially through
initiatives like UPI, Account Aggregators, and ONDC, exemplifies its commitment to
leadership in framework-driven digital transformation. These platforms have not only
democratised financial transactions but have also set a global precedent for efficient and
secure digital payment systems and collaborations.

A unique and responsible position:
The distinctive position has two key aspects: a) a proven track record of designing and
scaling to unprecedented adoption, and b) still being in the early years of unified digitisation. While this promises huge opportunities for business and value creation for citizens, it also
brings a unique chance to avoid mistakes made by developed nations. I am particularly
talking about adding privacy, through the early adoption of privacy-enhancing technologies
(PETs), to the digital DNA of the continuously evolving architectures built by these institutions of
national importance and regulatory bodies, because privacy guarantees have a lot to offer
to our economy beyond compliance and consumer trust.

Gleaning insights from the oversights of mature digital economies:
The continual clash and power struggle between data-driven companies and legal
authorities in developed countries demonstrate that privacy is treated as a superficial addition and an afterthought, rather than being intrinsically woven into the fabric of products and infrastructures. This is something that the architects of digital India can avoid by making technological strides towards privacy by design: integrating privacy at the foundational level of architecture and technological development.

Beyond compliance to privacy bills:
We can classify digital growth into a few stages:
Stage 1: Inclusion: India has done unprecedented work on fundamental infrastructure,
leading in inclusion, with DPI initiatives taking the penetration of banking from 17% to
80% in just 8 years, UPI hitting 10 billion transactions per month, and DigiLocker being used by 195 million citizens. The private sector has been complimented, as it is full of innovations and adaptations to its products.

Stage 2: Data Sharing and Governance Framework and Opportunity to Fix for Privacy: The next wave of growth vectors, driven by responsible and user-informed data, is poised to significantly enhance the Digital Public Infrastructure (DPI) and catalyze the creation of value-added services. We are already witnessing notable strides in standardising the movement and utilization of financial and healthcare data through innovations in the Account Aggregator (AA) framework and the Ayushman Bharat Digital Mission (ABDM) healthcare data exchange. The systematic approach fostered by AA and ABDM presents an opportune moment to embed privacy at the heart of system architecture and design.

In these ecosystems, Financial Information Users (FIUs) and Healthcare Information Users (HIUs) are particularly vulnerable to risks associated with the handling of user and business data. India stands at a critical juncture, with the potential to revolutionise how data is circulated through such aggregator systems. While these institutions access data streams with user consent, there is a risk of falling into the same conflicts observed in advanced digital economies. The crux of the issue lies in the intricate relationship between consent, data exploitation, and the often opaque interpretation of privacy in relation to consent. Addressing this challenge is essential to avoid replicating the contentious dynamics seen in more mature digital markets and to pave the way for a more transparent, user-centric data ecosystem. User consent is not a proxy for privacy guarantees, at least not while consent functions as a one-time, opt-only disclosure.

This scenario presents two critical challenges: Firstly, enterprises that extract data for aggregated analysis and build services atop this information become highly attractive targets for cyber-attacks, given their centralised nature.

Secondly, the current model of consent is fraught with limitations, requiring significant advancements in both user interface design and technology. Presently, consent mechanisms are often non-interactive, static, and unidirectional, characterised by rudimentary user interfaces and a lack of integration.

Moreover, they fail to provide mathematical assurances that data will be used strictly for the intended purposes and only by authorised entities. To navigate these complexities effectively, it is imperative to draw lessons from the experiences and regulatory approaches of other nations and techno-legal frameworks. This approach will not only address current vulnerabilities but also pave the way for a more secure and user-centric data ecosystem.

I strongly advocate for the integration of secure data collaboration frameworks as a fundamental component of both private enterprises and Digital Public Infrastructures (DPIs). A key principle is that data should remain with its original custodian, never leaving the source. Thanks to significant advancements in privacy technologies, institutions can now engage in collaborative analysis and derive joint insights without consolidating data streams. This can be achieved through secure multi-party computation (SMPC) and other distributed computing approaches.

Additionally, our frameworks should support computations on encrypted data, ensuring service providers have no access to the content. This can be realized using fully homomorphic encryption (FHE) or a combination of SMPC and FHE. The adoption of such Privacy Enhancing Technologies (PETs) should not be an afterthought; their full potential and seamless integration are best realized when incorporated at the inception of system development, as is the case currently with emerging systems.
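The joint-analysis idea above, where custodians derive a combined figure without pooling their records, can be illustrated with additive secret sharing, one of the simplest SMPC building blocks; this is an added example, not code from the author or from any DPI, and it does not cover FHE. The three institutions, their values, the function names and the field modulus are constructed assumptions, and the sketch assumes parties that follow the protocol and do not all collude against one custodian.

```python
import secrets

# Assumed field modulus (a Mersenne prime); inputs and their true total
# must be smaller than it for the result to be exact.
PRIME = 2**61 - 1


def make_shares(value, n_parties):
    """Split value into n random-looking shares that sum to value mod PRIME."""
    if not 0 <= value < PRIME:
        raise ValueError("value outside field range")
    if n_parties < 2:
        raise ValueError("need at least two parties")
    # n-1 shares are uniformly random; the last one fixes the sum.
    shares = [secrets.randbelow(PRIME) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares


def joint_sum(private_inputs):
    """Return (total, partial_sums) without any party seeing another's input.

    Custodian i splits its value and sends share j to party j, keeping one
    share itself. Each party publishes only the sum of the shares it holds.
    """
    n = len(private_inputs)
    # Row i: shares created by custodian i. Column j: shares held by party j.
    dealt = [make_shares(v, n) for v in private_inputs]
    partials = [sum(row[j] for row in dealt) % PRIME for j in range(n)]
    return sum(partials) % PRIME, partials


if __name__ == "__main__":
    # Constructed sample: loan exposure held by three hypothetical institutions.
    exposures = [1_250_000, 830_500, 2_010_250]
    total, partials = joint_sum(exposures)
    print("published partial sums:", partials)  # individually meaningless
    print("joint total:", total)
```

With only a few participants the published total can itself leak inputs (two parties can each subtract their own value), so such aggregates need a minimum group size.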

Stage 3: Value Creation through Privacy Guarantees: Privacy-preserving computations and collaborations can significantly enhance both local and international trust, opening new business opportunities previously unattainable. Transparent digital inclusion promises economic growth and better access to vital services. Studies indicate that adopting privacy technologies boosts the volume and quality of data shared by users and institutions. The assurance of zero data exposure provided by these technologies is a major catalyst for value creation across economies of all sizes. Privacy Enhancing Technologies (PETs) further enable programmable, transparent data usage authorization. This paves the way for UI/UX and human-computer interaction (HCI) researchers to develop dynamic, fully transparent consent management interfaces, allowing users to monitor, control, and revoke data usage consents.

2024 and beyond:
India stands at a pivotal point where such innovations can be adopted on a massive scale, transforming privacy from a mere legal requirement to a key value-creation metric. This shift calls for leveraging our R&D and engineering capabilities towards creating secure, privacy-preserving collaboration platforms and use cases beyond our current imagination.
