Give people control of their data


It takes me less than 15 seconds to hit “I Agree” to the standard terms and conditions whenever I download an app. Whether I am impatient or just oblivious to the value of the data that I am giving away, I am not alone in this act. All over the world, billions of consumers and businesses are doing the same–giving away their data to be used by other agents for a slew of unintended purposes. I realize now that upfront consent gives away my data for good. But should I care? Should society care about it?

The answer is a resounding yes. In democracies, our ideas, beliefs, and values form the architecture for how our system works. This system, in turn, shapes our lives. In the area of data governance, the existing system has failed to deliver and is out of line with our values as a society. Thus, the architecture needs to change.

What is the problem?

Technological developments over the last two decades have led to an explosion in the availability of data and how they are processed. It has also enabled large amounts of consumer data–often referred to as “big data”–to be collected and turned into a valuable commodity. In such a setting, it is important to be clear about who has control over consumers’ and businesses’ data, where these data are stored, with whom and under what conditions they are shared, and what data governance system underpins all of this. In most countries, a relevant privacy law describes a set of principles that define how personal data are collected, shared, and processed. However, despite these legal measures, consumers are usually unable to access their data, instead finding them stored in inaccessible, proprietary silos and in incompatible formats.

What is the solution?

In order to give individuals a way to take back control of their data, regulators must replace upfront broad and sweeping consent with granular consent. In a recent article, my co-authors and I developed a set of data governance principles that will enable consumers to take control of their data. Given the vast amount of data involved—as well as the need for security and low transaction costs—we also argued that the system must be digital.

India is pioneering such an approach to return data to consumers. Lessons taken from their foray into stricter data regulation can be useful for all legislators, whether they be in advanced, emerging or developing countries.

In the financial sector, the data governance system works as follows. There are four parties involved in this framework:

  • Data Subjects: Consumers and businesses whose digital trails create data.
  • Data Providers: Entities where consumer/business data are stored. These can include financial information providers, tax platforms, and insurance providers, among others.
  • Data Users: Entities who can provide services to the Data Subjects given that they have access to their data. These can include parties such as lenders, insurance companies, and personal finance managers.
  • Consent Managers (CM): Entities that ensure the data-sharing takes place according to the rules.

The figure below illustrates the role and timing of each party’s contribution:

  1. The Data Subject first needs to enroll with a Consent Manager (CM), and in so doing provides a list of approved Data Providers to the CM.
  2. The Data Subject seeks a service from a Data User.
  3. The Data User submits a data transfer request to the CM.
  4. The CM passes on the request to the Data Subject and gains consent for sharing the data.
  5. The CM submits this request to the Data Provider.
  6. After verifying the request, the Data Provider transfers the data through an end-to-end encrypted flow to the CM.
  7. The CM shares encrypted data with the Data User.

Figure 1. India: financial sector data-sharing system. Source: figure provided by author.

This data-sharing system architecture allows for high levels of data security. While the CM is aware of the identity of both the Data Users and Data Providers in the series of transactions sketched above, it is blind to the content of the data that it transfers. By contrast, Data Users are aware of the content of the data but blind to the identity of the Data Provider. Similarly, Data Providers are aware of the content of the data but blind to the identity of the Data User. Through the CM, data flows are separated from consent flows, ensuring the efficient transfer of data while respecting privacy concerns.
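The separation property described above, modelled as a toy Python flow added here (not code from the Indian system or from the author): the CM checks enrolment and consent and relays a MAC'd consent artifact plus ciphertext, but holds neither end-to-end key; the Data User decrypts the records but sees the provider only as a per-transfer pseudonym; the Data Provider sees the subject and the consent artifact but not the Data User's identity. The Diffie-Hellman group, hash keystream, HMAC artifact and pseudonym scheme are stand-ins assumed for illustration, not the framework's actual mechanisms.

```python
import hashlib, hmac, json, secrets

P, G = 2**127 - 1, 2   # toy Diffie-Hellman group (Mersenne prime); illustrative only

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def xor_stream(key, data):
    # Hash-derived keystream; the same call encrypts and decrypts (toy, no integrity).
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def run_flow(subject, approved, provider, records, user, consent):
    """Steps 1-7 of the flow; returns what each party observed so the
    separation of consent flow from data flow can be checked."""
    cm_log, user_view, provider_view = [], {}, {}
    cm_key = secrets.token_bytes(32)          # step 1: enrolment MAC key, CM <-> provider
    if provider not in approved:              # step 1: subject's approved-provider list
        raise PermissionError("provider not on subject's approved list")
    user_priv, user_pub = keypair()           # step 3: Data User requests, with ephemeral key
    cm_log.append(("request", user, provider, user_pub))
    if not consent:                           # step 4: CM must obtain the subject's consent
        raise PermissionError("subject withheld consent")
    # step 5: CM forwards a MAC'd consent artifact naming the subject, not the Data User
    artifact = json.dumps({"subject": subject, "user_pub": user_pub}).encode()
    tag = hmac.new(cm_key, artifact, "sha256").digest()
    # step 6: provider verifies the artifact, then encrypts end-to-end to user_pub
    if not hmac.compare_digest(tag, hmac.new(cm_key, artifact, "sha256").digest()):
        raise PermissionError("consent artifact failed verification")
    provider_view["saw"] = json.loads(artifact)
    prov_priv, prov_pub = keypair()
    ciphertext = xor_stream(shared_key(prov_priv, user_pub), json.dumps(records[subject]).encode())
    cm_log.append(("payload", prov_pub, ciphertext))   # CM holds neither private key
    # step 7: CM delivers ciphertext; the provider is shown only as a per-transfer pseudonym
    user_view["from"] = "provider-" + secrets.token_hex(4)
    user_view["data"] = json.loads(xor_stream(shared_key(user_priv, prov_pub), ciphertext))
    return {"cm": cm_log, "user": user_view, "provider": provider_view}
```

Inspecting the returned views shows the CM log containing identities and ciphertext only, while the provider's view lacks the Data User and the user's view lacks the provider's real name.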

Carefully designed digital public infrastructures, developed and implemented as public-private partnerships in which the public sector defines the regulatory guardrails while the private sector unleashes the forces of innovation, are proven approaches for spearheading economy-wide growth. The digital system discussed above, which allows individuals to effectively operationalize their data rights, provides a high level of security and operates at low transaction costs despite the massive amounts of data involved. In the 11 months since this system went live in India, accounts for some 1.1 billion individuals have been enabled so that they can reap the benefits of the value of their data. The Indian experience has demonstrated the potential to return control of data to individuals in a secure and cost-effective manner.

Such success cannot be taken for granted. In the development and implementation of India’s data governance system, legislators, technologists, and legal professionals have all played central roles. Different countries may wish to adopt different models, in part due to different legislative starting points. Yet whatever the particulars of the adopted data governance system might be, the principles underlying the data governance system in India remain crucial to building a secure global framework for users’ data.