Centre for Internet and Society

Setting the Agenda: A Behavioural Science approach to Data Privacy

Admin — 2019-07-04T16:47:31Z

Amber Sinha attended a meeting organised by the Centre for Social Behaviour Change (CSBC) at Ashoka University and the Busara Center for Behavioral Economics on 26 June 2019 at CSBC office, Vasant Vihar in New Delhi.

The session brought together a small group (8-12) of critical players from industry, academia, and the public sector to solicit inputs on the structure and content of India’s first experiment-based behavioural research on data privacy. This body of research, set to launch in the next few months, will use a behavioural science approach to answer 4 main topics facing data privacy: (1) consent practices, (2) business advantages for enhanced privacy, (3) willingness to pay, and (4) nudges to improve engagement in privacy. Equipped with a behavioural science toolkit, we aim to produce new evidence through lab and field experiments that help define best practices in data privacy across these topics. More info here.

For more details visit https://cis-india.org/internet-governance/news/setting-the-agenda-a-behavioural-science-approach-to-data-privacy

Digital ID Forum 2019

Admin — 2019-08-07T14:09:16Z

Sunil Abraham was one of the panelists at this event at Chulalongkorn University on July 3, 2019.

Click to view the agenda. Also see Wikipedia page

For more details visit https://cis-india.org/internet-governance/news/digital-id-forum-2019

The Impact of Consolidation in the Internet Economy on the Evolution of the Internet

Akriti Bopanna and Gurshabad Grover — 2019-07-03T12:53:53Z

The Centre for Internet and Society in partnership with the Internet Society organized an event on the impact of consolidation in the Internet economy. It was divided into two roundtable discussions, the first one focusing on the policies and regulation while the latter dealt with the technical evolution of the Internet. This report contributed to the Internet Society’s 2019 Global Internet Report on Consolidation in the Internet Economy.

Edited by Swaraj Barooah, Elonnai Hickok and Vishnu Ramachandran. Inputs by Swagam Dasgupta

This report is a summary of the proceedings of the roundtables organized by the Centre for Internet and Society in partnership with the Internet Society on the impact of consolidation in the Internet economy. It was conducted under the Chatham House Rule, at The Energy and Resource Institute, Bangalore on the 29 June 2018 from 11AM to 4PM. This report was authored on 29 June 2018, and subsequently edited for readability on 25 June 2019. This report contributed to the Internet Society’s 2019 Global Internet Report on Consolidation in the Internet Economy.

The roundtables aimed to analyze how growing forces of consolidation, including concentration, vertical and horizontal integration, and barriers to market entry and competition would influence the Internet in the next 3 to 5 years.

To provide for sufficient investigation, the discussions were divided across two sessions. The focus of the first group was the impact of consolidation on applicable regulatory andpolicy norms including regulation of internet services, the potential to secure or undermine people’s ability to choose services, and the overall impact on the political economy. Thesecond discussion delved into the effect of consolidation on the technical evolution of the internet (in terms of standards, tools and software practices) and consumer choices (interms of standards of privacy, security, other human rights).

The sessions had participants from the private sector (2), research (4), government (1), technical community (3) and civil society organizations (6). Five women and eleven men constituted the participant list.

Click to download and read the full report

For more details visit https://cis-india.org/internet-governance/blog/akriti-bopanna-and-gurshabad-grover-july-3-2019-impact-of-consolidation-in-the-internet-economy-on-the-evolution-of-the-internet

Pranesh Prakash as Resource Person for ITD seminar on Competition

Admin — 2019-07-04T16:23:51Z

Pranesh Prakash represented the Centre for Internet & Society (CIS) as a resource person for a training seminar held by the International Institute for Trade and Development, which is an organization with a UN mandate and funding by the Thai government. The event was held from 24 - 26 June 2019 at Bangkok.

The theme was "Competition Law and Policy for Sustainable Development". The audience was made up of government officials (mostly from competition commissions or from commerce ministries) from Thailand, Bhutan, India, Myanmar, Pakistan, Papua New Guinea, Vietnam. Click here to view the programme schedule. Pranesh Prakash was also a speaker in the session on Consumer Protection and Digital Rights- Defining Welfare and Fair Competition.

For more details visit https://cis-india.org/internet-governance/news/pranesh-prakash-as-resource-person-for-itd-seminar-on-competition

Facebook to pay Indians to give up privacy: Experts raise questions

Geetika Mantri — 2019-06-22T04:01:26Z

Facebook has launched a voluntary, opt-in program, which monetarily compensates users in exchange for their data.

The blog post by Geetika Mantri was published in the Newsminute on June 14, 2019. Pranesh Prakash was quoted.

On June 11, 2019, Facebook announced ‘Study,’ its market research app for Android users in US and India, which pays users who allow it to monitor how they use the applications on their phone.

The Study app will collect data on the apps installed on a participant’s phone, the amount of time spent using those apps, the participant’s country, device and network type and app activity names, which may show Facebook the names of app features the participants are using. It promises not to collect user IDs, passwords, or any of the participant’s content, such as photos, videos or messages and has assured that the information will neither be sold to third parties nor used to target ads. Facebook says it also won’t add the data collected to the user’s Facebook account if they have one. Read more about it here.

It’s clear that this is a voluntary, opt-in program, which monetarily compensates users in exchange for them giving up some of their privacy. A Facebook spokesperson told TNM that the payments will be made on a monthly basis through PayPal, but the amount and the rate were not disclosed. “Our partner, Applause, will handle all compensation,” Facebook said.

And while experts point out that Facebook is certainly not the first company that wants to do market research by collecting user data, the new proposal raises some pertinent questions about privacy and consent.

Not illegal, but what’s the end goal?

“It is clear that market research apps invade people’s privacy,” states Pranesh Prakash, a fellow at the Centre for Internet and Society. “However, asking people to opt-in for market research is not uncommon. And if consent is given, it is legal. There is nothing wrong with people participating in this as long as they are aware.”

That being said, Pranesh also points out that in many cases, market research such as this has led to useful insights about user behaviour and can contribute to public policy as well. However, in Facebook’s case, it is likely that the findings will be used internally and will not be made public.

When asked about the purpose of this data collection, Facebook said it was to make better products.

“Like many companies, we use market research to help us understand trends and build better products. This information is incredibly important to us because knowing how people use apps helps us prioritise and build better experiences for people,” a Facebook spokesperson said, adding that they are maintaining complete transparency.

No strong data privacy laws in India

While there is a requirement for participants to consent to share data with Study app, what makes Indian users vulnerable is that the country does not strong data privacy laws. The Data Privacy Bill 2018, modelled on the General Data Protection Regulations (GDPR) of the European Union, is yet to become a law and is riddled with loopholes in its present form.

Nitish Chandan, a cyber-security specialist, points out that though the Supreme Court deemed privacy a fundamental right of Indian citizens last year, the jurisprudence itself has not evolved – no major company or entity has been punished so far for a data breach.

“Had the Data Protection Bill been passed, there would have been a clear mandate for companies who want to process personal data as well as purpose limitation, meaning they can only process data for certain purposes and not others,” Nitish says.

And while the data collection is legal because consent is obtained, Nitish points out a strong data protection law would have barred from it being used for unethical purposes such as mass profiling. The Data Protection Bill for instance, under section 33 (1), bars large-scale profiling or any processing which carries the risk of “significant harm to data principles” unless the data fiduciary undertakes a data protection impact assessment in India.

Further, while purpose limitation breaches can be picked up by watchdogs, common people are unlikely to realise this and read the fine print, Nitish adds.

What conditions is consent being sought in?

Nayantara R, Programme Manager–Freedom of Expression at the Internet Democracy Project, tells TNM that Facebook’s decision to launch Study raises some very important questions.

"With calls for informed consent while giving away data, something like Study seems to satisfy many requirements. The app will clearly state what data is collected when a user opens it, etc. But the problem is approaching consent in an individualised manner, without questioning if there are structural conditions that enable giving consent. A useful parallel to draw is conversations on consent in the context of sexual relations. We question the power dynamics and surrounding circumstances in the giving of consent there. The Study app is a good case to confront what is the kind of consent we are after," she explains.

Nayantara argues that consent has to be situated in the larger ecosystem of power play. The situation is made complex by the monetary incentive. If a person needs the money and therefore consents to give up their privacy to a large company – how freely is that consent given? And is it a fair trade?

“These questions don’t have easy answers but are the conversations that we need to start having,” Nayantara states. “This is not so much about whether Facebook's motives are bad. The more important question it raises is about the demands that civil society has been making: consent, compensation in exchange for the labour on platforms etc,” she observes.

The Facebook spokesperson’s response indicated that the company has been aware of these debates and demands: “We’ve learned that what people expect when they sign up to participate in market research has changed and we’ve built this app to match those expectations.”

Not Facebook’s first time collecting data

This is not the first time that Facebook has launched an app for market research – its now-defunct Research app, launched in 2016, was rolled back after an investigation by Tech Crunch that revealed the app had violated Apple’s policies. The app had asked users to download a VPN onto their devices, ‘trust’ it (requiring users to give it permission), and could, if it wanted, access personal information of users, including private messages on social media apps, chats from instant messaging apps (inclusive of photos and videos), emails, web browsing history and even the present location of the person, by tapping into another app using the location feature.

This app – that also paid users up to $20 per month in gift cards to share their data – came under even more fire because it didn’t just target adults. People from age 13 to age 35 were eligible to download this app. Investigations also revealed that Facebook had ended up collecting some non-targeted data as well.

Additionally, it also bought the Onavo Protect app in 2014, which projected itself as a privacy app providing free VPN to users and allowing them to minimise their data plan usage. However, the app was collecting information on users, providing Facebook with deep analytics about which apps the users were using. The app was eventually discontinued after the data snooping was discovered.

Facebook seems to have learnt from these experiences. “We’re offering transparency, compensating all participants and keeping people’s information safe and secure,” a company spokesperson said. However, Tech Crunch reportedthat Study – which is only for users above the age of 18 – too could give Facebook crucial insights into competitors and features it could invest in on its own platforms based on what was popular on other apps users are using.

For more details visit https://cis-india.org/internet-governance/news/geetika-mantri-june-14-2019-the-news-minute-facebook-to-pay-indians-to-give-up-privacy

Workshop on 'Urban Data, Inequality and Justice in the Global South'

Admin — 2019-07-06T01:30:16Z

Aayush Rathi and Ambika Tandon presented our research on video-based surveillance in New Delhi at a workshop on urban data, inequality, and justice in the global South at the University of Manchester on 14 June 2019.

The agenda for the workshop and the presentations made by CIS can be accessed here. The research was conducted as part of a grant from the University, as part of a project on justice in data systems within cities. It will bepublished as a working paper by the university in July-August.

For more details visit https://cis-india.org/internet-governance/news/workshop-on-urban-data-inequality-and-justice-in-the-global-south

No Fintech company meets every single privacy requirement under IT Act: CIS report

Shilpa S. Ranipeta — 2019-07-08T02:34:59Z

The study shows that privacy policies companies such as Paytm, Jio Payments Bank, Airtel Payments Bank, Amazon Pay, Bhim are not accessible from the main website.

The blog post by Shilpa S. Ranipeta published by the News Minute on June 10, 2019, quotes the research done by Aayush Rathi and Shweta Mohandas of the Centre for Internet & Society.

A study by the Centre for Internet and Society on privacy and security policies of Fintech companies in India has shown that no company met every single requirements under the Section 43A Rules of the IT Act. A study of privacy policies of 48 companies has also shown that privacy policies of major entities such as Paytm, Jio Payments Bank, Airtel Payments Bank, Amazon Pay, Bhim are not accessible from the main website of the company.

The privacy policies were assessed based on the privacy policy requirements mandated by the Sensitive Personal Data or Information (SPD/I) Rules.

A fintech company is one that combines financial services and products with technology. The companies categorised as Fintech in this study are payment gateways, payment gateway aggregators, mobile and online wallets, digital payments banks, peer-to-peer lending platforms and miscellaneous entities that share features of the above categorisation.

Rule 4 of the SPD/I Rules mandates that a company that handles information should have a privacy policy that ensures it is dealing with the information provided by users as per the SPD/I Rules. It is also required that the privacy policy is published on the website of the company and is ‘clear and easily accessible’. However, the SPD/I Rules doesn’t specify what would constitute a ‘clear and easily accessible’ privacy policy.

In this research, CIS has studied accessibility as how many times a person has to click to access the privacy policy, if it is readily available on the homepage, if the company states its practices for privacy in language that can be understood by someone fluent in English and does not require prior legal or technical knowledge to be understood.

Here are some observations from the research:

Accessibility:

The study found that 38 companies have a privacy policy accessible on the main website of the company, 38 also have the privacy policy included in terms and conditions of all documents of the company that collects personal information.

However, policies of only 20 companies can be understood by someone without legal and technical knowledge and 16 can be partially understood. Privacy policies of RazorPay, Oxigen, Airtel Payments Bank, Capital Float, Freecharge, BHIM couldn’t be understood by someone without legal and technical knowledge.

“For some of the companies the privacy policy had to be located in the terms of service or under separate categories such as ‘legal agreements’, ‘key policies’, ‘security’, further making the privacy police more inaccessible. We anticipate that unless the user is specifically looking for the privacy policy, it is unlikely for the privacy policy to be perused in the usual course of a user’s usage of the services of the fintech provider,” the report states.

The study found that while most fintech companies in the sample explicitly specified personal information that was being collected, fewer privacy policies contained categorical provisions segregating the sensitive personal information that was being collected. However, it was unclear what each category specifically entailed.

“Another terminology that is often incorporated to broaden the ambit of information being collected is the definition of personal information as any information that may be provided by the user. This squarely places the onus of restricting information collection on the user, further compounding the handicaps users face in ascertaining the information that that firms are seeking to collect because of the illustrative nature of the listing of information,” the report states.

Option to not provide information and withdrawal of consent:

Interpretation Rule 5(7) states that the company should inform users even before collecting information that they have an option to not provide the data or information.

The rule also specifies that the individual must also be informed that he/she has an option to subsequently withdraw consent from the use of the data or information collected by the data controller.

However, Privacy Policies of 30 companies do not specify that the user has the option to not provide information. These include companies such as PayU, CitrusPay, Jio Money, Airtel Payments Bank, Paytm, Fino Paytech, Capital Float, Walnut, etc.

Only 17 companies specify that the user has the option to subsequently withdraw consent.

Registering grievances

The study showed that only 16 of companies mention the existence of grievance officer in their privacy policies.

Rule 5(9) of the SPD/I Rules state that companies are required to have a grievance redress mechanism in place vis-a-vis the user’s privacy practices.

“Thirty-two companies failed to not just provide a redressal mechanism but also failed to mention the existence of a grievance officer specific to the resolution of issues that users may encounter vis-à-vis the data controller’s privacy practices,” the report states.

Language barrier

All companies, except PhonePe, had a privacy policy only in one language – English. PhonePe provided a privacy policy in both English and Hindi.

“With the growth of the digital economy, a multitude of Indians are using online 46 services, and it is imperative that privacy policies be accessible and understandable to all users of the service. In the context of the fintech sector, accessibility to privacy policies takes on added significance given the fintech sector’s avowed promise of increasing access to financial products to hitherto underserved sections of the society,” the report states.

The research showed that few consumers, if any, read online privacy policies, despite expressing concern about their online privacy. And privacy policies are often very technical and not comprehensible by a regular user.

For more details visit https://cis-india.org/internet-governance/news/the-news-minute-shilpa-s-ranipeta-june-10-2019-no-fintech-company-meets-every-single-privacy-requirement-under-it-act-cis-report

HillHacks 2019

Admin — 2019-06-05T14:41:44Z

Karan Saini was a speaker at HillHacks 2019 organized by HillHacks in Bir, Himachal Pradesh from May 24 to May 26, 2019.

Karan's talk was on using web applications for intelligence gathering purposes. For more info on the event, click here

For more details visit https://cis-india.org/internet-governance/news/hillhacks-2019

Stockholm Internet Forum 2019

Admin — 2019-06-05T04:15:00Z

Swedish International Development Agency (Sida) organized the Stockholm Internet Forum 2019 in Stockholm from 16 - 17 May 2019. Gurshabad Grover was a panelist in the discussion on 'Influencing Internet Governance' co-organised by Article 19. The other panelists were Sylvie Coudray (UNESCO), Grace Githaiga (Kictanet), J. Carlos Lara (Derechos Digitales) and Charles Bradley (GPD). The discussion was moderated by Mallory Knodel (Article 19).

Gurshabad's primary contributions were around the motivations for civil society organisations to participate in technical internet governance fora, and how their role has matured at such fora in the last couple of years. Gurshabad extends his thanks to the inputs of Akriti Bopanna and Arindrajit Basu primarily for their contributions around the motivations for civil society organisations to participate in technical internet governance fora, and how their role has matured at such fora in the last couple of years.

Click to view the agenda. See the concept note here

For more details visit https://cis-india.org/internet-governance/news/stockholm-internet-forum-2019

ABLI Privacy Workshop

Admin — 2019-06-05T07:29:18Z

On May 21 and 22, 2019, Elonnai Hickok, participated in the ABLI privacy workshop along with side events in Singapore.

Click to view the agenda.

For more details visit https://cis-india.org/internet-governance/news/abli-privacy-workshop

Curating Genderlog India's Twitter handle

Admin — 2019-05-14T14:40:08Z

Shweta Mohandas has been nominated to curate Genderlog's Twitter handle (@genderlogindia).

Shweta Mohandas will be tweeting about topics related to gender and data, more specifically around AI, big data, privacy and surveillance. To view the tweets, click here

For more details visit https://cis-india.org/internet-governance/news/curating-genderlog-indias-twitter-handle

An Analysis of the RBI’s Draft Framework on Regulatory Sandbox for Fintech

vipul — 2019-05-08T13:57:49Z

The term Fintech is generally used to describe innovative technology and technological processes being used in the financial services sector.

Click here to download the file.

It originated as a term referring to the back-end technology used by large financial institutions, but has expanded to include technological innovation in the financial sector, including innovations in financial literacy and education, retail banking, investments, etc. Entities engaged in FinTech offer an array of services ranging from peer-to-peer lending platforms and mobile payment solutions to online portfolio management tools and international money transfers.

Regulation and supervision of the Fintech industry raises some unique challenges for regulatory authorities as they have to strike a balance between financial inclusion, stability, integrity, consumer protection, and competition. One of the methods that have been adopted by regulators in certain jurisdictions to tackle the complexities of this sector is to establish a “regulatory sandbox” which could nurture innovative fintech enterprises while at the same time ensuring that the risk associated with any regulatory relaxations is contained within specified boundaries. It was precisely for this reason that establishment of a regulatory sandbox was one of the options put forward by the Working Group on Fintech and Digital Banking established by the Reserve Bank of India in its report of November, 2017 which was released for public comments on February 8, 2018. Acting on this recommendation the Reserve Bank has proposed a Draft Enabling Framework for Regulatory Sandbox, dated April 18, 2019, (“RBI Framework”) which is analysed and discussed below.

Regulatory Sandbox and its benefits

While the basic concept of a regulatory sandbox is to ensure that there is regulatory encouragement and incentive for fledgling Fintech enterprises in a contained environment to mitigate risks, different regulatory authorities have adopted varied methods of achieving this objective. While the Australian Securities and Exchange Commission (ASIC) uses a method where the eligible enterprises notify the ASIC and commence testing without an individual application process, the Financial Conduct Authority, UK (FCA) uses a cohort approach wherein eligible enterprises have to apply to the FCA which then selects the best options based on criteria laid down in the policy. The RBI has, not surprisingly, adopted an approach similar to the FCA wherein applicants will be selected by the RBI based on pre-defined eligibility criterion and start the regulatory sandbox in cohorts containing a few entities at a time.

A regulatory sandbox offers the users the opportunity to test the product’s viability without a larger and more expensive roll out involving heavy investment and regulatory authorizations. If the product appears to have the potential to be successful, it might then be authorized and brought to the broader market more quickly. If there are any problems with the product the limited nature of the sandbox ensures that the consequences of the problems are contained and do not affect the broader market. It also allows regulators to obtain first-hand empirical evidence on the benefits and risks of emerging technologies and business models, and their implications, which allows them to take a considered (and perhaps more nuanced) view on the regulatory requirements that may be needed to support useful innovation, while mitigating the attendant risks. A regulatory sandbox initiative also sends a clear signal to the market that innovation is on the agenda of the regulator.

RBI Draft Framework

Since the RBI has adopted a cohort approach for its regulatory sandbox process (“RS”), it implies that fintech entities will have to apply to the RBI to be selected in the RS. The eligibility criterion provides that the applicants will have to meet the eligibility conditions prescribed by the government for start-ups as per the Government of India, Department of Industrial Policy and Promotion, Notification GSR 364(E) April 11, 2018. The RS will focus on areas where (i) there is an absence of regulations, (ii) regulations need to be eased to encourage innovation, and (iii) the innovation/product shows promise of easing/effecting delivery of financial services in a significant way. The Framework also provides an indicative list of innovative products and technologies which could be considered for RS testing, and at the same time prohibits certain products and technologies from being considered for this programme such as credit registry, crypto currencies, ICOs, etc.

The RBI Framework also lays down specific conditions that the entity has to satisfy in order to be considered for the RS such as satisfaction of the conditions to be considered a start-up, minimum net worth requirements, fit and proper criteria for Directors and Promoters, satisfactory conduct of bank accounts of promoters/directors, satisfactory credit score, technological readiness of the product for deployment in the broader market, ensuring compliance with existing laws and regulations on consumer data and privacy, adequate safeguards in its IT systems for protection against unauthorised access etc. and a robust IT infrastructure and managerial resources. The fit and proper criteria for Directors and Promoters which requires elements of credit history along with the minimum net worth requirements in the RBI Framework are conditions which may be too difficult for some of the smaller and newer start-ups to satisfy even though the technology and products they offer might be sound. The applicants are also required to: (i) highlight an existing gap in the financial ecosystem and how they intend to address that, (ii) show a regulatory barrier or gap that prevents the implementation of the solution on a large scale, (iii) clearly define the test scenarios, expected outcomes, boundary conditions, exit or transition strategy, assessment and mitigation of risks, etc.

The RBI Framework specifies that the focus of the RS should be narrow in terms of areas of innovation and limited in terms of intake. While limits on the number of entities per cohort may be justified based on paucity of resources, limiting the focus of the RS by narrow areas of innovation is a lost opportunity in terms of sharing of ideas and learning from the mistakes of their colleagues who may be employing technologies and principles which could be useful in fields other than those where they are currently being applied.

The RBI Framework specifies that the boundaries of the RS have to be well defined so that any consequences of failure can be contained. These boundary conditions include a specific start and end date, target customer type and limits on number of customers, cash holdings, transaction amounts and customer losses. The Framework does not put in place any hard numbers on the boundary conditions which ensures that the RS process can be customised to the needs of specific entities since the sample sizes and data needed to determine the viability of fintech entities and products may vary from product to product. However a major dampener is the hard limit of 12 weeks imposed on the testing phase of the RS, which is the most important phase since all the data from the operations is generated during this phase and 12 weeks may not be enough time to generate enough reliable data so as to reach a determination of the viability of the product.

Although the RBI has shown a willingness to relax regulatory requirements for RS participants on a case to case basis, it has specified that there shall be no relaxation on issues of customer privacy and data protection, security of payment data, transaction security, KYC requirements and statutory restrictions. Since this is only an initiative by the RBI the RS participants dealing with the insurance or securities sector would not be entitled to any relaxations from the IRDA or the SEBI even if they are found eligible for relaxations from RBI regulations. This would severely limit the efficacy of the RS process and is an issue that could have been addressed if all three regulators had collaborated thereby encouraging innovative start-ups offering a broader spectrum of services.

Once the RS is finished, the regulatory relaxations provided by the RBI will expire and the fintech entity will have to either stop operations or comply with the relevant regulations. In case the entity requires an extension of the RS period, it would apply to the RBI atleast one month prior to the expiry of the RS period with reasons for the extension. The RBI also has the option of prematurely terminating the sandbox process in case the entity does not achieve its intended purpose or if it cannot comply with the regulatory requirements and other conditions specified at the relevant stage of the sandbox process. The fintech entity is also entitled to quit the RS process prematurely by giving one week’s notice to the RBI, provided it ensures that all its existing obligations to its customers are fully addressed before such discontinuance. Infact customer obligations have to be met by the fintech entities irrespective of whether the operations are prematurely ended by the entity or it continues through the entire RS process; no waiver of the legal liability towards consumers is provided by the RS process. In addition, customers are required to be notified upfront about the potential risks and their explicit consent is to be taken in this regard.

The RBI Framework itself lists out some of the risks associated with the regulatory sandbox model such as (i) loss of flexibility in going through the RS process, (ii) case by case determinations involve time and discretional judgements, (iii) no legal waivers, (iv) requirement of regulatory approvals after the RS process is over, (iv) legal issues such as consumer complaints, challenges from rejected candidates, etc. While acknowledging the above risks the Framework also mentions that atleast some of them may be mitigated by following a time bound and transparent process thus reducing risks of arbitrary discretion and loss of flexibility.

Conclusions

While there are some who are sceptical of the entire concept of a regulatory sandbox for the reason that it loosens regulation too much while at the same time putting customers at risk, the cohort model adopted by the RBI would reduce that risk to an extent since it ensures comprehensive screening and supervision by the RBI with clear exit strategies and an emphasis on consumer interests. On the other hand the eligibility criterion for applicants prescribes minimum net worth requirements as well as credit history, etc. which may impose conditions too onerous for some start ups which may be their infancy. Further the clear emphasis on protection of customer privacy and consumer interests also ensures that the RBI will not put the interests of ordinary citizens at risk in order to promote new and untested technologies. That said, the regulatory sandbox process is a welcome initiative by the RBI which may send a signal to the financial community that it is aware of the potential advantages as well as risks of Fintech and is willing to play a proactive role in encouraging new technologies to improve the financial sector in India.

Report of Working Group on Fintech and Digital Banking, Reserve Bank of India, November, 2017, available at https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=892

Jenik, Ivo, and Kate Lauer. 2017. “Regulatory Sandboxes and Financial Inclusion.” Working Paper. Washington, D.C.: CGAP, available at https://www.cgap.org/sites/default/files/Working-Paper-Regulatory-Sandboxes-Oct-2017.pdf

Other countries which have regulatory sandboxes are Netherlands, Bahrain, Abu Dhabi, Saudi Arabia, etc.

Report of Working Group on Fintech and Digital Banking, Reserve Bank of India, November, 2017, available at https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=892

These conditions are fairly liberal in that they require that the entity should be less than 7 years old; should not have a turnover of more than 25 crores, and should be working for innovation, development or improvement of products or processes or services, or if it is a scalable business model with a high potential of employment generation or wealth creation.

Clause 5 of the RBI Framework.

Clause 6.1 of the RBI Framework.

Clause 6.3 of the RBI Framework.

Clause 6.5 of the RBI Framework.

Clause 6.4 of the RBI Framework.

Clause 6.7 of the RBI Framework.

Clauses 6.2 and 8 of the RBI Framework.

Clause 6.6 of the RBI Framework.

Clause 6.9 of the RBI Framework.

Jemima Kelly, A “fintech sandbox” might sound like a harmless idea. It's not, Financial Times, Aplphaville, https://ftalphaville.ft.com/2018/12/05/1543986004000/A--fintech-sandbox--might-sound-like-a-harmless-idea--It-s-not/

For more details visit https://cis-india.org/internet-governance/blog/vipul-kharbanda-may-8-2019-an-analysis-of-rbi-draft-framework-on-regulatory-sandbox-for-fintech

How privacy fares in the 2019 election manifestos | Opinion

Aayush Rathi and Ambika Tandon — 2019-05-02T01:49:39Z

We now have a rights-based language around privacy in the mainstream political discourse but that’s where it ends.

The article by Aayush Rathi and Ambika Tandon was published in the Hindustan Times on May 1, 2019.

In August 2017, the Supreme Court, in Puttaswamy vs Union of India, unanimously recognised privacy as a fundamental right guaranteed by the Constitution. Before the historic judgment, the right to privacy had remained contested and was determined on a case-by-case basis. By understanding privacy as the preservation of individual dignity and autonomy, the judgment laid the groundwork to accommodate subsequent landmark legislative moves — varying from decriminalising homosexuality to limiting the use of the Aadhaar by private actors.

Reflecting the importance gained by privacy within public imagination, the 2019 elections are the first time it finds mention across major party manifestos. In 2014, the Communist Party of India (Marxist) was the only political party to have made commitments to safeguarding privacy, albeit in a limited fashion. For the 2019 election, both the Congress and the CPI(M) promise to protect the right to privacy if elected to power. The Congress promises to “pass a law to protect the personal data of all persons and uphold the right to privacy”. However, it primarily focuses on informational privacy and its application to data protection, limited to the right of citizens to control access and use of information about themselves.

The CPI(M) focuses on privacy more broadly while promising to protect against “intrusion into the fundamental right to privacy of every Indian”. In a similar vein, both the Congress and the CPI(M) also commit to bringing about surveillance reform by incorporating layers of oversight. The CPI(M) manifesto further promises to support the curtailment of mass surveillance globally. It promises to enact a data privacy law to protect against “appropriation/misuse of private data for commercial use”, albeit without any reference to misuse by government agencies.

On the other hand, the Samajwadi Party manifesto proposes the reintroduction of the controversial NATGRID, an overarching surveillance tool proposed by the Congress in the aftermath of the 26/11 Mumbai attacks. In this backdrop, digital rights for individuals are conspicuous by their absence from the Bharatiya Janata Party’s manifesto. Data protection is only seen in a limited sense as being required in conjunction with increasing digital financialisation.

The favourable articulation of privacy in some of the manifestos should be read along with other commitments across parties around achieving development goals through the digital economy. Central to the operation of this is aggregating citizen data. Utilising this aggregated data for predictive abilities is key to initiatives being proposed in the manifestos —digitising health records, a focus on sunrise technologies, such as machine learning and big data, and readiness for “Industry 5.0” are some examples.

The right is then operationalised in a manner that leads data subjects to pick between their privacy and accessing services being provided by the data collector. Relinquishing privacy becomes the only option especially when access to welfare services is at stake.

The discourse around privacy in India has historically been used to restrict individual freedoms. In the Puttaswamy case, Justice DY Chandrachud, in his plurality opinion, acknowledges feminist scholarship to broaden the understanding of the right to privacy to one that protects bodily integrity and decisional privacy for marginalised communities. This implies protection against any manner of State interference with decisions regarding the self, and, more broadly, the right to create a private space to allow the personality to develop without interference. This includes protection from undue violations of bodily integrity such as protecting the freedom to use public spaces without fear of harassment, and criminalising marital rape.

While the articulation of privacy in the manifestos is a good start, it should be much more. Governance must implement the right to look beyond the individualised conception of privacy so as to allow it to support a whole range of freedoms, rather than limiting it to data protection. This could take the shape of modifying traditional legal codes. Family law, for instance, could be reshaped to allow for greater exercise of agency by women in marriage, guardianship, succession etc. Criminal law, too, could render inadmissible evidence obtained through unjustified privacy violations. The manifestos do mark the entry of a rights-based language around privacy and bodily integrity into mainstream political discourse. However, there appears to be a lack of imagination of the extent to which these protections can be used to further individual liberty collectively.

For more details visit https://cis-india.org/internet-governance/blog/hindustan-times-may-1-2019-aayush-rathi-and-ambika-tandon-how-privacy-fares-in-the-2019-election-manifestos

FinTech in India: A Study of Privacy and Security Commitments

Aayush Rathi and Shweta Mohandas — 2019-05-02T11:20:30Z

The unprecedented growth of the fintech space in India has concomitantly come with regulatory challenges around inter alia privacy and security concerns. This report studies the privacy policies of 48 fintech companies operating in India to better understand some of these concerns.

Access the full report: Download (PDF)

The report by Aayush Rathi and Shweta Mohandas was edited by Elonnai Hickok. Privacy policy testing was done by Anupriya Nair and visualisations were done by Saumyaa Naidu. The project is supported by the William and Flora Hewlett Foundation.

In India, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (subsequently referred to as SPD/I Rules) framed under the Information Technology Act, 2000 make privacy policies a ubiquitous feature of websites and mobile applications of firms operating in India. Privacy policies are drafted in order to allow consumers to make an informed choice about the privacy commitments being made vis-à-vis their information, and is often the sole document that lays down a companies’ privacy and security practices.In India, the Information Technology (Reasonable Security Practices andProcedures and Sensitive Personal Data or Information) Rules, 2011 (subsequently referred to as SPD/I Rules) framed under the Information Technology Act, 2000 make privacy policies a ubiquitous feature of websites and mobile applications of firms operating in India. Privacy policies are drafted in order to allow consumers to make an informed choice about the privacy commitments being made vis-à-vis their information, and is often the sole document that lays down a companies’ privacy and security practices.

The objective of this study is to understand privacy commitments undertaken by fintech companies operating in India as documented in their public facing privacy policies. This exercise will be useful to understand what standards of privacy and security protection fintech companies are committing to via their organisational privacy policies. The research will do so by aiming to understand the alignment of the privacy policies with the requirements mandated under the SPD/I Rules. Contingent on the learnings from this exercise, trends observed in fintech companies’ privacy and security commitments will be culled out.

For more details visit https://cis-india.org/internet-governance/blog/aayush-rathi-and-shweta-mohandas-april-30-2019-fintech-in-india-a-study-of-privacy-and-security-commitments

Data for Development: Mapping key considerations for policy and practice in India

Admin — 2019-04-25T15:17:55Z

On 24 April 2019 Arindrajit Basu delivered a talk at an event titled at Data for Development:Mapping key considerations for policy and practice in India at Azim Premchand University.

Arindrajit presented some of CIS's work on artificial intelligence and its work on privacy and the SriKrishna Bill, some of the constitutional contours of India's data governance policies and some of the larger implications on India's foreign policy vision as an emerging economy.

For more details visit https://cis-india.org/internet-governance/news/data-for-development-mapping-key-considerations-for-policy-and-practice-in-india