Dr Gulshan Rai, National Cyber Security Coordinator, Government of India, Office of Prime Minister, Ritesh Agarwal, Founder, OYO Rooms, Alan Mamedi, Co-Founder & CEO, Truecaller, Amit Shah, Group President & Head Corporate Strategy, Fintech, Marketing & Communication, YES BANK, Osama Bedier, Founder & CEO, Poynt, talk about data regulation, transparency & the power of world’s most valuable resource at ET Global Summit in New Delhi on Saturday.
Edited excerpts:
If data is the new oil, Yuval Noah Harari argues, there is need for a new grouping like OPEC. There is urgent need for frameworks and safeguards so that both the economic value of data is realised and also there is security and protection. Is there merit in the argument that India must not fall prey to data colonisation?
Dr Gulshan Rai: If you look at the conditions under which we are talking about the concepts of data colonisation, data is oil. Now, oil is a matter of colonisation. If you take that concept, yes certainly then data should be colonised. But that is not the exact thing. In fact, the data is much more complex than what oil is.
The same data can be sold to many people. Oil cannot be sold to many people. Oil is under someone’s ownership, someone’s possession. Data is not under someone’s ownership and someone’s possession. Today, honourable prime minister said we are aiming for a $10-trillion economy. A $5-trillion dollar economy is achievable in next couple of years and we are talking about a trillion-dollar digital economy.
In a digital economy, the data flows from one end to another and it passes through many elements. Every element collects data. Then comes the question of who owns the data, who owns the responsibility of data leakage. That is one aspect. It is a very complex thing.
The second aspect of this industry is that there is data monetisation. Everything in the world of internet is free. How do they meet the cost of the infrastructure which they installed to provide the free services?
Now, data is collected and monetised in a different manner. When you monetise data, issues of privacy will certainly come up. Whenever we talk of data colonisation, data localisation, these issues come up. Today we must talk about data ownership or data sovereignty. That is the larger issue and needs to be set right.
Till the time we do that, there will be issues because I have to purchase data. It has a strategic value. The trend worldwide is every country is trying to colonise data. In fact, those countries which are talking about being against data colonisation, are colonising the data much more than anybody else.
It can become a “us versus them” debate but without getting into that, what are the checks and balances that are required before you can take on data localisation?
Ritesh Agarwal: There is a fundamental difference in how you would think about oil and personal data. Sorry, I am just using it quite literally, I know that was not the sense that you had when you mentioned it. I feel data is a very personal item which is personal for every individual and hence keeping the perspective of my data or an individual’s data is only her’s or his and nobody else’s, is a very key characteristic of how you extend the argument about it — localisation or non-localisation.
Second, I believe globalisation is here to stay. There are going to be companies which are going to do cross-border business, companies coming into India, companies going out of India. But that said, making sure that there is a certainty about visibility of critical national data is very valuable and there are countries which have solved it very actively whether it is in Europe very recently or Indonesia. Every country is actively looking at it and recently, the Srikrishna Commission here in India has come up with their own views which hopefully will get implemented over the months.
How do societies look at this? There is concern over privacy and there is also the need to belong to a connected world. How do you combine all these things and make sure that the consumer feels secure using the applications that we are talking of now?
Alan Mamedi: Historically, technology has always helped the world grow faster than laws and regulations. So, what is going to happen is natural. I grew up in Sweden and we started the company in Stockholm, Sweden where data privacy and regulations has always been key and something you grow up with.
For us, personally it has been extremely important to make sure that our data does not really belong to us. It belongs to our customers and the reason why I do that is because the moment you believe as a founder or as a leader of a company that the data belongs to you, that is the moment you lose trust of your customers. And when you lose the trust of your customers, you do not have a business anymore.
We have a very strong stance on this and from day one we have always been clear on what is it that Truecaller needs and what is the value that you get back as a consumer and how do you as a customer rectify and delete that data super simple. I can give you an analog. Me and Nami talked about in the very early days. If Google index website writes about you, it is going to be impossible for you to get that website removed from the search engine. We wanted to do the total opposite and I think that is the core of what we do. That is what we talk about with all our employees and that is how all companies should think about data. It is very personal.
We are talking about financial data for instance, where issues of privacy are even more acute. Are Indian companies prepared to take on the investments required when data is stored locally? What are the safeguards that are required and how prepared are we?
Amit Shah: A couple of points here. First, banks are not just fiducially responsible for the money of our customers. If data is such an important asset, then we are also responsible for the customer’s data. Banks are supposed to do KYC but herein, as far as data is concerned, KYC has a very different meaning. Does your customer know what data I hold for him or her? Does he or she know why I hold this data and where is the control that is the C? Who is controlling this data and the usage of data?
There are data privacy norms in EU. Some of those norms are coming up in India. At some stage, this KYC is going to take precedence on how we use this data. The second part as far as security is concerned is that there is no foolproof system ever. If there is highly secured system, there is a smarter guy who is trying to break that system. The strength of the organisations, data privacy architecture is not so much. You can always put up firewalls, put in security systems but you are interacting with a whole lot of external vendors and supply chain partners.
The strength of the data protection is the strength of the entire system and any weakness anywhere in the entire chain is going to derail the entire thing. A whole lot of data protection now is not rule-based but are driven by AI and ML algorithms. You need to fight an AI attack with an AI attack. If you are going to fight an AI attack with rudimentary rule-based system, you are going to lose the war. So in future, data protection is going to be one AI which is your good AI and there is somebody else who is also equally smart but is also attacking you through AI.
You are really at the heart of the connected world in the sense that IoT and all other things are probably going to generate more data than we already have. Do you think technology companies have kept the trust of users?
Osama Bedier: I do not think we have failed yet but we need to change course. Let me just go back briefly to the analogy of data and oil. I do agree from a monetisation perspective that this is true that as resources come, this is the next generation resource to make money but they are very different in that oil is a limited resource while data is an unlimited resource.
You can make unlimited copies of it and the problem is that it is almost impossible to regulate all the data in the world. That will be a waste of time. More data is generated every year now than all previous years of humanity and so there is a role for the regulatory frameworks to play and they need to be super focused on what matters because not all data is equal.
Personal or personally identifiable information or private information like my bank account information and my medical history is very different from my public preferences which I put on Facebook and Instagram and they need to be treated very differently.
From a regulatory perspective, we need to classify the most important data and put rules around it as it relates to consumer consent, permissions, transparency, control and that is the only role governments can play. They need spend a lot more energy as opposed to letting technology companies create the wrong rules. But then in other areas, it is reputational. As a service provider, as a technology company, I have to be careful about how I treat my customers’ information to continue providing good service.
Do you think there is a role for India to take the lead in devising an order on data protection?
Dr Gulshan Rai: Let us leave the issues that have come out. Look at it from the constructive angle also. The Chinese have said in 2030, they will be the leader in artificial intelligence. Americans, the western countries are the leaders in artificial intelligence now. Artificial intelligence is going to be embedded into every system, every device which is going to come.
If you have to fine tune your algorithm for any new technology like IoT or AI, you need the data. Now, that data should be available to the start-up companies or companies who are developing that technology. That itself will require some sort of a data governance framework. Localisation or colonisation will be required because any country cannot afford to not to get the data which they generate for the technology development in their own country.
That is one aspect which is very important for the growth of the country in technology development or economic development, everything is going to be cyber-led growth.
Second aspect is security. Timely data should be available and accessible for the law enforcement agencies. These two factors will become an important driving force for data localisation.
Every country is trying to localise their data. Look at the Cloud Act or the GDPR. There should be recognition of mutual give and take. Indirectly, mutual legal sanctity is coming back in the form of things we have never been able to solve worldwide. Cyber is a uniform domain and this artificial domain is going to be much more complex. We need a worldwide data governance framework and let us look at the maybe UN-led or whosoever-led governance framework.
Every country should adopt those kind of a framework and make it compatible to their system. That is the only solution. Otherwise, it is going to be very difficult. I am in favour of a data protection Act because we have no other option. Every country has done it.
Have we sort of missed out on opportunities by not having a…
Dr Gulshan Rai: No, we have not. The GDPR has come up only about 10 months ago. Our Justice BN Krishna Committee Report has come out. I was a member there and we wanted to convert it into law but now we will, after the government comes back. It is necessary to do that because we also have to put our businesses, technology development and other matters there.
From a perspective of someone who runs a venture where you are directly with consumers, who do you think has the greater responsibility in protection? Should a consumer be more conscious about how to use personal data and what they need to do to protect it?
Ritesh Agarwal: Generally speaking, customers increasingly are focussed on convenience and it is the responsibility of us as companies. Eventually, regulators and governments have to make sure that customer convenience is not hampered at all while making sure a sustainable data protection system is built out.
I believe fundamentally data being available to local start-ups for making sure that they can use that is a very important part of the broader data privacy and data localisation perspective. The only addition I would have on it is that data privacy is an extremely important model to have trust of the customers, like Alan mentioned. It is extremely valuable that this data should always be available with anonymity and anonymity being a very critical part of the whole subject which I am sure the regulators are looking at and increasingly, as companies we are thinking about.
But generally speaking, customers should be more educated but the second priority is companies and regulators taking a very responsible and sustainable view of the world and making sure that an individual’s data is their data and respecting that is very critical.
With increasing incidences of data breaches, the question everyone will have is what is the banking industry doing to safeguard this?
Amit Shah: As a bank, we believe in data privacy along with data availability. Like Ritesh was saying, for ease of operations, somewhere there is a little bit of trade off, The higher number of locks that you put on to a process, the lesser enjoyable experience it becomes for a customer. But how do you balance it out? We have a three-pronged framework. There are three levels of barriers that we have put right from how the backoffice operates, how the governance framework happens, how the audits happen and what are the technical solutions that you put around protecting this data.
To bring a lighter note to a reasonably technical subject, when you watch the heist movies, whether it is the Italian Job or anything else, the eventual break is within the bank or within a storehouse of gold or something, but the entry point never starts from there. The entry starts from some vague corner somewhere, While I want to ensure that my customer has the best app on his mobile phone, I also want to ensure that it is dummy proof. I should not allow him to create a breach. My app has to be equally strong and enjoyable because that is the entry point of most frauds.
Do you think consumers should have ownership of data? Should they be able to trade and benefit from it?
Alan Mamedi: It depends on the business model. It is hard to say but you can always build an ecosystem around it. It is similar to how Uber has done it but that is based on services. I am not so sure I would think that is a good idea around data because then in some way you incentivise people to sell parts of their personal information and that is not the direction the world should be going towards.
Osama Bedier: I will split the question in two parts; ownership, absolutely. Consumers need to own their data, especially personally identifiable information as well as should have transparency around what others know about them.
In terms of benefit from it, it is situational. There are things that you could do to harm yourself or others by benefitting from the data. That should not be allowed but there are things where people profit off you and that is really a good argument to benefit when others profit from you.
Leave a Reply