We have reached a point in history where analog governance models are no longer sufficient for regulating digital societies. While technology-enabled regulations might be one feasible solution, they come with both promises and challenges that must be considered.
The advent of digital public infrastructure offers a new possibility to enforce laws through technology-enabled regulations. Today, many countries are in the process of designing and implementing their digital public infrastructure, particularly identity and payment systems, data exchange, and e-commerce, as well as other key components. Implementing technology-enabled regulations alongside digital public infrastructure could help regulators break out of the cycle of post-facto enforcement of regulations. For example, when designing a new data exchange platform, implementors could directly embed legal principles like consent and privacy as technology-enabled regulations. Embedding legal principles could also help reduce the dependency of regulators on post-facto measures, like penalties and other punitive deterrent measures. However, if poorly implemented, technology-enabled regulations could end up embedding state surveillance into the digital public infrastructure “operating system,” leading to numerous harms.
Technology-enabled regulations are a new concept – so new that search engine queries for this term bring up mainly irrelevant results. This article, therefore, explores technology-enabled regulations, along with some of their promises and perils.
So, how can technology-enabled regulations support effective governance?
To be clear, when referring to technology-enabled regulations (TERs), we are not talking about creating new laws but about implementing existing laws through technological means. As our world becomes increasingly digital, TERs will become a necessity. In the slow-moving, pre-digital world, laws were implemented in an analog fashion. However, in today’s fast-moving digital age, slow, analog remedies cannot effectively govern the range of transactions enabled by online digital services.
Take privacy, for example. Globally, there is growing consensus that users should have more agency over their data. This data should be used with informed consent and limited to the purpose for which the users consented. However, this is easier said than done. To date, the most visible manifestation of this consensus is the proliferation of pop-up windows where the user clicks the “I Agree” button before accessing websites. Yet, most people never get around to reading the terms and conditions or examining the consent they give. If their data is misused, it is difficult for individuals to detect the misuse, raise a complaint with regulators, and get grievance redressal.
Digital service providers take advantage of this by requesting (and receiving) overly broad consent that complies with the letter of data protection laws but violates their spirit. To be fair, organizations do not have mechanisms to conveniently get consent every time they use data. Therefore, they default to overly broad consent to protect themselves, leaving users to hand over more data than necessary without understanding what data is being used for what purposes.
At a regulatory level, enforcing privacy laws is a very complex task. Today, many individuals own multiple digital devices, from smartphones to smartwatches, laptops, tablet computers, Wi-Fi devices, connected printers, and voice-activated devices. In 2022, Statista estimated that 255 billion mobile applications (apps) had been downloaded, while Maitrik Kataria estimated that the average smartphone user had more than 40 apps installed on their phones.
Consequently, the data exhaust created by individuals has exploded. By some estimates, we generate around 3.5 quintillion bytes of data every day as we browse the internet, shop online, message our friends and colleagues, watch videos, and scroll through online publications. With the Internet of Things (IoT) connecting our toasters, refrigerators, and other devices to the internet, data exhaust is set to explode even further. Even the most well-staffed Data Protection Authority could quickly get overwhelmed with complaints. Reviewing user complaints, reviewing terms and conditions that differ from organization to organization, and conducting forensic analyses to uncover how data has been used or misused will be a steep hill to climb.
In such a complex and suboptimal environment for individuals, organizations, and regulators, TERs could play a significant role.
In our increasingly digital world, technology-enabled regulations offer real promise.
An emerging TERs approach is the Data Empowerment and Protection Architecture (DEPA), an ambitious attempt to re-architect data flows from the current organization-centric model to an individual-centric model. DEPA was launched in 2018 in Bangalore, India, as an open specification that aims to give individuals the power to decide how their data can be used. Since India did not have a privacy law when DEPA was conceptualized, it was designed with the European Union’s General Data Protection Regulation (GDPR) in mind. In other words, DEPA provides a technological framework for implementing data protection laws and regulations.
The Account Aggregator model introduced in India is one of the first implementations of the Data Empowerment and Protection Architecture. It gives individuals more control and insight into how their financial data is used and serves as a “control panel” for data sources that are connected to it. Presently, organizations in the Indian financial sector are both users and providers within the Account Aggregator ecosystem. Individuals can choose from a selection of Account Aggregator apps, download one – or more – to their smartphones, and select the bank accounts, provident fund accounts, mutual fund depositories, and others that they would like to connect to their app. Additionally, individuals can give granular consent to the use of their data, withdraw consent, and audit their consent trails. Sahamati, the collective of Account Aggregator organizations, is creating standardized consent templates that will allow individuals to easily understand the nature of the consent they are giving.
If designed well, models like the Account Aggregator could help organizations collect data in keeping with local privacy laws, thus reducing their compliance costs and legal risks. Since users can track and audit their consent trails, raising disputes and getting grievance redressal should become easier. Sahamati is currently exploring Online Dispute Resolution frameworks that will work with different financial sector regulators and all the players in the Account Aggregator ecosystem. This combination of an online dispute resolution framework and Self-Regulating Organization status could improve regulatory compliance. And, with digital data being an inescapable part of life, a framework like the Account Aggregator, which supports TERs, could make life easier for individuals, organizations, and regulators. Yet, while this approach has much potential, it is still a work in progress and, therefore, an unproven concept.
While technology-enabled regulations offer the potential for a better digital future, there are also risks to consider.
Conversely, digital public infrastructure (DPI) and TERs raise concerns over individual agency, privacy, and surveillance. Robust institutional checks and balances are therefore required to ensure that innovation and entrepreneurship flourish and that system abuses are minimal.
TERs are a nascent phenomenon within the DPI world, but we can look at other sectors to see the potential downsides. For example, one of the objectives of deploying Electronic Logging Devices for long-distance trucking in the US was to ensure that drivers got ten hours of sleep for every eleven hours driven, as prescribed by regulation. Electronic Logging Devices replaced the paper logs maintained by drivers and became a form of TERs. However, the change was not entirely welcome, as many drivers rued the loss of flexibility. Drivers like Blair Blakely pointed out on Quora that “Enforcement and the Government operate on the premise that, since you are allowed to drive eleven hours, if you drive ten hours and fifty-nine minutes, you are fine, but if you drive eleven hours and one minute you are a hazard to the public.”
Blakely and others point out the challenges with Electronic Logging Devices. There are times when, after driving for ten and a half hours, drivers find no parking spaces. If they drive further to the next parking space, they might exceed the eleven-hour limit and be flagged as violators. In other cases, they might be 20 minutes away from their home when their hours run out and would have to wait 10 hours before starting their trucks again. The moral of the story is that TERs can become rigid and inflexible, if not implemented with empathy and consideration of real-life conditions.
Technology-enabled regulations can benefit people, but only if they are designed to promote – and protect – agency, privacy, and consent.
As society becomes increasingly digitized, traditional, post-facto governance practices may no longer be able to effectively regulate our quickly changing world. Take the traffic police for instance, who often only fine cars caught speeding on the highway well after they’ve breached the speed limit. Of course, trucking companies, rental car fleet owners, and others could install speed governors that limit the speed of the vehicle, but such cases are a small percentage of the vehicular population. In this case, the digital world enables possibilities that the analog world cannot. For example, as we move closer to autonomous vehicles, it is now becoming possible to encode the rules of the road into the vehicles. Advanced Driver Assist Systems can ensure that cars stay in the center of the lane, obey traffic signals, detect pedestrians, and halt at zebra crossings. Encoding the rules reduces the need for post-facto enforcement of rules.
Advanced Driver Assist Systems-enabled cars are thus an excellent example of TERs. As countries worldwide look at implementing DPI and putting in place digital identity systems, payment solutions, and data exchange, among other key components, techno-legal regulations promise to improve compliance with laws and reduce the workload of regulators. However, they also hold out the peril of reinforcing power imbalances between individuals and those who encode the rules of the road.
By encoding generally accepted privacy principles like consent, notice, and choice into DPI, approaches like the Data Empowerment and Protection Architecture and the Account Aggregator create frameworks for TERs. In an increasingly digitized world, DPI and TERs may be implemented in domains like e-commerce, healthcare, logistics, and others. While techno-legal frameworks hold out the promise of improving compliance with laws, it is essential to preserve individual agency and choice. When implementing TERs – like, for example, encoding the rules of the road into technology frameworks – we must ensure that technology serves people and not vice versa.
For safe, effective technology-enabled regulations, collaboration – and shared learning – is key.
Given that digital public infrastructure will have a significant impact on society, and that technology-enabled regulations are a relatively new concept, this author recommends convening multidisciplinary groups consisting of economists, technologists, human rights organizations, domain experts, and other stakeholders to think through effective governance in greater depth.