Strengthening the account aggregator ecosystem: A feminist perspective — A policy brief
A report by
Tripti Jain
in
Data
Abstract
In earlier research, Kovacs and I (2020) identified six feminist principles to strengthen consent in data governance. An examination of the account aggregator (AA) ecosystem against these principles makes clear that the AA framework is a positive step towards addressing some of the key concerns regarding current consent regimes, for example where auditability and granularity are concerned. However, to fully meet the minimum requirements necessary to ensure meaningful consent, further modifications will be needed. In particular, it appears that the focus of the ecosystem currently is on ensuring that AAs are robust, but that it fails to address challenges relating to other stakeholders in the ecosystem.
Context
Despite the centrality of consent in data protection regimes, research in the past has been critical of consent mechanisms. In an earlier study, Kovacs and I (Kovacs & Jain, 2020) have argued that consent mechanisms can be strengthened significantly by applying six key learnings from feminist debates around sexual consent to the data context. Other efforts to strengthen consent include technology-enabled consent frameworks, such as the account aggregator framework conceptualised and launched in India. This framework aims to address some of the very same criticisms of consent as the feminist principles articulated by Kovacs and myself, such as consent fatigue, the complexity of notice, and that consent is often sought up-front for subsequent transactions. In this policy brief, I outline how well the developing AA ecosystem is delivering on these claims in practice by assessing it against the feminist principles of consent. To what extent do AAs align with the feminist principles; are AAs effective; and what is the why forward for the AA ecosystem?
Main arguments
The following are the main lessons regarding both benefits and areas of concern that need to be revisited, learnt from the assessment for each of the feminist principles.
PRINCIPLE 1: Consent must be embedded in a notion of relational, rather than individual, autonomy
The AA ecosystem does not embody the principle of relational autonomy. The focus of the ecosystem has been on the AA, and how to make it secure, transparent and trustworthy. But the framework fails to take into consideration the impact that other data fiduciaries in the ecosystem, such as financial information users (FIUs) and financial information providers (FIPs) may have on how meaningful user consent can be. FIUs are empowered to dictate the terms of consent artefacts and to obtain any information they deem fit from users. At the same time, the framework provides minimal information about the mechanisms used and the third parties involved with the system. It also lacks a technology layer as well as regulatory mechanism to assess whether FIUs are effectively practicing purpose limitation. Moreover, the regulatory requirements for the ecosystem do not obligate data fiduciaries to assess the risks associated with data processing either. Regulatory safeguards preventing the abuse of dominance by players is absent, nor is there a mandate to inform users about data breaches or leaks. The ecosystem positions AAs as a silver bullet to enable autonomy while failing to prevent the subordination of users at the behest of FIUs and FIPs.
PRINCIPLE 2: Consent must be given proactively, communicated in the affirmative
The AA framework is more equipped to seek consent proactively than existing consent regimes. As far as opt-in and opt-out consent artefacts are concerned, the AA ecosystem prescribes a mixed approach, suggesting the use of different consent artefacts for different use-cases. However, the opt-out mechanism is insufficient to nudge people to proactively give consent. (Kahneman, Knetsch & Thaler, 1991) The AA ecosystem also provides an audit mechanism. If enforced as envisioned, it will provide users and data fiduciaries with more clarity vis-a-vis the flow of their data. Currently, however, it only enables users to keep a tab on the information and consents shared with different FIUs, and not on user details resting with FIPs. Thus, there is scope for further change to ensure consent is obtained proactively.
PRINCIPLE 3: Consent must be specific, continuous and ongoing, to be sought for different acts and at different stages. Consent is required to be built
Several characteristics indicate that the ecosystem requires consent to be specific. Firstly, the framework enables FIUs and FIPs to seek consent on different occasions for different purposes, not upfront for all future behaviour. Secondly, users will have access to a dashboard containing all the consents they have given for data that they have shared with FIUs. Thirdly, users are empowered to revoke consent at any time. These measures can ensure that the consent sought is specific while maintaining the seamlessness of the mechanism. However, they are not enough for consent to also be continuous and ongoing. The ecosystem needs to acknowledge that human conditions are not static, and may demand change in previously taken decisions. Currently, there is no regulatory requirement for the products or services to seek consent at every step. Further, the ecosystem does not allow individuals to edit data once it is fed into the AA ecosystem; all they can do is revoke or pause consent. Lastly, there is no provision for the user to view the data that an FIP will transfer to an FIU prior to the transfer, although this would aid substantially in ensuring purpose limitation.
PRINCIPLE 4: Consent is a process, and thus opens up a conversation, rather than entailing merely a yes/no decision
The AA framework does not conceive of consent as a process. It relegates user control over the expression of consent to a simple yes or no. In addition, the concept of assisted consent, involving a human point of contact, has for now not been integrated into the framework. For a service catering to an extremely wide range of users and claiming to target specifically those previously excluded from access to financial services, it is imperative to develop assisted consent and other technical tools to improve access to the technology.
PRINCIPLE 5: Consent allows for negotiation by all parties involved; this requires the ability for each party to say no as well as to provide input on the terms of agreement
For consent to be meaningful, a user should be able to, at the very least, say no to any practice that doesn’t relate narrowly to the service being provided. However, users at present have limited ability to negotiate in the AA ecosystem. Data fiduciaries remain excessively empowered to dictate the terms of consent, including by reserving, in their privacy policies, the right to unilaterally change these policies without informing users. Moreover, the ecosystem provides no means to object to and revoke consent for third party data sharing. Thus, reflecting existing practices in data governance more broadly, the ability of users to negotiate barely exists in the ecosystem.
PRINCIPLE 6: Conditions must be created so that consent can be given freely. This implies that the person should be free from any fear of oppression or violence of any kind
Many individuals may not have the capacity to express consent because of the physical or socio-economic context they find themselves in. Currently, the AA ecosystem has not factored this in. Despite acknowledging the value of vernacularisation, localisation is yet to find a place at the heart of the ecosystem. Rather, the expectation is that with adoption and innovation, more regional languages will eventually be integrated. Moreover, the pilot applications and tools are being built for people who can read and write and are currently only available on smartphones and websites. The AA ecosystem also demands every participating individual to personally own a mobile phone number registered in their name. Additionally, the ecosystem has not taken into consideration the needs of elderly and differently abled individuals. A sizable portion of the population of our nation will, therefore, be excluded from participating in the ecosystem, let alone being able to express meaningful consent, even though the ecosystem was supposedly conceptualised precisely to improve their ability to exercise autonomy over their financial data.
Recommendations
As the AA ecosystem is in the process of being iterated and continues to evolve and adapt, the following key recommendations should be implemented immediately to strengthen user autonomy and meaningful consent along the above lines.
Regulatory Changes:
● Until the Personal Data Protection Act is promulgated, the Reserve Bank of India (RBI) should set-up a task force or committee comprising experts from the field, to notify clear data protection rules and lay down penalties. AAs and other data fiduciaries within the ecosystem should comply with these rules.
● If the draft version of the Personal Data Protection Bill, 2019 is promulgated, the financial regulators must, at the very least, ensure that FIPs and FIUs do not over-collect and over-process personal data of individuals under the garb of section 14, to assess creditworthiness or for “other reasonable purposes”. FIPs and FIUs should be obligated to seek consent from individuals for all personal data collected by them, and must expressly inform individuals about the purposes for which they are collecting and processing data.
● The RBI and the Competition Commission of India (CCI) must identify and eliminate anti-competitive behaviour, such as monopoly pricing, cartelisation by players, customer-locking and other market abuse (Uppal, 2020). A clear revenue model for the ecosystem should also be delineated by the RBI after having public consultations.
● The RBI should delineate penalties for storage of data beyond 72 hours by AAs and norms regarding data storage by FIUs and FIPs.
● To enhance transparency, data fiduciaries should be transparent in processing personal data, report personal data breaches, conduct data protection impact assessments and maintain clear records of all these measures.
● To enable easy exit from the AA ecosystem, the RBI should specify when and how the data of individuals should be removed after they revoke consent to participate in the AA ecosystem.
● To prevent collection of unnecessary data and behavioural surplus from users, the RBI should, following public consultations, set a standard which delineates who can collect data; what data they can collect; for how long they can store it; and what type of consent (view, storage, or authentication) should be sought for each expected use-case in the AA ecosystem.
● The RBI should obligate data fiduciaries to inform users prior to changing their privacy policies and users should have the ability to opt-out prior to the change. Further, users should have the option to continue using the services for a reasonable time as per old policies, especially if the new policies may harm or have serious implications for users.
● Like FIPs, the RBI must mandate FIUs to maintain logs of their data sharing, so they can be held accountable in case they fail to follow the data sharing norms prescribed by the RBI.
Technology Changes
● There should be a mechanism for users to learn when data is being used by any data fiduciary and why.
● For all use-cases, consent should be obtained through an opt-in consent mechanism.
● Users should be allowed to inspect the data that is being transferred to the FIU prior to the transfer. Users should be able to raise a request to address and edit any mistakes or discrepancies prior to transfer.
● To enable users of all demographics to participate, there should be an option for users to speak with a person who is well-versed with the nuances of data collection and processing and who can assist the user in resolving their queries.
● All applications and interfaces should be made available in the 22 official languages of India as listed in the VIIIth Schedule to the Constitution of India.
● Developers must ensure that people with disabilities can access the AA ecosystem.
● The ecosystem should allow users to manage their consent even without a personal phone number, to prevent exclusion of a considerable segment of the population of users in our nation.
This policy brief is based on research carried out for the paper: Jain, Tripti (2021). Tech Tools to Facilitate and Manage Consent: Panacea or Predicament? Mumbai, Data Governance Network.
References
Kahneman, Daniel, Knetsch, Jack L., & Thaler, Richard H. (1991). Anomalies: The endowment effect, loss aversion, and status quo bias. Journal of Economic Perspectives, 5(1), 193 – 206. DOI: 10.1257/jep.5.1.193
Kovacs, Anja & Jain, Tripti (2020, November). Informed Consent — Said Who? A Feminist Perspective on Principles of Consent in the Age of Embodied Data (Working Paper No. 13). Data Governance Network. https://datagovernance.org/files/research/1606371436.pdf
Uppal, Mahesh (2020, June 10). Keeping India’s payments market competitive. Financial Express. https://www.financialexpress.com/opinion/keeping-indias-payments-market-competitive/1986606/