I feel energised when, during my daily evening exercise walk in Colaba, I see fisherfolk from the nearby Sassoon docks whip out their mobile phones, point at the QR code at a pavement fruit shop, and pay for their mangoes. I feel immensely proud of our Unified Payments Interface (UPI) and Aadhaar card systems, which are helpful for all levels of Indian society.
However, my nationalist pride in India’s digitisation was shaken last week, when I began reading Rahul Bhatia’s well-written book The Identity Project: The Unmaking of a Democracy. It argues that Aadhaar, which I (like most Indians) love to showcase as an example of our country’s advanced technology, has created an unprecedented infrastructure for state surveillance. He explores the dangers of having such a vast and centralised collection of personal and biometric data.
When I set out to explore whether other writers and thinkers held similar views about Aadhaar, I discovered several. Reetika Khera’s book Dissent on Aadhaar: Big Data Meets Big Brother is a collection of essays by experts from various fields — economists, lawyers, technologists, and activists — which attempt to provide a comprehensive critique of the Aadhaar project from multiple angles.
Then there is Jean Drèze, a Belgian-born Indian development economist and activist, who argues that imposing a fragile, internet-dependent technology on the poorest and most vulnerable populations is a “leap into barbarism” and that it functions more as a tool of exclusion than of inclusion.
In response to these critiques, the Centre has rightly pointed out that Aadhaar is an identification tool, and not one aimed at profiling. It has also said that Aadhaar does not collect sensitive information, such as caste, religion, health records, or financial details, and utilises “best of breed” encryption and security technologies to protect data.
We have also learnt an important lesson: The “political economy” of the Aadhaar/UPI success wasn’t purely a free-market phenomenon. It required deliberate state action to create an ecosystem where this “instant gain” could be realised by millions. The Centre did not wait for private companies to build this system. It created the foundational digital public infrastructure: Aadhaar for identity and UPI as an open, interoperable platform. Initiatives like the Pradhan Mantri Jan Dhan Yojana ensured millions of people had a bank account to link to these systems.
Then came this news last week: “A jury in San Jose, California, said on Tuesday that Google misused customers’ cell phone data and must pay more than $314.6 million to Android smartphone users in the state, according to an attorney for the plaintiffs.” The report went on to say: “... the jury agreed with the plaintiffs that … Google … was liable for sending and receiving information from the devices without permission while they were idle, causing what the lawsuit had called ‘mandatory and unavoidable burdens shouldered by Android device users for Google’s benefit’”.
For years, the tech industry has operated on a model of “implied consent”. By using a service, we implicitly agree to a long and complex terms of service agreement, which often grants broad permissions for data collection. A verdict like the one described above would accelerate the shift to a model of “explicit and informed consent”.
Does this mean that “permission” is not perpetual? Just because a user gave permission to an application (app) upon installation doesn’t mean the app has the freedom to transmit data in the background indefinitely. Will this force companies like Google to build much more transparent controls for users and to justify every single background data transfer?
If explicit permission is required for every type of data transfer, and many users say “no”, this could significantly disrupt these business models. It would force companies to find new ways to monetise their services or be much more upfront about the value exchange. For example, a potential new message from an app could be: “Allow us to collect this data to keep this service free, or pay a subscription fee for a private version.”
When I asked a knowledgeable European friend why Europe had quickly embraced such “explicit permission” type of privacy regulation in the General Data Protection Regulation (GDPR), her answer was: “Have a look at Europe’s 20th-century history: The Nazi regime’s use of census and personal data for persecution, the Soviet bloc surveillance (Stasi, secret police) tracking citizens and other abuses under fascist and communist regimes … all this has created deep societal fear in Europe of state and corporate misuse of personal data.” I then asked her — is it also because Europe, unlike the United States (US), does not have native tech giants with a data-driven business model? Her answer was: “Yes, that too.”
The move to “explicit permission” could also shift the balance of power. It would legally reinforce the idea that users are the ultimate owners of their data and must have simple, straightforward, and continuous control over how it is used. The burden of proof would shift from the user having to figure out how to opt out, to the company having to justify why it needs the user to opt in. Does this mean a significant shift away from opaque, implied consent and towards a future where user permission is explicit, granular, contextual, and continuously managed?
Does this mean that India will also soon need new legislation in this area regarding “user permission”, even for data collected by public institutions such as Aadhaar and UPI?
The author (ajitb@rediffmail.com) is devoting his life to unravelling the connections between technology and society