In its first Indian edition of the ‘Privacy Matters’ roundtable, Mozilla brought together the brightest minds from India’s leading and upcoming online businesses to discuss practical issues surrounding data privacy. Held recently in New Delhi, the aim of the session was to drive the conversation on how businesses can make decisions about personal data more thoughtfully. This closed-door intensive meeting saw participation from a variety of companies – ranging from SMEs to large conglomerates, including Aditya Birla Group, Dunzo, Ibibo, Practo, Ola, Zeotap, Zomato, among others.
The 5-hour long session was conducted using Mozilla’s Lean Data Practices framework, that puts forth privacy principles and practical steps to implement them. With a mix of engineering, C-level, product and legal folks driving the discussions, the workshop focussed on the incentives for companies to stay “lean”, and minimize the personal data they collect and store; ways to build-in security features; and finally, effective ways to communicate with users and offer them more meaningful choices vis-à-vis their data.
Urmika Shah, lead product and data counsel at Mozilla, Mountain View, led the discussion and shared, “It was great to see that many of the larger Indian SMEs have taken proactive measures to build in privacy and security features into their services, even prior to the enactment of India’ data protection law. For some, the incentive seems to come from the possibility of security breaches and reputational risks, and for others it’s their global presence or foreign investors.”
The discussions were divided into three segments as per the framework, covering key topics: “Engage users”, “Stay Lean” and “Build-in Security”.
The first segment of the discussions focussed on how companies can better engage different audiences (such as end users, business clients, employees and investors) on issues of privacy. The observations reinforced the importance of providing more meaningful choices to users about their personal data at the time they are using the service, and making privacy notices more visible and easily comprehensible. In addition, companies expressed the need to better engage investors and boards on privacy issues to gain their support for implementing reforms.
The second section was on the importance of staying “lean” with data rather than collecting, storing, and sharing indiscriminately. Most companies agreed that collecting and storing less personal data mitigates the risk of potential privacy leaks, breaches and vulnerability to broad law enforcement requests. Staying lean does come with its own challenges, given that deleting data trails often comes at a high cost, or may be technically challenging when data has changed hands across vendors. It was agreed that there is a need for more innovative techniques to help pseudo-anonymize or anonymize such data sets to reduce the risk of identification of end-users while maintaining the value of service. Despite these challenges, responsible companies should do their best to adhere to the principle of deleting data within their control, when no longer required.
The third section covered key security features that could be built-in to the services. Many companies explained that their own security practices, especially relating to employee data access controls, have evolved as they grew in size. A key observation voiced by many companies was that vendors are often not scrutinized and may not always be welcoming to rigorous reviews of their data and security practices. This remains a key challenge in protecting the privacy and security of user data.
Amba Kak, Mozilla’s public policy advisor in India said, “In the lead up to India’s first data protection law, we need more such conversations that focus on implementing these principles, and how to overcome practical challenges.”, she concluded.