Beyond Disruption: Rebuilding Privacy in the Digital Era

Can privacy and innovation really go hand in hand? What can we do to safeguard sensitive data today, and what’s in store for the future? Dan Cassara, Project Manager for the Digital Credit Observatory (DCO), explores these questions and more in the second part of this two-part series on privacy enhancing technologies and their role in financial inclusion. If you missed part one, click here to check it out.

An employee at Radio Shabelle prepares the studio for an upcoming show | Tobin Jones

Trust is fundamental for an improved digital financial system. As discussed in part one of this series, privacy enhancing technologies (PETs) play a central role in enabling trustworthy and responsible innovation. Despite the complexity of data privacy, policymakers are exploring regulatory approaches. Europe’s General Data Protection Regulation (GDPR) may be the most well-known regulation, but it is not the only one. Globally, more than 130 countries have data privacy laws, a number many anticipate will increase as decision makers learn more about the benefits and challenges of responsible data usage.

In conversation with partners, policymakers, and practitioners, CEGA explored this subject at its 2022 Africa Evidence Summit in Kigali, Rwanda. Key insights from the summit are summarized below:

• What: Minimizing data collection avoids the possibility for sensitive data to be improperly used or shared and is one of the most intuitive ways to protect privacy. When collecting sensitive or identifying information cannot be avoided — for example, for medical research — the next best step is to de-identify the data as soon as possible.
• How: Gathering informed consent prior to collecting any information is vital to conducting ethical research or providing services in most circumstances. However, Informed consent is based on complete, accurate, and understandable information, and it is important to recognize its limits. Often, these criteria are not met; for example, most privacy policies are designed to not be read. Even when all criteria are met, pressing needs can push people to accept terms they may otherwise reject. Regulatory guardrails can help balance the equation. For example, the Central Bank of Kenya has released regulations to address these types of concerns, which is a model that other governments can emulate.
• Where and Who: Safely storing data through encryption — scrambling data so it can only be unscrambled and read with authorized access — and putting appropriate access controls in place — limiting data access to authorized users — are two of the most commonly used security tools to protect data from being accessed outside its intended context. Unfortunately, many fintech apps either do not encrypt all data or use outdated modes of doing so, which leaves many of their customers vulnerable to data breaches. Requiring financial institutions to adopt the most secure standards for encryption and communication should be a high priority, whether through voluntary adoption or regulatory guidance.
• Why: There are typically trade-offs between privacy and accuracy, and effectively evaluating them is dependent on what purpose the data will serve. For example, public health guidance has historically permitted surveillance without consent in some settings where obtaining consent would not be possible or would impede public health goals, judging these benefits to outweigh privacy needs. It is imperative, however, that the usage of data is limited to its initial purpose. While cell phone data can be leveraged for humanitarian aid delivery or to benefit public health, the data shouldn’t be used later for other purposes.

The ongoing data revolution will likely transform the way people around the globe access and interact with financial services. This change has the exciting potential to promote financial inclusion and lift people out of poverty, but it also comes with risk of data misuse, financial loss, and infringements upon privacy.

While protecting individual privacy and peace of mind is worth pursuing in and of itself, the benefits of proper data privacy frameworks go well beyond this. Using data improperly and not using data at all, for instance, both come with costs. Many private sector companies and government initiatives seek the same data but, lacking the means to responsibly and legally share it, collect it separately. This drives up costs and impedes innovation. Those with the least typically pay the largest share through higher interest rates, lower accessibility, and little to no data privacy.

Tools like PETs can help mitigate risks and promote responsible innovation. More research is needed to explore how these tools can be best utilized to improve the financial well being of those excluded from the formal financial system. CEGA is contributing to this effort by funding a research agenda that examines key questions, such as:

• How do local definitions of data privacy vary by context, how can we best measure this, and how can we ensure local voices and values are incorporated into decision-making processes?
• What PETs or other tools are best suited for solving specific privacy problems, and can we analyze their effectiveness in doing so?
• How can privacy enhancing tools enable data portability and data sharing, which could unlock new or improved public goods such as credit bureaus or anti-terrorism monitoring systems?

CEGA’s Digital Credit Observatory (DCO) is building a portfolio of research and a community of researchers and practitioners that will drive a more comprehensive understanding of the challenges and solutions to protecting data privacy in low- and middle-income countries. If you’re interested in research funding, collaborating, or learning more about the DCO, we’d love to hear from you at digitalcredit@berkeley.edu.