Agile Tech Regulation

Technology regulations need to be agile. They need to respond rapidly to the changing dynamics of evolving market conditions and to stay current with changes in technologies that call for new standards and stipulations. Governments are singularly ill-equipped to do this and so they must take the help of self regulating organisations and technical standards organisations as appropriate.

This is an expanded version of the article I wrote for my weekly Ex Machina column in The Mint. You can read the original article at this link.


Three Core Considerations

Last year I wrote about the three core considerations I believe to be essential for good tech sector regulation. In the first place, I pointed out that it was important for regulators identify the real regulatory objectives behind the laws they are rolling out. More often than not, we tend to fixate on the most immediate hot-button issues that are top of mind - and as a result end up with a quick fix for only the most pressing concerns while leaving many of the more important issues unresolved. It is only when we take the trouble to identify all the underlying issues that we will lasting regulatory solution.

I then argued that in the context of technology, it is often far more effective to establish regulatory principles rather than trying to write rules that often only apply to a limited implementation of that technology. Given the rapid pace at which technology evolves, trying to regulate each specific iteration of technology will only result in laws that are outdated soon after they are passed. 

Finally, I suggested that the government should not be shy to ask for help: 

Technology is complex. If it is to be effectively regulated, it needs to be well understood. As astute as our bureaucrats are, they are generalists and, in this age of specialisation, cannot hope to appreciate the many layers of nuance necessary in order to properly regulate technology. They should never attempt to go it on their own, but instead should actively co-opt experts from all relevant fields—behavioural economists, technologists, lawyers and the like— so that the laws we pass can be truly robust.

For years, I've watched as we have rolled out laws and regulations unsuited for the technologies they are supposed to govern. In most instances, by the time they are finally enacted into law, the technology itself has moved on and brought with it a whole host of new issues that the already outdated law is incapable of addressing.

Agile Governance

Because our law makers don't fully understand the technologies they are looking to regulate, they phrase their regulations in language designed to obfuscate rather than clarify, filling statutes with broad definitions and catch-all phrases intended to apply not just to activities within the immediate contemplation of the regulator but also others that they fear might be applicable in the future.

It is thanks, in good part, to this approach, that our tech sector is hobbled by unnecessarily restrictive laws and why tech companies operate, from day to day, at the mercy of whatever interpretations the local office of the regulator chooses to adopt on a given day.

I have argued previously about the need for us to adopt an agile approach to governance. Drawing from a paper presented at the World Economic Forum I suggested that the Indian government would do well to encourage multi-stakeholder participation in regulation.

In essence, agile governance uses systems thinking to determine the parameters of the complex and dynamic ecosystems that require regulation and design thinking to develop tools that policymakers can use to pilot low-cost, low-risk versions of policies to test their impact. The combination of these techniques allows them to evaluate the intended and unintended impact of proposed policies and iteratively improve them before implementing regulations on a broader scale.

Self Regulatory Organisations

Early last week, the Telecom Regulatory Authority of India (TRAI) issued its recommendations on cloud services in India. It suggested adopting a light touch regulation for the cloud service providers and called for the creation of an industry body that would work in close conjunction with the Department of Telecommunications (DoT) and the TRAI to come up with the correct balance between regulation and commercial freedom to operate.

Recommendations such as these, that encourage the establishment of self-regulatory organisations (SROs) and give them a meaningful role in the development of the regulations for the sector, are welcome. In many ways this approach checks the boxes on all three points that I argued were essential to the effective regulation of the tech sector. Since the SRO will have the opportunity to work in conjunction with the sector regulator, it will be able to feed into the regulatory process commercial inputs that will help develop more well rounded regulatory objectives, appropriately taking into account societal and commercial imperatives. By requiring light touch regulation, the SRO will be forced to first evolve principles that can then be translated into use-specific regulations. Finally, the suggestion that an industry body comprised of organisations operating in the sector, will be involved in the formulation of regulations is indicative of the government’s desire to lean on the expertise that resides within industry to formulate the regulations required to govern the space.

I am heartened to see signs of this approach manifest itself in different parts of the tech sector. Before the TRAI went down this path, the Personal Data Protection Bill had called for SROs to come up with Codes of Practice to translate the privacy principles into sector specific regulations. If more regulators can adopt this co-regulatory approach to the tech sector I believe our regulations will respond in a more agile fashion to the rapidly evolving demands of modern technology.

But I believe we shouldn't stop there.

Technical Standards Organisations

Many of our more recent developments owe their success to the proliferation of digital public infrastructure in the country - from the payments infrastructure that includes the Universal Payment Interface (UPI) and the Account Aggregator framework to the National Digital Health Mission that, when implemented, will bring the principles of on-demand data portability to the healthcare sector. I believe it is critically important to do all we can to keep this infrastructure current. This will call for actively evolving technical standards based upon which this infrastructure functions to both account for the evolution of technology around the world as well as to respond to market demands for new and more innovative digital products. 

Our regulators are singularly ill-equipped to do this. They have neither the technical expertise to evolve new versions of our existing frameworks, nor the organisational muscle to keep the current frameworks in good shape. What is needed are high quality technical standards organisations (TSOs) that will take on the responsibility for devising and continuously evolving the standards based upon which our public digital infrastructure will function. These organisations are appropriately staffed with persons of suitable technical qualification, drawn, as required from our many institutions of higher learning. The standards they recommend could be submitted to the regulator for its consideration and once approved could be made applicable to the sector as a whole.

This will ensure, in much the same way as the SROs develop regulatory frameworks specific to the sector, that our regulators get the assistance they need in formulating the technical standards that are critically important to the long term success of the sector.