While there is widespread support for India’s digital public infrastructure achievements, a small, articulate chorus of voices has begun to question certain aspects of the approach. Their concerns, for the most part, relate to the role played by the self-regulatory organisations at the heart of these ecosystems. In a recent paper, Smriti Parsheera, a well-regarded analyst of Indian tech policy, argued that these organisations have become “Alt Big Tech” and need to be regulated to ensure fairness and competition.

Accountability and Competitiveness

The main thrust of the paper is that India’s new technology infrastructure, while a necessary alternative to the monopolistic forces of big tech, is controlled by a few private non-profit organisations that operate without regulation. Unless these entities are themselves subject to oversight, they could become a new version of Big Tech—as harmful as the companies they were supposed to provide an alternative to.

The paper makes two broad arguments. First, in the absence of measures to ensure transparency and accountability, these entities have access to vast amounts of data that could, either inadvertently or recklessly, cause all manner of harm to users of the ecosystem. National Payments Corporation of India (NPCI), for instance, processes vast volumes of payment data. This is transactional data that, if misused, could significantly affect the privacy of individual users. There is so little visibility on how this data is aggregated and processed that we have little to no knowledge of the harms that could befall us.

Second, because these entities get to decide, almost single-handedly, the future direction of these ecosystems—by determining what types of products can be offered, the way they must be implemented and the features they must have—we are denied the innovation benefits we might have got had there been healthy competition among digital ecosystems. This is precisely why New Umbrella Entities were proposed in the digital payments sector—so that we could have alternatives to NPCI in order to experience different types of competitive payment ecosystems. That proposal is, for all practical purposes, now on the back-burner

The extraordinary power these organisations have, the paper concludes, has given rise to a new form of Big Tech, one where power resides not in commercial entities but with new non-profit organisations that have the singular ability to control the direction of the digital ecosystems on which the country depends. This “new brand of power and control” will, it suggests, have long-term consequences for competition and innovation.

New Regulatory Institutions

The broad concerns the paper raises are worth considering. I have no argument with subjecting these entities to a robust set of governance principles that addresses concerns around privacy and data security. What I question is the emphasis it places on the ownership of the entities in charge of the ecosystem and the fact that control of it rests in private hands. I am not sure that this alone is grounds to question the appropriateness of the construct.

As a matter of fact, all these entities operate under the supervision of the regulator. In the case of NPCI, the Reserve Bank of India even has a seat on its board. While they may be owned by market participants, given the diverse range of entities represented on their boards, no single one of them can, unlike the Big Tech companies to which they are being compared, parlay this advantage into commercial benefit. But what is even more unfortunate is that the paper fails to appreciate how this construct could well signal a necessary evolution in regulatory design, which if successful could show the way for how all modern technology ecosystems should be governed.

Techno-legal ecosystems need new regulatory institutions. Their governance needs so far exceed what traditional regulatory institutions can provide that it is meaningless to require old forms of supervision. Core to the functioning of digital ecosystems are central registries that establish the authority according to which different ecosystem participants operate. Someone needs to establish and maintain these servers, with the assurance of neutrality to ensure that no one gains a disproportionate advantage. That same someone needs to evaluate the technical systems of new participants, certifying that they are compatible with prescribed protocols before they go live. When new products are proposed, someone needs to technically evaluate them to ensure they do not result in any unintended harm to the ecosystem.

These are just some of the demands that modern techno-legal ecosystems impose on our regulatory apparatus. Traditional regulators have neither the technical expertise nor the organisational bandwidth to deal with this, but since these are all core regulatory functions, they cannot be simply outsourced to private enterprises to perform.

It is in this context that we need to view the quasi-regulatory organisations that India has established. While not regulators themselves, they function under the supervision of the regulator. While private, they can be incentivised to work in the interests of the entire ecosystem through a diversified ownership model and carefully designed governance. And precisely because they are privately operated, they can build the technical capabilities that is required to do all that needs to be done.

This is exactly the sort of intermediate regulatory institution that we need to govern modern techno-legal infrastructure.