Author: Gaurav Bhalla
The draft data empowerment and protection architecture was prepared by the NITI Aayog (the think-tank of the Government of India) in August 2020. The framework envisaged by the draft is ‘a secure consent-based data sharing framework to accelerate financial inclusion’. As per the draft, with the implementation of DEPA, India will be taking a historic step towards empowering individuals with control over their personal data, by operationalising an evolvable regulatory, institutional, and technology design for secure data sharing.
The Report firstly makes a case for the need of a suitable Data Empowerment and Protection Architecture in India. It builds from some statistics to emphasize how India has seen a radical shift towards a digital economy. These include:
· The internet subscription base in India has grown from 200 million to over 687 million (which is an increase of 300%) in only a span of 5 years.
· India has over 1.2 billion mobile subscribers.
· Over 1.3 billion monetary transactions take place per month over UPI (Unified Payment Interface).
· The number of registered businesses in India has grown from 6.5 million (in 2016) to 10 million (in 2020).
The Report states that with the vast amount of data being generated, there has recently been a global push towards data security and protection. The Report recognises that India has taken a step towards data protection through introduction of the Personal Data Protection Bill. It goes on to emphasize that with the digital transformation, the Indian population is increasingly becoming data rich and this data could be used for better access to services that could meaningfully improve people’s lives. Accordingly, a well-designed data governance framework would grant users control over data through a safe and seamless protocol to share data across institutions, leading to empowerment of the individuals.
The Report builds from this towards establishing a linkage between the objectives of strong data governance and financial inclusion. The architecture envisages that the next step in digital financial inclusion has to be towards access to formal financial products (such as insurance, saving instruments such as mutual funds, provident funds, access to capital markets, pensions and other investment opportunities) of the right size, at the right cost, and at the right points in an individual’s life.
As per the Report, India’s current data governance approach would not scale to achieve the envisaged outcome around financial well-being of the individuals. As the number of applications/systems holding our digital information keeps on increasing, the requirement to go to each data fiduciary to access/share data become a lengthy and tedious exercise. Further, when data is stored in different formats, the process of porting specific data to share with another service provider is not a standardised process, thereby compelling the individuals on a patchwork of workaround solutions to access data.
The Report envisages DEPA as a framework which will need to enable a non-uniform and scalable set of solutions for all to enable them to improve their financial well-being and at the same time ensuring that their right to privacy is not infringed.
The premise of this architecture seems to be a noble one viz. that the individuals will have the right to collect, share and access data pertaining to them in an accessible and easily understandable manner. It describes DEPA as a paradigm shift from the current organisation centric data sharing approach to an individual centric system. The DEPA seems to have been founded by some guiding principles including restoring agency and user control, informed consent, institutional and data controller accountability, accessibility and affordability, shared open infrastructure, incentive alignment, reciprocity, technology agnosticism & interoperability, data minimisation, enabling other data rights, evolvability, etc.
DEPA’s Institutional Architecture
Under this framework, a new class of institutions termed as ‘consent managers’ will be created which have economic incentives aligned with those of the users when it comes to the sharing of personal data. The interactions between an individual, a potential data user, and the data fiduciary (which will hold a user’s information) will be mediated through consent managers (who will be in the business of making sure individual data is not shared without user consent).
As per this model, the data principals (individuals or small businesses) are provided with seamless control over their personal data with a single view, even in the scenario when the data is created, stored, and processed by hundreds of different services. As regards data users, this model facilitates access to data and removes dependencies on specific data aggregators.
DEPA’s Technology Architecture
To enable a thriving data access fiduciary ecosystem, various digital public goods have been created:
1. Electronic Consent Framework – A specification for a consent artefact managed by MeitY
2. Data Sharing API Standards – To enable an encrypted flow of data between data providers and users
3. Data Information Standard – For the sector-specific launch of DEPA
Electronic Consent Architecture as a Foundation of DEPA
As per the report, a shared specification to communicate consent is a critical foundation of the DEPA technology architecture. It has the following benefits:
1. It provides a clear process for obtaining consent to share.
2. It identifies why the data is being used in a particular context in standard form.
3. It enables users to choose how long their data is shared for, specify consent for granular data elements and decide whether data can be shared further to third parties.
4. It simplifies jargon on consent forms and allowing users to make meaningful comparisons between privacy policies of products.
APIs for Data Sharing
Institutions adopting DEPA APIs can provide data in a machine-readable format to all licensed consent managers. Resultantly, it would be possible to build a centralised dashboard where an individual may grant access and give or cancel permissions for multiple data sources and services. A standardised Consent Management architecture makes the accounts interoperable and allows individuals to easily switch operators.
DEPA for the Financial Sector
Account Aggregators (AAs) will act as Consent Managers for the financial sector, working with Financial Information Providers (FIPs) to share the data of an individual or small business with their consent to a Financial Information User (FIU). The Report further mentions that seven AAs have received in principle approval from RBI to begin operations and two have received operational licenses.
AAs are designed to be data blind viz. the data that flows through an AA is encrypted and can be processed only by the FIU intended by the user. Moreover, the AA regulations do not allow them to store user data, to minimise risk of data leaks and misuse.
To operationalise the AA framework quickly, market players have come together to create a new organisation to support the rollout of best practices for the AA ecosystem: a non-profit called ‘Sahamati’. Sahamati will educate new financial information providers, users, and potential AAs about the DEPA architecture, provide technical support for institutions to go live, design procedural guidelines and best practices to support the ecosystem.
Potential for Cash Flow Lending
Cash Flow Lending is a type of small ticket working capital loan which is not asset backed; instead, it provides credit based on the revenue generation and repayment capability. It creates a short and flexible tenure and repayment schedule based on incoming cash flows. It has not become a mainstream mode of credit, in part because trusted data about invoices that indicate a close-to-certain future cash flow is difficult to access. AA opens up access to many different types of data that could be shared to inform banks and NBFCs of cash flows and creditworthiness: GST data which is trusted information on turnover or future receivables, invoices on government procurement platforms such as GeM (Government eMarketplace), e-commerce invoices and transactions on private aggregators such as Flipkart or Amazon, or other kinds of digital sales records from trusted sources.
DEPA Implementation and Rollout
In the financial sector, the RBI has already taken major steps forward towards operationalising DEPA through adoption of the MeiTY Electronic Consent Framework and creation of a new entity – the NBFC Account Aggregator (NBFC-AA) – in its Master Directive of September 2016.
A full public launch which allows sharing of key financial sector data to access better credit products for individuals and MSMEs is planned for Fall 2020. Similarly, the National Health Authority has been tasked with implementing the National Digital Health Mission and is piloting the DEPA architecture for healthcare data in Fall 2020.
The Report also states that the telecom sector is also planning its adoption of DEPA. Telecom data is often the first digital footprint generated by a low-income household, and a steady history of on-time recharges could contribute to a budding credit history.
As per the Report, DEPA’s regulatory, institutional, and technology architecture will be a transformative data governance approach. This approach shows the new ‘India Way’ that is quite distinct from the other models around the world with respect to data protection, sharing, consent and privacy. The Indian approach is specially designed to inclusively cater to the needs of a developing economy, to be technologically cutting edge and innovative, to drive and stimulate economic and business value, and lastly to evolve over time to meet ever emerging “new” applications of data.
Disclaimer: Views, opinions, interpretations are solely those of the author, not of the firm (ALG India Law Offices LLP) nor reflective thereof. Author submissions are not checked for plagiarism or any other aspect before being posted.
Copyright: ALG India Law Offices LLP.