1.1 The National Institution for Transforming India (“NITI Aayog”), in August 2020, had released a draft framework on Data Empowerment and Protection Architecture (“DEPA/Draft Framework”). DEPA is aimed at empowering people to have a seamless and secure access to their data and share it with third party institutions. It proposes creation of a new form of Consent Manager Institution which would ensure that individuals can provide consent for every piece of data shared and would work for protection of data rights. DEPA is aimed at replacing the current mechanism for data access and sharing mechanism which involves bulk printout notarization and physical submission, screen scraping, username/password sharing etc. It recognizes the problem of small firms not being able to reap the benefits of individual data and ends up being used mostly by the larger firms.
1.2 DEPA is aimed at increasing financial inclusion and mentions that consented data sharing has the potential to reduce the cost and risk premium of offering loans to small entrepreneurs. In India most loans are offered on collateral bases and this architecture could empower an individual to get a loan on the basis of past turnover (example- GST records, mobile payment transactions etc.) which would indicate a future capacity to repay. This would enable individuals to obtain affordable loans on the basis of their digital footprint. This draft framework aims implementation of RBI Account Aggregator system to function as consent managers which would enable them to share their financial data across insurers, banks, lenders tax collectors etc.
1.3 DEPA also aims at working with layers of India Stack for finance sector. The draft framework refers to DEPA as “a final layer of India Stack”. India Stack is a set digital public goods which allows private market innovators to improve digital services for India across a range of sectors. Some key players of India Stack include Aadhar, UPI etc.
2. Aim of DEPA
2.1 The draft framework aims at improving the financial inclusion of individuals by allowing them get access financial products by using their digital financial data. It has been recognized that India’s rural and urban poor population faces exclusion from financial products due to lack of trust and asymmetry of data. This is due to high costs faced by financial institutions in reposing trust in individual or a small business having undocumented financial background and no digital trail to reference.
2.2 The draft aims at realizing the full potential of digital opportunity which has been witnessed in India lately. It has been observed that due to various platforms such as Aadhar, UPI, increase in mobile connectivity and increase in internet useage, the members of lower socioeconomic strata are becoming data rich. Small shop owners, gig workers, MSME players have been increasingly generating digital transaction history which could be used for building trust with financial institutions for availing credit.
2.3 The draft realizes that despite of a massive increase in digitization, the data remains in the hands of the companies or institutions which control individual’s data as custodians. It is recognized that the custodian-centric data sharing model will not be effective in addressing the data access needs of our country. The draft framework aims at breaking down the data silos and make the personal data accessible and reducing the lengthy practice of availing this data.
2.4 DEPA recognizes that the problem is not that the companies are benefitting from personal data but the problem is that individuals and small firms are not able to reap the benefits. The draft framework aims at providing individuals and small businesses the practical means to access, control and selectively share personal data that has been stored in multiple institutional datasets.
2.5 The Draft Framework states that the DEPA will not be a static policy but will be an evolvable program.
2.6 DEPA’s institutional architecture will involve creation of Consent Managers which in the financial sector will be known as Account Aggregators. The draft framework also envisions creation of collective alliance of Account Aggregators called DigiSahamati (“Sahmati”) Foundation. This will be responsible for providing procedural and best practice guidelines for all participating institutions.
2.7 The Draft Framework aims that the DEPA’s technology architecture should be interoperable, secure and privacy preserving.
2.8 It is aimed that the DEPA platform will channelize tremendous entrepreneurial energy and many different players can co-create and innovate on this public good. Financial institutions can continue to adopt the public APIs and become financial information providers. Entrepreneurs and fintechs can start up Account Aggregators catering to diverse users or innovate on business models involving informed consent. Banks, NBFCs and fintechs can build innovative products such as cash flow based lending for small businesses which could leverage new data sharing possibilities.
3. Key Highlights
3.1 Consent Manager
The Framework creates a new class of institution which shall have economic incentives aligned with those of the users when it comes to the sharing of personal data. As indicated in the image below, the interaction between a potential data user and data fiduciary holding the information will be channeled through a consent manager who will make sure that data is not shared without user consent.
(Source: NITI AAYOG Draft Framework for DEPA)
The consent manager will be responsible for holding consent logs which determine how data can flow form data sources to data users in an authorized system. They shall remain data blind. While their job is to enable the transaction, they shall remain unable to read or store the data. The users will have the option to opt for consent manager portability and can change their consent manager operation service.
For the financial sector, Account Aggregators will be acting as consent managers and will work with Financial Information Providers (“FIP”) to share the data of an individual or small business with their consent to a Financial Information User (“FIU”). For ensuring sustainability of the business model, the Account Aggregators can charge the FIUs an amount per transaction. Any data that flows through the Account Aggregator will have to be encrypted.
Sahamati, a non-profit organization, has been created for the rollout of best practices for the Account Aggregator ecosystem. This organization will be responsible for educating FIPs about the DEPA architecture and provide technical support for institutions. It shall publish a code of conduct, audit guidelines and interoperability standards. Developing grievance redressal framework and monitoring member compliance will also have to be done by the organization.
3.2 Business models for consent managers
For the DEPS ecosystem to be successful, it is important that there exists a viable business model for the new consent managers, data users and data provider. It is often seen that personal data is regularly shared or sold by the data fiduciary to enable the individual to get a free service. The various business models discussed in the Draft Framework are as follows-
Consent Management accounts or operators- In this case the operator will be an independent entity which shall act as a consent manager. Their job would be to allow and manage data and consent flows from the data principle and data user.
In house model- In this model, the data operator and the data user will be combined. The data user will need access to the personal data of the data principle and will incorporate a consent manager along with the services which it provides to the data principle.
Public Sector Model- Under this model, the public sector entities could offer a subsidized and low cost consent management service.
Privacy based model- This model suggests that consent managers may offer additional services with regards to data privacy and security.
3.3 ORGANS Framework
Consent pertaining to sharing of data will not be a blanket yes or no and thus, DEPA uses the ORGANS framework for providing a good technology framework. The ORGANS framework is as follows-
Open Standards- The consent architecture must follow open standards and shall ensure all institutions to use the same approach
Revocable- The consent can be revoked at any stage
Granular- Consent given has to be presented at a granular level, where the data is broken down in terms of its characteristics and how can long can it be used etc.
Auditable- All the events in the consent flow must be digitally signed and logged using Ministry of Electronics and Information technology’s log artifact.
Notice- The user must be informed and given due notice when consent is created or revoked and when data has been requested, sent or denied.
Security by design- the internal and external software to be used in DEPA must be designed from ground up to be secure and there shall be end to end security of data.
3.4 APIs for Data Sharing
The Draft Framework provides that Application Programming Interfaces (API) enable seamless interaction flow and encrypted data flow between data providers and data users. Institutions which have adopted the draft DEPA API can provide data in a machine readable format to all licensed consent managers. A centralized consent management architecture makes the account interoperable and will allow the individuals to switch from one operator to another.
3.5 Data protection and processing standards
The Draft Framework states that DEPA should rely on adoption of related technology standards around data storage which will be designed and regulated by the forthcoming Data Protection Authority under the Personal Data Protection Bill.
4.1 The move by NITI Aayog for releasing this framework is very much appreciated, it must be highlighted that this draft framework must provide detail of how the architecture would be implemented. Further there has to be clarity on how the Account Aggregator’s provisions given under this framework be read vis a vis the RBI regulations on the same.
4.2 For full implementation of this Draft Framework, there has a detailed implementation framework and guidelines by the concerned government and ministries. There is clarity needed on issues such as eligibility of information users for demanding the data and their eligibility criteria. Whether the consent manager will be regulated by a Self Regulation Organization (SRO) or whether any regulatory body will issue guidelines for the same is also an issue which hasn’t been dealt with. Further, the Draft Framework mentions that control of data to small business will be promoted, however, there is no clarity provided on how this might be achieved. The Draft Framework also relies on a legislation (Personal Data Protection Bill, 2019) which has not been enacted yet and is undergoing deliberations.
4.3 There requires clarity on how the Consent Managers operate and the Draft Framework only provides a pictorial representation and no further information has been given. There is also no information given as to how sectoral regulators (such as RBI, SEBI, IRDAI) will accommodate the implementation of DEPA. Another factor which has not been considered is the parameters of data protection and privacy which have been laid down in the judgements of Justice K.S Puttaswamy v. Union of India.