NITI Aayog, the national policy think tank of India, has recently released draft Data Empowerment and Protection Architecture (DEPA). DEPA’s central aim is to empower users with heightened control over data sharing.
Features of DEPA
DEPA’s primary function is to provide individuals with control over their personal data. It aims at creating a safe and secure environment for data sharing by implementing a regulatory, institutional, and technology design. Designed for good data governance, DEPA offers an agile, evolving framework. It allows users to access their data securely and seamlessly, share it with third-party institutions, and exercise consent that is free, informed, specific, clear, and revocable.
Consent Managers Under DEPA’s Institutional Architecture
DEPA’s institutional architecture involves the creation of new market players known as User Consent Managers who will ensure that individuals can provide consent as per a digital standard for every shared data. The Reserve Bank of India (RBI) has issued a Master Directive to create Consent Managers in the financial sector, known as Account Aggregators (AAs). The DigiSahamati Foundation, a non-profit collective, was established to bring together these players.
Open APIs in Action
Open Application Programming Interfaces (APIs) facilitate seamless and encrypted data flow between data providers and data users through a consent manager.
DEPA’s Implementation
The implementation of this model will be taken up by regulatory bodies like RBI, SEBI, IRDAI, PFRDA and the Ministry of Finance. The regulatory foundation is also expected to evolve over time with the forthcoming Data Protection Authority envisaged under the Personal Data Protection Bill, 2019.
The Background and Journey to DEPA
The regulatory direction on data privacy, protection, consent, and new financial institutions necessary for DEPA’s application in the financial sector was provided by the Supreme Court Judgement on the Right to Privacy in 2017, Personal Data Protection Bill (PDP), 2019, Justice Srikrishna Committee Report, 2018 and the RBI Master Direction on NBFC-Account Aggregators, 2016. A government committee led by Infosys co-founder Kris Gopalakrishnan has suggested allowing domestic companies and entities to harness non-personal data generated in India.
Applications of DEPA in Different Sectors
DEPA has applications in multiple sectors. In the financial sector, individuals and Micro, Small, and Medium Enterprises (MSMEs) can use DEPA to access affordable loans, insurance, savings, and better financial management products through their digital footprints. It is also being introduced in the telecom sector, following a Telecom Regulatory Authority of India (TRAI) consultation report released in July 2018. Its implementation in government departments will begin with the Goods and Services Tax (GST) department. The National Health Authority is piloting the DEPA architecture for healthcare data, and the Ministry of Skill Development and Entrepreneurship is encouraging its adoption for digital skill credentialing.
Advantages of DEPA
DEPA’s framework enables significant innovation by new fintech entities by replacing costly and cumbersome data access and sharing practices. It provides individuals and small businesses with practical means to access, control, and selectively share personal data stored across multiple institutional datasets. DEPA will also enable better personal financial management services, wealth management, robo advisory, or different types of lending, insurance, and investment products.
Global Approaches to Data Protection and Sharing
Countries around the world have different approaches to data protection and sharing. The European Union has implemented General Data Protection Regulation (GDPR), the UK has established an Open Banking Data Sharing Framework, and Australia has introduced My Health Record and the Australian Consumer Data Right for the banking sector. China has prioritized national security over user control and data democracy while the USA is yet to implement a nationwide data protection law.