This article is written by Shreya Jain, pursuing Diploma in International Data Protection and Privacy Laws from Lawsikho. The article has been edited by Prashant Baviskar (Associate, LawSikho) and Ruchika Mohapatra (Associate, LawSikho).
Table of Contents
Currently, data is in control of the giants who have captured most of the marketplace all over the world. These incumbents make profits more than the GDP of a few countries. Since data is the new oil, they have become powerful and have already created a monopoly in the market dynamics. This has affected small scale enterprises to survive in such a tech-savvy marketplace. It is inevitable to mention that with the COVID-19 outbreak, businesses of many small entrepreneurs have either vanished or are surviving with much difficulty.
To overcome the same, and to sustain competition in the market, it has become essential for governments to intervene and come up with some solution for providing fair opportunities to all the businesses present in the market, and to promote new ones providing them with the facility to easy access to the existing data and to share it with third-party institutions. Therefore, NITI Aayog has come up with a framework known as Data Empowerment and Protection Architecture (hereinafter referred to as DEPA) which will enable SMEs to utilise the existing data that is available in silos, i.e., with the existing players from the industry such as fintech, e-commerce, healthcare or insurance bringing out new products and services in the market.
Hence, DEPA may be considered as a global solution to the existing problem in the industry wherein data is accumulated in the hands of a few and generates opportunities for market players across all the sectors. It will enable the provide entrepreneurs to leverage this framework to build new products and services. Let us understand what DEPA is, and what does it aim at?
Data Empowerment and Protection Architecture (DEPA)
Data Empowerment and Protection Architecture is a framework released by National Institute for Transforming India (NITI) Aayog in India. It is also called a “consent-based-data-sharing framework to accelerate financial inclusion. Ensuring consent-based sharing, the granularity of the information (data subject may decide what information to be shared), and moving from data fiduciary centric model to individual-centric model. It basically entails the procedure for receiving and giving consent to share data to the third parties through the consent manager. Data would be encrypted; hence, the consent manager does not have access to data. A similar mechanism is being developed for each sector. The procedure is clearly explained in the chart below:
Aim of DEPA
DEPA framework aims at allowing people to access their data seamlessly and securely, and share it with third-party institutions. It is an Indian model of data governance that is evolving and targets individual empowerment, economic recovery and growth, and competitive data democracy.
DEPA also focuses on the financial inclusion of individuals, digital opportunity, consent manager involvement, organ framework, APIs for data sharing, etc.
Special attention is given to the utilization of existing data sets along with the India stack to empower individuals to have control over their data sharing and build new services. It is brought to the table keeping in mind the benefits of individuals and small firms and are not merely constraining incumbents to benefit from using individual’s data.
Primarily, DEPA entails salient features in its draft which widely covers all the sectors including financial, health, telecom, etc. These key highlights play a major role in curbing the existing monopoly with the silos and promoting fair competition in the market.
Key highlights of DEPA
It enables the growth of MSMEs (greater financial security), new aspirations (through credit), and prosperity (through savings and investment).
Since data is the new oil, through this framework, MSMEs will become data-rich, and resultantly, witness socio-economic growth. Due to the large scale use of data in the digital market and the increase in mobile connectivity after the advent of Aadhar, UPI, etc., members from lower socioeconomic strata are more data-savvy a have more access to data. Therefore, small businesses, Kirana shop owners etc., could use their digital data for building trusts with financial institutions for availing credit. APIs enable encrypted data flow between the data user and the data provider.
Data is in control in the hands of a few incumbents; and presently, whoever has data, has power.
If you pay attention to the numbers, Facebook and Google together dominate about 71 per cent of the digital ad market in the US. It is merely because of the concentration of data in the hands of silos. Data needs to flow to gain maximum economic growth.
WeChat and AliPay also own 93 per cent of the $5.5 trillion mobile payments market (about 50 times the US mobile payment market) leaving a meagre 7 per cent for other banks. Below is the chart of the world’s largest data centres wherein the US and China are dominating the world:
Therefore, in India, DEPA has tried resolving a similar issue by focusing on sharing data amongst other small players present in the market and simultaneously, protecting and empowering the data.
Inverting the data
It basically means giving power to the user and announcing to him the owner of his data. Users can share the data in a secure manner, and opt for sharing it for its own benefit, rather than sharing it with silos to get advertisements. Although it requires an evolvable, interoperable, and secure data sharing framework to stand in the market.
Paradigm shifts towards empowerment
It is personal data management that transforms the current organization-centric data sharing to an individual-centric approach, it promotes user control on data sharing for empowerment. Hence, companies can not benefit from an individual’s data.
A new class of institution
Consent managers are created in the new market, they are more inclined to individuals, hence, no more extortion of data from the users can take place will prevail. This framework is majorly proposing the implementation of consent managers in all sectors as a way to manage users’ consent which would ensure that individuals can provide consent for every piece of data shared and would work for the protection of data rights. It primarily focuses on replacing the current mechanism for data access and sharing mechanism which involves bulk printout notarization and physical submission, screen scraping, username/password sharing etc. It recognizes the problem of small firms not being able to reap the benefits of individual data and ends up being used mostly by the larger firms.
It is primarily designed wherein consenting is programmable as opposed to all permissive terms and conditions. It is designed on the principles acronym ORGANS:
O– Open standard- unified approach for all the companies.
R– Revocable- individuals can withdraw their consent anytime.
G– Granular- individual decides every time if the data has to be shared, and for how long.
A-Auditable- in machine-readable logs of consent provided.
N– Notice to all parties provided.
Here, it is easy for users to understand and interpret information. Therefore, no over-consent is given or less informed users exist.
Data protection, affordability, accountability, individual agency, incentive alignment, minimising data, informed consent, data minimisation, data rights, data use, reciprocity, shared open infrastructure, etc., are a few guiding principles of DEPA.
Combinatorial layered innovation
Identity layer (individuals having a unique identity) like Aadhaar, eKYC, eSign, etc., payment layers enabling interoperable, instant and cheap payments, and Data empowerment by bringing in the picture consent manages, DigiLocker, etc.
DEPA in various sectors
DEPA in the financial sector : the account creator model
“DEPA introduced in the financial sector in 2020 under the joint leadership of the Ministry of Finance, Reserve Bank of India (RBI), Pension Fund Regulatory and Development Authority (PFRDA), Insurance Regulatory and Development Authority of India (IRDAI), and Securities and Exchange Board of India (SEBI)”- as announced By NITI Aayog. Although the same has already begun in the financial sector, with a closed user group (CUG) launched by major banks in July 2019.
Account Aggregator (AA) is a consent Manager in the Finance sector. It is basically a class of NBSC approved by RBI to manage consent for financial data sharing. There will be multiple AAs present in the market to provide consent-based services to the users as well as data fiduciaries. Financial Information Provider (FIP) and Financial Information User (FIU) may use this service. Few AAs already existing in the market include CAMSFinServ, Cookiejar Technologies Private Limited (product titled Finvu), Finsec AA Solutions Private Limited (Product tilted Onemoney). Etc.
The diagram below depicts the functioning of the Account Aggregator:
DEPA in the health sector
DEPA was proposed to be piloted in the health sector in 2020, the same has been iterated by Hon’ble Prime Minister, Narendra Modi on Aug 15th wherein he also announced the National Digital Health Mission, which includes a Health ID and a data-sharing framework for personal health records of all the individuals (similar to Aadhar card).
DEPA in telecom, education, jobs, etc.
Currently, DEPA has laid its roots in the Financial Sector and will soon expand its umbrella to the health sector, followed by the telecom sector, education sector and so on as announced by NITI Aayog in its guidelines scheme. However, it is yet to be seen how data will perform in the financial sector in order to analyse its impact, growth and performance in the health, telecom and education sectors.
Challenges that DEPA may face in India
Organisations that are self-regulatory may create difficulty in considering consumer issues. Although the DEPA framework envisages that Self-Regulatory Organisations (SRO) will not be biased towards any stakeholders, be it consent managers, data providers and consumers, however, in practice, it might be difficult to balance the needs of all the three parties mentioned above.
Further, procedural data sharing guidelines for SROs, consultation procedure, complaints mechanism, etc. have also not been mentioned yet in the DEPA. Regulators are going to play a key role in the same and may become a deciding authority for the same, but the same has not been finalised yet.
Data fiduciaries like laymen, small scale enterprises, Kirana store owners, etc., may face certain issues which need to get resolved in no time for them to trust the process. For instance, if the consent manager asks for the consent of the data fiduciary to share its data with a third-party institution. If there are multiple questions to answer in order to provide consent regarding each question, it will be a lengthy procedure. Lack of awareness amongst the stakeholders.
PDP Bill is still pending in the Parliament; it is the need of the hour. Therefore, for DEPA to come into existence, the data protection bill must be ratified is a must. A mandate/law is required for a country population like India to be willing to work on such neglected topics.
Moreover, it is going to be a big challenge to convince incumbents to move to DEPA. They have their own set of rules and procedures, and this novel invention is going to take away their monopoly from the market, hence causing them a huge loss.
The overall picture of DEPA looks great, however, it lacks clarity, practicality, and there are some loopholes that have not been talked about yet.
DEPA looks great from the outside, as deeper you go, you find multiple loopholes. It is a time taking procedure, needs practice in all the sectors to bring it into effect across the country. It is a cliché framework but in practicality, too far to reach its goal.
Incumbents who have data have power. Therefore, it is important to safeguard and protect data from being getting misused. To accomplish the same, the Government of India is trying to come up with a Personal Data Protection Bill. The bill is still pending to be approved by Parliament. Hence, till today, there is no law to protect the data of data fiduciaries in India. DEPA is somehow connected to PDP Bill and without its enactment, it will be a challenge to bring into practice the DEPA. Without Law, people lack trust and sincerity to abide by the framework.
Furthermore, due to covid situation, the internet has become an inevitable part of people’s lives. With the increase in the use of the internet, data sharing has also increased, resultantly, increase in cybercrimes, targeted marketing, etc. Therefore, this is another reason to bring into effect is a data law.
- https://www.jishnusanyal.com/post/_depa-consent-manager-account-aggregator-framework#:~:text=Overall%20DEPA%20 seems%20like%20an%20 ambitious%20step%20 towards,account%20 aggregators%20are%20already%20 providing%20new%20business%20opportunities
- https://www.jishnusanyal.com/post/_depa-consent-manager-account-aggregator-framework#:~:text=Overall%20DEPA%20 seems%20like%20an%20 ambitious%20 step%20 towards,account%20 aggregators%20are%20already%20 providing%20new%20business%20opportunities
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: