NITI Aayog has presented a draft policy that allows individuals to “seamlessly and securely access their data and share it with third party institutions.”
The new draft policy, titled ‘Data Empowerment And Protection Architecture’ (DEPA) argues “India needs a paradigm shift in personal data management” and proposes a consent framework that would allow individuals and small businesses to “access, control and share personal data” with third party institutions.
The reports seeks to enable organisations to share the personal data of an individual with one another through the concept of “consent managers” - that will manage people’s consent for data sharing.
In doing so, the policy frames this new data governance model in the context of ‘individual empowerment’ by allowing the seamless exchange of personal data among institutions in a secure manner while minismising privacy harms.
This draft policy comes hot on the heels of other data-related policies such as the Non-Personal Data Governance Framework and the National Digital Health Mission. NITI Aayog has stated that the policy will be publicly launched and operationalised in 2020 itself and is currently seeking comments on the draft till 1 October.
NITI Aayog’s New ‘India Model’ For Personal Data Sharing Explained
1. Why Has This Policy Been Proposed?
The reports identifies the problem of India’s digital economy as being held back by personal data of an individual lying across silos.
It argues that the “The problem is not that companies are benefiting from individuals’ data; the problem is that individuals and small firms do not benefit,” the draft states.
This report flows from the Centre’s overarching position that data is primarily an economic good. This is reflected in the Personal Data Protection Bill (currently tabled in Parliament), the Economic Survey of India in 2019 and 2020 as well as the decision of ministries to sell the data of citizens without consent to generate revenue and most recently in the Non-Personal Data Governance Framework published 13 July.
However, the proposed goal of maximising economic value from personal data is possible if action is taken to ensure ease of data flows between silos such as banks, NBFCs, insurance companies, government department with user consent.
Who All Have Developed This Policy?
This policy, published by NITI Aayog and set to launch in 2020, involves four regulators across banking, securities, insurance, and pensions - RBI, SEBI, IRDAI, PFRDA - and the Ministry of Finance coming together to implement this model.
The report has been prepared by iSPIRT, a Bengaluru-based not-for-profit think tank comprising some of the biggest names in India’s technology sector as its volunteers. Among the core pillars of its operation is to “convert ideas into policy proposals to take to government stakeholders.”
iSpirt products include India Health Stack, National Health Stack and OCEN ( APIs for interaction between lender and Loan Service Provider)
The report has also received inputs from “individual thought leaders” including Nandan Nilekani, Justice Srikrishna (who headed the committee on personal data protection bill), former SBI chairperson Arundathi Bhatacharya, and lawyer Rahul Matthan.
Expand2. Where Does This Policy Fit?
DEPA “as a layer of secure digital data sharing through consent” forms the final layer of India Stack
India Stack is a privately-owned bouquet of proprietary software or APIs powering Aadhaar-based applications, and UPI based digital transactions. It allows government, businesses to use India’s digital infrastructure to deliver private services.
The other key layers of India Stack include the ‘identity layer’ (Aadhaar, launched 2010), and a ‘payments layer’ for digital payments (the Unified Payments Interface, launched 2016). DEPA will form a part of the ‘data empowerment’ layer “to enable secure sharing of data” as the NITI Aayog describes it.
DEPA identifies three building blocks in order to facilitate this new model of data sharing.
- enabling regulations
- cutting edge technology standards
- new types of public and private organisations
Expand3. What’s in It for Those Whose Personal Data Is Shared?
DEPA has been positioned as a policy that seeks to empower “Indians with opportunities to improve their own lives.” How does it seek to do so?
According to this draft, “DEPA is founded on the premise that individuals themselves are the best judges of the ‘right’ uses of their personal data, rather than competing institutional interests.”
DEPA seeks to move away from an organisation-centric system of personal data sharing to an individual-centric approach where a person provides consent to, say a bank to share her data with a credit company or a tax/GST platform to share data with a wealth management company.
The policy outlines two incentives to individuals in consenting to her data being shared.
- Build trust with institutions that store and share personal data.
- Allow business to use that personal data to derive value it which could, in turn, provide benefits to individuals in terms of loans, insurance.
Using DEPA, “individuals and small businesses can use their digital footprints to access not just affordable loans, but also insurance, savings, and better financial management products.”
For small businesses and kirana businesses, if a shop owner can digitally share proof of the business’ GST payments or receivables, “a bank could design and offer regular small ticket working capital loans based on demonstrated ability to repay rather than only offering bank loans backed by assets or collateral.”
Expand4. What Are Consent Managers?
In view of the treatment of personal data as an economic good, the policy advocates for the creation of “a new class of institutions” called ‘consent managers’ that will act as a conduit between individuals (data principals), institutions in possession of the individual’s personal data (data fiduciary) and a business that seeks access to that personal data.
The concept of consent managers was introduced in the Personal Data Protection Bill. This new class of institution will manage an individual’s consent for data sharing with businesses through an accessible and interoperable platform.
In other words, under DEPA, the interaction between an individual, a potential data user, and the institution holding a user’s information will be mediated through consent managers
DEPA policy states that these consent managers are ‘data blind’ and will not see or use personal data themselves; rather they will serve as a conduit for encrypted data flows.
These Consent Managers in the financial sector will be known as Account Aggregators. A non-profit collective or alliance of these players will be created called the DigiSahamati Foundation (‘Sahamati‘).
Expand5. What Are the Primary Concerns?
A number of concerns arise from a privacy, transparency and accountability perspective.
First, DEPA is yet another data policy that comes in the absence of a law to protect the personal data of citizens. However, the Personal Data Protection Bill, which is tabled in the Lok Sabha, provides the “consent philosophy” for DEPA, according to this draft report.
Second, a recurring issue with the development of data-related policies is regarding the transparency and accountability of private players who are intrinsic to the preparation of policies and digital infrastructure.
Third, while the draft policy has been presented for comments from the public till 1 October, another recurring issue has been the lack of consultations with all the relevant stakeholders prior to the development of such policies. While DEPA seeks to empower individuals with control over her personal data, there was no prior involvement of the public in shaping this policy.
In an important development in a related policy issue, Delhi High Court noted on 3 September that lack of meaningful public consultation could be raised as a ground if the the National Digital Health Mission is challenged after its notification.
The National Digital Health Mission which has come under fierce criticism for being rolled out in a rush in the middle of a pandemic will collect, process and store massive amount of sensitive health data of citizens. However, the government had initially given just a week for public comments. This has now been extended by another week to 10 September.
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)
Expand
Why Has This Policy Been Proposed?
The reports identifies the problem of India’s digital economy as being held back by personal data of an individual lying across silos.
It argues that the “The problem is not that companies are benefiting from individuals’ data; the problem is that individuals and small firms do not benefit,” the draft states.
This report flows from the Centre’s overarching position that data is primarily an economic good. This is reflected in the Personal Data Protection Bill (currently tabled in Parliament), the Economic Survey of India in 2019 and 2020 as well as the decision of ministries to sell the data of citizens without consent to generate revenue and most recently in the Non-Personal Data Governance Framework published 13 July.
However, the proposed goal of maximising economic value from personal data is possible if action is taken to ensure ease of data flows between silos such as banks, NBFCs, insurance companies, government department with user consent.
Who All Have Developed This Policy?
This policy, published by NITI Aayog and set to launch in 2020, involves four regulators across banking, securities, insurance, and pensions - RBI, SEBI, IRDAI, PFRDA - and the Ministry of Finance coming together to implement this model.
The report has been prepared by iSPIRT, a Bengaluru-based not-for-profit think tank comprising some of the biggest names in India’s technology sector as its volunteers. Among the core pillars of its operation is to “convert ideas into policy proposals to take to government stakeholders.”
iSpirt products include India Health Stack, National Health Stack and OCEN ( APIs for interaction between lender and Loan Service Provider)
The report has also received inputs from “individual thought leaders” including Nandan Nilekani, Justice Srikrishna (who headed the committee on personal data protection bill), former SBI chairperson Arundathi Bhatacharya, and lawyer Rahul Matthan.
Where Does This Policy Fit?
DEPA “as a layer of secure digital data sharing through consent” forms the final layer of India Stack
India Stack is a privately-owned bouquet of proprietary software or APIs powering Aadhaar-based applications, and UPI based digital transactions. It allows government, businesses to use India’s digital infrastructure to deliver private services.
The other key layers of India Stack include the ‘identity layer’ (Aadhaar, launched 2010), and a ‘payments layer’ for digital payments (the Unified Payments Interface, launched 2016). DEPA will form a part of the ‘data empowerment’ layer “to enable secure sharing of data” as the NITI Aayog describes it.
DEPA identifies three building blocks in order to facilitate this new model of data sharing.
- enabling regulations
- cutting edge technology standards
- new types of public and private organisations
What’s in It for Those Whose Personal Data Is Shared?
DEPA has been positioned as a policy that seeks to empower “Indians with opportunities to improve their own lives.” How does it seek to do so?
According to this draft, “DEPA is founded on the premise that individuals themselves are the best judges of the ‘right’ uses of their personal data, rather than competing institutional interests.”
DEPA seeks to move away from an organisation-centric system of personal data sharing to an individual-centric approach where a person provides consent to, say a bank to share her data with a credit company or a tax/GST platform to share data with a wealth management company.
The policy outlines two incentives to individuals in consenting to her data being shared.
- Build trust with institutions that store and share personal data.
- Allow business to use that personal data to derive value it which could, in turn, provide benefits to individuals in terms of loans, insurance.
Using DEPA, “individuals and small businesses can use their digital footprints to access not just affordable loans, but also insurance, savings, and better financial management products.”
For small businesses and kirana businesses, if a shop owner can digitally share proof of the business’ GST payments or receivables, “a bank could design and offer regular small ticket working capital loans based on demonstrated ability to repay rather than only offering bank loans backed by assets or collateral.”
What Are Consent Managers?
In view of the treatment of personal data as an economic good, the policy advocates for the creation of “a new class of institutions” called ‘consent managers’ that will act as a conduit between individuals (data principals), institutions in possession of the individual’s personal data (data fiduciary) and a business that seeks access to that personal data.
The concept of consent managers was introduced in the Personal Data Protection Bill. This new class of institution will manage an individual’s consent for data sharing with businesses through an accessible and interoperable platform.
In other words, under DEPA, the interaction between an individual, a potential data user, and the institution holding a user’s information will be mediated through consent managers
DEPA policy states that these consent managers are ‘data blind’ and will not see or use personal data themselves; rather they will serve as a conduit for encrypted data flows.
These Consent Managers in the financial sector will be known as Account Aggregators. A non-profit collective or alliance of these players will be created called the DigiSahamati Foundation (‘Sahamati‘).
What Are the Primary Concerns?
A number of concerns arise from a privacy, transparency and accountability perspective.
First, DEPA is yet another data policy that comes in the absence of a law to protect the personal data of citizens. However, the Personal Data Protection Bill, which is tabled in the Lok Sabha, provides the “consent philosophy” for DEPA, according to this draft report.
Second, a recurring issue with the development of data-related policies is regarding the transparency and accountability of private players who are intrinsic to the preparation of policies and digital infrastructure.
Third, while the draft policy has been presented for comments from the public till 1 October, another recurring issue has been the lack of consultations with all the relevant stakeholders prior to the development of such policies. While DEPA seeks to empower individuals with control over her personal data, there was no prior involvement of the public in shaping this policy.
In an important development in a related policy issue, Delhi High Court noted on 3 September that lack of meaningful public consultation could be raised as a ground if the the National Digital Health Mission is challenged after its notification.
The National Digital Health Mission which has come under fierce criticism for being rolled out in a rush in the middle of a pandemic will collect, process and store massive amount of sensitive health data of citizens. However, the government had initially given just a week for public comments. This has now been extended by another week to 10 September.
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)