India to empower citizens with control over use of personal data

Niti Aayog seeks suggestions and comments on Data Empowerment and Protection Architecture (DEPA), which aims to empower individuals with control over how their personal data is used and shared

The government is all set to launch a Data Empowerment and Protection Architecture (DEPA) that will let citizens have control over how their data is used or shared while ensuring privacy. The framework aims to be a public-private effort for a new and improved data governance approach, and policy think tank NITI Aayog has already sought suggestions on the DEPA draft document before October 1.

The on-ground implementation of the framework is set to launch this year.

Nandan Nilekani, Aadhaar architect, and Infosys co-founder, in a Tweet on Friday said: “The DEPA draft is out now. India is taking a historic step towards empowering individuals with control over their personal data, by operationalising an evolvable regulatory, institutional, and technology design for secure data sharing.” Nilekani is one of the industry leaders, along with top financial institutions and government departments, involved with providing insights to build the framework.

According to the draft, millions of Indians are creating electronic transaction histories and becoming ‘data-rich’ at historic rates. Personal data helps people inform and build trust with key institutions providing life-altering services, such as hospitals, banks, or future employers. Knowing this, the draft said it is unreasonable not to give individuals agency over their data. DEPA is founded on the premise that individuals themselves are the best judges of the ‘right’ uses of their data and that they should not struggle to access and share their data.

DEPA would empower people to seamlessly and securely access their data and share it with third-party institutions. A private ‘consent manager’ institution will ensure that individuals can provide consent for every granular piece of data shared securely (using newly created standard APIs). These consent managers should also work to protect data rights.

“India is the first country in the world to take a citizen-first approach to personal data sharing. DEPA puts the citizen in control of her data,” said Sharad Sharma, co-founder, iSPIRT Foundation, a technology think tank, which has contributed to building the draft. “Only consented data flows are allowed, and these are granular and auditable. This builds trust. There are many use-cases like financial inclusion where DEPA can be applied right away. Many such use-cases have been outlined in the paper.”

DEPA’s first application has been in the financial sector, for greater inclusion and economic growth. Using DEPA, individuals and small businesses can use their digital footprints to access not just affordable loans, but also insurance, savings, and better financial management products.

According to the draft, even before Covid-19 hit India, 92 per cent of the small businesses lacked access to formal credit. The paper said consented data sharing can reduce cost and risk-premium of offering loans to small entrepreneurs by creating frictionless and secure access to data, used to establish creditworthiness, with individual consent.

Most such loans today are offered based on collateral. Instead, offering short-term working capital loans based on evidence of past turnover (for example, through GST) that indicate a future capacity to repay is critical to solving the Rs 20-25-trillion credit gap faced by micro, small and medium enterprises, said the draft.

“DEPA is aimed at inverting the traditional Western model, where data is simply used to advertise and sell products, to one where data can be used to empower a billion Indians,” said Salman Waris, managing partner at technology law firm TechLegis Advocates and Solicitors. “It can show a new ‘India way’ on data governance.”

Protection of both data privacy and user rights are gaining increasing significance in an evolving complex digitised world. “Giving more control over users of data and bringing in transparency will help users get better access and rights to the data they are generating, along with building trust and addressing the misuse of the information,” said Ankur Pahwa, partner and national leader, e-commerce and consumer internet at consultancy EY India. Pahwa said companies, especially in areas such as finance, health, online social profiles, will need to build a better data governance framework to safely share information with customer’s consent.

Sachin Taparia, founder and chairman of LocalCircles, a platform which hosts an online community of over 30,000 start-ups and SMEs, said DEPA will provide financial institutions with a platform to better understand borrowers and help them make informed decisions. “This ideally should reduce NPAs (non-performing assets) and make more loans available to small businesses,” Taparia said.

DEPA will also be piloted in the health sector this year. On August 15, Prime Minister Narendra Modi announced the National Digital Health Mission, which includes a Health ID and a data-sharing framework for personal health records. DEPA is also being launched in the telecom sector.

On the flip side though, experts said more information about an individual or business will now become public, which, if not secured well, could lead to misuse by rogue elements. “We are still a country where (one) can purchase credit cardholder data, online shoppers’ data, combine that with election records, and pretty much get to most, if not all, information about an individual,” said Taparia. “This is something the policymakers — involved with DEPA, PDP (personal data protection), NPD (non-personal data) or digital health ID — need to keep in mind and define specific and enforceable penalties that create a serious disincentive for anyone that compromises personal or aggregate data of an individual or business.”