iSPIRT works to transform India into a hub for new generation software products by addressing crucial government policy, creating market catalysts and growing the maturity of product entrepreneurs. Welcome to the Official Insights!
The Data Empowerment and Protection Architecture (DEPA) empowers every Indian with control over their data, democratises access and enables the portability of trusted data between service providers. This architecture will help Indians access better financial services, healthcare services, and other socio-economically important services. DEPA is more commonly known as the ‘Consent Layer of India Stack’.
The rollout of DEPA for financial data and telecom data is taking place through Account Aggregators that are licensed by RBI. It already covers all asset data, liabilities data, and telecom data.
The purpose of the session is to understand the technological, institutional, market and regulatory architecture of DEPA, its impact on existing data-consuming businesses, and how people could contribute to this new data sharing infrastructure that’s being built in India.
The session will be anchored by Siddharth Shetty (Data Empowerment And Protection Architecture Lead & Fellow, iSPIRT Foundation)
DEPA Unleashed
DEPA is a new approach, a paradigm shift in personal data management and processing that transforms the current organization centric system to a human-centric system. By giving people the power to decide how their data can be used, DEPA enables the collection and use of personal data in ways that empower people to access better financial, healthcare, and other socio-economically important services in a safe, secure, and privacy-preserving manner.
In the fight for data, the individual has lost control over how their personal data is collected, shared, and used. This can be a very disempowering experience for the user, who now has no means of gathering and using their data for their own benefit. It also inevitably prevents the user from accessing essential financial services and inhibits their participation in the market.
India, which is a step ahead of the curve, recognises the need to empower the user with their own data. The Indian government has operationalised the values stated above by encouraging and mandating organisations to seek the consent of the user to use and share their data, and has seeded the idea of data access fiduciaries, organisations envisioned to enable personal management of consent. The first manifestation of Data Access Fiduciaries is for financial data, through the NBFC-Account Aggregator.
NBFC Account Aggregator Ecosystem
The Account Aggregator enables users to maintain and use their financial data as they see fit.
In the past, it was tremendously hard for an Indian to get a statement of his bank account; when applying for a loan, he had to share either unverifiable paper records or his banking password with the lender, not knowing what data might be extracted. With Account Aggregators, customers can allow certain financial data to be shared safely. And because the Account Aggregators operate on a fee-for-transaction business model and are legally prohibited from storing or selling data, users can rest assured that their privacy is respected.
The Account Aggregator performs two main functions. It assists and enables the user to access their financial data easily and it helps manage consent.
For a quick overview of the Data Empowerment and Protection Architecture and NBFC Account Aggregator, you may watch this Future State webinar: https://youtu.be/mxFe5404jY8
Overview of the Data Empowerment and Protection Architecture (DEPA)
Technology Architecture
Institutional Architecture of Data Access Fiduciaries
Market Architecture of the entire Ecosystem
Q & A
Location
Residency Road, Bangalore
Time
5:30pm – 7pm
How to participate?
We’re inviting fintech entrepreneurs, product managers, developers and anyone else who is looking to understand the potential of the Data Empowerment and Protection Architecture.
The Draft Privacy Bill lists 4 Rights for a Data Principal, one of which is the Right to Data Portability:
(1) The data principal shall have the right to—
(a) receive the following personal data related to the data principal in a structured, commonly used and machine-readable format—
(i) which such data principal has provided to the data fiduciary;
(ii) which has been generated in the course of provision of services or use of goods by the data fiduciary; or
(iii) which forms part of any profile on the data principal, or which the data fiduciary has otherwise obtained.
(b) have the personal data referred to in clause (a) transferred to any other data fiduciary in the format referred to in that clause.
Data protection and privacy have been a topic of hot debate and discussion in recent times in India. It has become extremely important, as India progresses to be a “Digital economy”, to address the issues relating to the use of personal data.
iSPIRT has been at the forefront of developing a Consent Framework, called the Data Empowerment and Protection Architecture (DEPA). The Account Aggregator Policy of RBI revolves around this consent architecture.
Whereas the bill is of interest to almost all sectors of the economy, it is extremely important for businesses in the Information Technology sector, and especially in the Software Product Industry, to understand the law as it is seeded and further as it evolves.
The bill has many aspects to it in the legal framework. It is not possible to cover the entire understanding of the bill in one blog. We have attempted to cover some salient features that may be important for the Software Product Industry, as well as how it connects with the techno-legal aspects of DEPA as it stands in the financial sector, perhaps to be replicated in other important sectors of the economy.
This blog is again posted in a Question and Answer format, both as a video and as a transcript of the video. You can use whichever you prefer.
Questions have been asked by iSPIRT volunteer and Policy expert Mr Sudhir Singh and answered by Supratim Chakraborty (Data Privacy and Protection expert from Khaitan & Co.) and Siddharth Shetty (leading the DEPA initiative at iSPIRT).
What are the most important aspects of the bill?
Supratim answered, “What we have seen is that through this draft bill, there is an attempt to establish a relationship of trust between the data subject and data controller. The nomenclature has been changed in this bill and it is data fiduciary and data principals. It puts a lot of onus on the data fiduciary to take care of data protection.”
“There are several important aspects of the bill that need attention, such as localisation of data, cross-border transfer and also some other aspects such as privacy by design, transparency requirement, security safeguards, breach notification, grievance redressal mechanism, the requirement of a Data Protection Officer, record keeping requirements”, Supratim elaborated.
Is there some restriction on data fiduciary? Is the state exempted?
Supratim said, “This bill is equally applicable to private parties and the Government, unlike the earlier provisions of sections 43A and 72A of the IT Act. 43A will be scrapped after this bill comes into existence. There has been a lot of debate on this aspect of bringing Govt. under the purview of the law.”
Is right to be forgotten covered in a similar way as GDPR?
Supratim explained, “Our Govt. has looked at this in a more business-friendly way by covering the right to be forgotten by providing that any further dissemination of data should be stopped once the data principal chooses to withdraw consent or asks for the right to be forgotten.”
He described four categories that govern how to determine whether data must be kept local, as described below.
You could have certain pockets of personal data that can be transferred outside.
There could be certain pockets of data that could be transferred outside, but a serving copy of the data has to be within the country.
The third category is sensitive personal data, the ambit of which has been widened considerably compared to what we saw under section 43A of the IT Act. For this, if sent out of
The fourth category is data that cannot be sent outside the country at all.
“On cross-border transfer of data, in addition to ‘consent’ there have to be standard contractual clauses (approved/prescribed by the authority) or the transfer must be to a jurisdiction approved by the central government”, he further explained.
What is the Data Protection Authority?
Supratim answered, “In the draft bill this seems to be an all-encompassing, all-powerful authority, from rulemaking to advisory to enforcement. Therefore it is important to see how this really shapes up. In the IT Act, sections 43A and 72A were largely there to cover the aspects of data privacy but enforcement and implementation.”
What are other important aspects to consider?
“There are many aspects but let us touch upon two given below”, said Supratim.
One is the requirement of having notices in multiple languages, which is not a very hard obligation the way it has been put. But in a country like India, for say an e-commerce platform, imagine the cost that one has to incur for putting up multiple-language notices. Also, we need to see whether we are able to really address the point of informed consent through this, because you also have a section of people who may be illiterate. The Justice Srikrishna report suggests that we should have short videos or graphical representations which make it very easy for someone to understand the critical aspects of privacy.
Another important aspect is the applicability of the law. This law is applicable to all processing that is happening in India and also to foreign bodies. Section 2(2) talks about applicability to foreign bodies; the first part says “in connection with any business carried out in India”. This means a global platform that is accessible from India has to meet the entire requirement of this law.
Are we going in the direction of GDPR?
Supratim answered, “Whereas we are trying to follow the gold standard and many countries are trying to follow the path set by GDPR, India is a quite different country and we are not following everything the way it is in GDPR; we have to be mindful of our requirements. But the idea is to slowly and surely reach a zone where we can have our laws quite akin to the laws of mature jurisdictions.”
How does the Bill address the iSPIRT DEPA initiative?
Siddharth sees this draft bill as a unique India-first approach. He feels that apart from addressing privacy and data protection aspects, it empowers Indians to have control over the use of their data for better financial services, better health services, education etc.
Siddharth goes on to explain that at iSPIRT, for the past 3-4 years, we have been working on the Consent layer of IndiaStack, or Consent framework, and it is great to see that the bedrock of the draft bill is actually based on consent; in that way it is somewhat similar to GDPR. But one of the biggest problems they are facing in the EU today is that it is very difficult to operationalise consent. For the first time, India has a unique infrastructure to operationalise consent.
“DEPA is nothing but a set of two tools that help to operationalise consent,” explains Siddharth.
One is known as the Digital Locker system, which allows the federated exchange of data, and the second is known as electronic data consent, which is nothing but an electronic representation of user consent.
“This means, if you want to share or allow your data from some provider to say another consumer, then you must be able to express what data you want to share, with whom, for what time period, in some codified manner. This codified information or consent is known as the consent artefact”, says Siddharth further.
As explained by Siddharth, the ‘consent artefact’ became a national standard in 2016, adopted by the four financial sector regulators RBI, PFRDA, IRDA and SEBI for their entire ecosystem.
Based on the consent artefact, every individual has access to their financial data and has a mechanism to share that data to gain access to a loan or any other service provider. This has been done through an institutional mechanism called the Account Aggregator.
Siddharth further elaborated that, “the ‘Account Aggregator’ (AA) is a class of entities known as data access fiduciaries. The AA, unlike in other parts of the world, decouples the institution that is collecting consent from the institution that is either consuming data or providing data. In the EU, e.g., as per the PSD2 directive, the account information service provider which consumes data is also responsible for collecting the data.”
In India, three AAs have been approved. Technical standard drafts are also out for the ecosystem. And through AA you actually have an entity that’s working toward creating an informed consent experience. Going forward, just like in UPI, where your consent is taken for a payment, through AA you will have an entity that helps you provide and control consent. Based on the financial sector, we have proposed a similar concept to TRAI for the telecom sector and to NITI Aayog for the health sector.
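As an added illustration (not iSPIRT's code and not the published AA technical standard), the following Python sketch models a consent artefact carrying the three attributes Siddharth names (what data, with whom, for what period) plus a purpose, and shows how a consent manager that is neither the data provider nor the data consumer can evaluate a data request against it, stop dissemination once consent is withdrawn, and log each consent flow for a dashboard. All field names and sample values are constructed assumptions.

```python
"""Simplified, hypothetical model of a DEPA-style consent artefact.
Field names and sample values are constructed; this is not the national standard schema."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Tuple


@dataclass
class ConsentArtefact:
    artefact_id: str
    principal: str                # the user whose data is shared
    provider: str                 # data provider, e.g. the user's bank
    consumer: str                 # data consumer, e.g. a lender
    data_types: FrozenSet[str]    # what data may flow
    purpose: str                  # why it may flow
    valid_from: datetime          # for what period
    valid_until: datetime
    revoked: bool = False         # set when the principal withdraws consent
    log: List[str] = field(default_factory=list)  # consent-flow log for a dashboard

    def withdraw(self) -> None:
        """The principal withdraws consent: any further dissemination must stop."""
        self.revoked = True
        self.log.append("consent withdrawn by principal")


def evaluate_request(art: ConsentArtefact, requester: str,
                     data_type: str, at: datetime) -> Tuple[bool, str]:
    """Decision the consent manager (the AA role) takes before data may flow.
    It sees the artefact and the request, never the financial data itself."""
    if art.revoked:
        verdict = (False, "consent withdrawn")
    elif requester != art.consumer:
        verdict = (False, "requester is not the consented data consumer")
    elif not (art.valid_from <= at <= art.valid_until):
        verdict = (False, "request outside the consented time window")
    elif data_type not in art.data_types:
        verdict = (False, f"data type {data_type!r} not within consented scope")
    else:
        verdict = (True, "allowed")
    art.log.append(f"{at.isoformat()} {requester} {data_type}: {verdict[1]}")
    return verdict


def sample_artefact() -> ConsentArtefact:
    """Constructed sample: a user lets one lender read bank statements for 30 days."""
    start = datetime(2018, 9, 1, tzinfo=timezone.utc)
    return ConsentArtefact(artefact_id="demo-consent-001", principal="user@example",
                           provider="bank-a", consumer="lender-x",
                           data_types=frozenset({"bank_statement"}),
                           purpose="loan underwriting",
                           valid_from=start, valid_until=start + timedelta(days=30))


if __name__ == "__main__":
    art = sample_artefact()
    print(evaluate_request(art, "lender-x", "bank_statement", art.valid_from.replace(day=6)))
    print(evaluate_request(art, "lender-y", "bank_statement", art.valid_from.replace(day=6)))
```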
Has the AA concept been addressed in the bill?
Siddharth explains further, “The bill makes consent the bedrock of most processing of data. The AA model is nothing but your consent collector or consent manager. For every data principal they have outlined the right to confirmation and access, the right to correction and, most importantly, the right to data portability. As a data principal, from a data fiduciary you have the right to request and port machine-structured, non-repudiable transaction history or any other user-generated data to other service providers. AA is nothing but a framework to operationalise this right.”
He further explained that in the report preceding the bill, they talk about the concept of a consent dashboard. AA is nothing but a consent dashboard. They had two tech innovations: the consent dashboard and the data dashboard. You can log consent flows and data flows.
Will there be consent dashboards like AA in other sectors also, or will there be one single point authority under the DPA?
Siddharth, “It would be a combination of both. If you see the draft bill, it allows sectoral regulators to write rules. For data that falls under the private data sets category, such as data pertaining to social media etc., the DPA would prescribe a standard.”
The report says that the dashboard can be maintained by each data fiduciary, or it can be a common dashboard that everyone else agrees on and follows. If you look at the account aggregator dashboard, it is a common dashboard for the entire financial sector. But social media companies can follow their own dashboards.
Any software product company that does not lie in any of the regulated sectors can create its own consent dashboard, where the user can come to see their dashboard, correct their data, port the data and manage their consent.
Unlike the IT act, this regulation will have a direct bearing on any businesses processing data irrespective of being in a Software product or other domain. And hence there is a need to be attentive. How right is this aspect?
“Yes, the ambit increases quite a bit. Wherever there is a sensitive personal data interface involved, the level of compliance requirement has gone up several times. In the IT Act, there was a mention of personal data in section 72A. The present draft bill does not talk about the deletion of 72A. The draft bill has a parallel mechanism set out in the IT Act”, mentioned Supratim.
Siddharth, “It is just not limited to compliance; this law unlocks a whole host of business models around consented data sharing that you haven’t yet seen in any other country, and it will be a really interesting space to see what companies get built out there.”
Questions from Participants
What is the definition of data processing? Or what is the differentiation between Data Storage and Data Processing. E.g. if you are an email service provider, is it Data Storage or Data Processing? (asked by Chintan)
Supratim answered, “The definition of data processing is extremely wide, enough to make businesses fall into the ‘data processing category’ without being a processor.”
What is the timeline? (Asked by Chintan)
MeitY has asked for public comments by the 10th of September on the draft bill; thereafter it will be presented to parliament and, after promulgation, there will be more work in framing the Authority, the rules by the DPA etc. The law is not expected to be in an implementable form for at least 18 months or so.
What happens to the Existing customer? Do we go back to them and get their consent? (Karthik)
Supratim answered, “Whilst it is not a retrospective legislation, if you continue processing without taking consent, you will fall foul of the requirement of law.”
Are there any fines defined here? (Karthik)
Yes, it has been taken care of. Just like other aspects, the draft bill is highly inspired by GDPR on this aspect also. We have 4% and 2% of annual turnover. There are 2 buckets: one is 4% and 15 Cr, and the other is 2% and 5 Crore.
Do we need to appoint a DPO?
“There is a segregation which has been made: a significant Data Fiduciary, under certain conditions, will have to have a DPO. Also, this law has an immense amount of significant rulemaking power”, answered Supratim.
Hence, it will be seen in future how rules are framed by the Authority. So, it has to be seen how business-friendly the authority remains in rulemaking; e.g. section 43A of the IT Act gave rulemaking power to define what is sensitive data and information and to set out what are reasonable practices and procedures. In the rules made subsequently, we saw a plethora of requirements set out, over-legislated and sometimes badly drafted.
The rules will go through an evolutionary cycle. Hence, the legislation has to be tested over a period of time as it unfolds, after crystallisation of this draft, promulgation by parliament into an Act, and rules being made after that on different aspects.
Disclaimer
PolicyHacks, and publications thereunder, are intended to provide a very basic understanding of legal/policy issues that impact Software Product Industry and the startups in the eco-system.
PolicyHacks, therefore, do not necessarily set out views of subject matter experts, and should under no circumstances be substituted for legal advice, which, of course, requires a detailed analysis of the relevant fact situation and applicable laws by experts in the subject matter on the case to case basis.
If you are facing an issue, we recommend you take expert professional advice on the case to case basis.
We intend to provide the best transcripts in the text part of the blog. However, it may not be an exact replica and may be an approximation: a more standardised, normalised or moderated version of the expert view presented in the video.