“In view of the new communication technologies which make it possible to store and use personal data, the right to control one’s own data should be added to this definition.” — Resolution 1165 (1998) of the Parliamentary Assembly of the Council of Europe, about privacy.
In the beautiful tech-savvy Baltic nation of Estonia, whenever any authority accesses the data of a citizen, the person is duly notified about the event and the reasons for such access. The Estonian government has no central servers or a master database; instead, each agency or organisation stores and administers its own data in encrypted form, and it cannot be shared without the knowledge and permission of the subject. Thus, data about any citizen’s taxes, traffic challans, land transfers, education, voter registration, healthcare and finances are stored in separate databases. One can choose which service providers see information from other providers — so, for instance, the data subject decides if he/she wants the family physician to see information from the psychotherapist or cardiologist or the skin doctor.
India is ready to embark upon a similar journey with the Data Empowerment and Protection Architecture (DEPA). This will be achieved by implementing regulatory, institutional and technology design for secure data sharing. According to NITI Aayog, “The Data Empowerment & Protection Architecture will empower individuals with control over how their personal data is used & shared while ensuring that privacy considerations are addressed.”
Data, privacy, security & innovation
A new class of institutions will be created whose economic incentives are aligned with those of users with regard to the sharing of personal data. Consent managers, the organisations maintaining the ‘electronic consent dashboard’ for users stipulated in the Personal Data Protection Bill, will mediate the interaction between an individual, a potential data user, and the data fiduciary holding the user’s information. Consent managers will be in the business of making sure that individual data is not shared without user consent and that individual data rights around privacy and portability are protected. The DEPA framework envisions these consent managers as ‘data blind’ entities that will not see or use personal data themselves but instead serve as a conduit for encrypted data flows; they are not permitted to store user data either.
As DEPA evolves, further technology modules that preserve privacy and data rights more effectively will be added, and both public and private players will be allowed to contribute to them.
Data barons and entry barriers
Big Tech firms with access to very large amounts of data use that data to improve the quality of their products and services: by increasing the accuracy of a search engine, improving targeted advertising or offering targeted discounts. Each improvement attracts additional customers, who in turn generate more data. This creates ‘network effects’ that amplify the existing advantage of whoever has already amassed the most data, and access to big data thus becomes a feedback loop that reinforces the dominance of large firms.
The customer or user therefore cannot ‘multihome’ or use portability to his/her advantage, and ends up in vendor lock-in. DEPA has the potential to break this cycle by unlocking data held in institutional silos. This will provide significant opportunities for a number of players, including banks, financial institutions and gaming operators, to redefine their business and operating models to generate new value propositions and provide innovative customer solutions. DEPA promises to open up consumer bank accounts to third-party providers, thereby unlocking banks’ data lakes and providing a level playing field with other financial services providers.
There are four recognised criteria for being a barrier to entry — inimitability, rarity, value and non-substitutability. Large technology corporations hoarding data to their own advantage do not fulfil any of the above. While participating in the deliberations on non-personal data, the authors of this article have strongly advocated the need to break these entry barriers down and look at data as commons.
Open banking and sharing with consent
Legislation can hinder innovation if it is technically restrictive or impacts the speed of technological progress, and an uncertain regulatory space may create an atmosphere of risk for investments. There is a need to achieve an optimal balance between the predictability of the regulatory environment and adaptability to technological and scientific progress.
Rather than letting the private sector drive the technology, the Indian government has sought to impose standards, and even cooperation, through regulations, technological architecture and frameworks. The “Indian way” to digital empowerment intends to create a transformative platform that takes an entirely novel approach to data protection, sharing, consent and privacy.
DEPA and the ORGANS principles
DEPA democratises access and enables secure portability of trusted data between different service providers. It involves the creation of a standardised technology architecture implemented within the right institutional constructs.
DEPA’s technology architecture is an interoperable, secure, and privacy-preserving framework for data sharing through:
1. A technology standard for a machine-readable consent artefact;
2. Open APIs for data sharing; and
3. A standard for financial information.
Consent under DEPA will adhere to the ORGANS principles, that is:
1. Open standards: the approach needs to be interoperable across institutions
2. Revocable: individuals must be able to revoke consent
3. Granular: consent is given per request, names the specific data being shared and the purpose, and stipulates for how long that data may be accessed
4. Auditable: machine-readable logs of consent should be provided
5. Notice: must be provided to all parties
6. Secure by design
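The ORGANS properties above, and the ‘data blind’ consent manager described under “Data, privacy, security & innovation”, can be made concrete as checks on a consent artefact. What follows is an added example written for this page; it is not DEPA’s published artefact schema, MeitY’s consent framework, or any consent manager’s code. The field names, the HMAC signing with a shared key (standing in for the public-key signature a real deployment would use), the in-memory audit log and the notice list are all assumptions made for illustration.

```python
"""Toy ORGANS-style consent artefact with the checks a data-blind consent
manager could run before a data flow is allowed to proceed.

Added example, not DEPA's or MeitY's specification: the field names, the
HMAC signing, and the in-memory audit log / notice list are assumptions.
"""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed key standing in for the data principal's signing key.
# Assumption: a real deployment would use a public-key signature.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def canonical(artefact: dict) -> bytes:
    """Open standard: canonical JSON, so every party signs and verifies the same bytes."""
    return json.dumps(artefact, sort_keys=True, separators=(",", ":")).encode()


def sign_artefact(artefact: dict, key: bytes = SIGNING_KEY) -> str:
    """HMAC-SHA256 over the canonical form; editing any field invalidates the tag."""
    return hmac.new(key, canonical(artefact), hashlib.sha256).hexdigest()


def make_consent(consent_id: str, principal: str, fiduciary: str, consumer: str,
                 data_types: List[str], purpose: str,
                 valid_from: int, valid_to: int) -> Tuple[dict, str]:
    """Granular consent: named data types, one purpose, one consumer, a time window."""
    artefact = {
        "consent_id": consent_id,
        "principal": principal,          # the individual whose data it is
        "fiduciary": fiduciary,          # the institution holding the data
        "consumer": consumer,            # the party allowed to receive it
        "data_types": sorted(set(data_types)),
        "purpose": purpose,
        "valid_from": valid_from,        # Unix seconds, inclusive
        "valid_to": valid_to,            # Unix seconds, exclusive
    }
    return artefact, sign_artefact(artefact)


class ConsentManager:
    """Data-blind mediator: it sees consent metadata and opaque ciphertext only."""

    def __init__(self) -> None:
        self.revoked: set = set()          # Revocable
        self.audit_log: List[dict] = []    # Auditable
        self.notices: List[dict] = []      # Notice to all parties

    def revoke(self, consent_id: str, now: int) -> None:
        self.revoked.add(consent_id)
        self.audit_log.append({"t": now, "event": "revoke", "consent_id": consent_id})

    def _decide(self, artefact: dict, signature: str, consumer: str,
                data_types: List[str], purpose: str, now: int) -> Tuple[bool, str]:
        # Secure by design: reject a tampered or forged artefact before anything else.
        if not hmac.compare_digest(sign_artefact(artefact), signature):
            return False, "bad signature"
        if artefact["consent_id"] in self.revoked:
            return False, "revoked"
        if not (artefact["valid_from"] <= now < artefact["valid_to"]):
            return False, "outside validity window"
        if consumer != artefact["consumer"]:
            return False, "consumer not named in consent"
        if purpose != artefact["purpose"]:
            return False, "purpose mismatch"
        if not data_types or not set(data_types) <= set(artefact["data_types"]):
            return False, "data type outside consented scope"
        return True, "ok"

    def authorize(self, artefact: dict, signature: str, consumer: str,
                  data_types: List[str], purpose: str, now: int) -> Tuple[bool, str]:
        """Check one data request against a consent; every decision is logged."""
        allowed, reason = self._decide(artefact, signature, consumer, data_types, purpose, now)
        self.audit_log.append({"t": now, "event": "request", "consent_id": artefact.get("consent_id"),
                               "consumer": consumer, "data_types": sorted(data_types),
                               "allowed": allowed, "reason": reason})
        if allowed:
            for party in (artefact["principal"], artefact["fiduciary"], artefact["consumer"]):
                self.notices.append({"to": party, "consent_id": artefact["consent_id"],
                                     "data_types": sorted(data_types), "t": now})
        return allowed, reason

    def forward(self, artefact: dict, signature: str, consumer: str,
                data_types: List[str], purpose: str, now: int,
                ciphertext: bytes) -> Optional[bytes]:
        """Relay a ciphertext from fiduciary to consumer if consent permits.
        Only a digest of the payload is logged: the manager never decrypts it."""
        allowed, _ = self.authorize(artefact, signature, consumer, data_types, purpose, now)
        if not allowed:
            return None
        self.audit_log.append({"t": now, "event": "forward",
                               "payload_sha256": hashlib.sha256(ciphertext).hexdigest()})
        return ciphertext


if __name__ == "__main__":
    art, sig = make_consent("c-1", "alice", "bank-a", "lender",
                            ["bank_statement", "tax_return"], "loan_underwriting", 1000, 2000)
    cm = ConsentManager()
    print(cm.authorize(art, sig, "lender", ["bank_statement"], "loan_underwriting", 1500))
    print(cm.authorize(dict(art, valid_to=9999), sig, "lender", ["bank_statement"], "loan_underwriting", 5000))
    cm.revoke("c-1", 1600)
    print(cm.forward(art, sig, "lender", ["tax_return"], "loan_underwriting", 1700, b"opaque"))
```

The order of checks matters: the signature is verified before any field is trusted, so a consumer who edits `valid_to` in a captured artefact is refused as forged rather than as expired, and the audit log records the attempt either way. The manager forwards the ciphertext byte-for-byte and logs only its hash, which is the whole content of the ‘data blind’ promise.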
DEPA features and advantages
To accomplish these goals, DEPA develops a novel consented data-sharing architecture. Findings so far have shown that, in current-day applications, consent is handled very loosely and often insecurely.
DEPA has the following features which ensure that there is a practical means to access, control and selectively share personal data stored across multiple institutional datasets:
A. Electronic Data Consent (EDC): Guiding principles for the sharing of user data across different services with user consent have been outlined previously in two key policy documents, namely, the “Policy on Open Application Programming Interfaces (APIs) for the Government of India”, published by the Ministry of Electronics and Information Technology (MeitY), and the “National Data Sharing and Accessibility Policy (NDSAP) 2012” by the Department of Science & Technology. Electronic consent allows for data to be electronically and securely shared with service providers on an as-needed basis, while maintaining traceability to ensure that the data trails can be audited in the future.
B. Technology tools for consented data sharing: The Indian government is envisaging a comprehensive technology framework to enable the effective and secure implementation of DEPA. The technology framework should be open, secure, user-centric and application-agnostic. With electronic consent, transactions can be completed and services rendered without users having to hand over credentials such as passwords or sign paper documents. Under this framework, data consumers (such as government departments, employers and lenders) can securely access users’ data from data providers (such as government departments and banks).
C. Consent management system: DEPA’s institutional architecture involves the creation of new market players known as consent managers, who enable consent management for the user. These consent managers are ‘data blind’ and will not see user data themselves; rather, they will serve as a conduit for encrypted data flows.
D. Individual-centric approach: The individual-centric approach of DEPA encourages user control on data sharing for empowerment. By giving people the power to decide how their data can be used, DEPA enables an individual to control the flow of and benefit from the value of her personal data, relying on not only institutional data protection measures, but also restoring individual agency over data use.
E. Promotes user control on data sharing for empowerment: The objective of DEPA is to provide the tools and utilities that enable us to build systems that can provide the user with the mechanisms for protecting and sharing their data. It is imperative to engender a trusted mechanism for the sharing of data by giving the people control of their data. DEPA opens up whole new models for privacy protection and auditing data flows while keeping the user at the centre.
Issues at this point
In 2015, the European Union acted to create a ‘digital single market’ for payment services in Europe, which is similar to what India is attempting. The EU’s Second Payment Services Directive (PSD2) strengthened consumer rights, introduced new security measures and provided the regulatory infrastructure for its own form of Open Banking (‘OB’). DEPA is principally trying to achieve comparable objectives.
A study by the global consulting firm Roland Berger, “Adapt or die? Why PSD2 has so far failed to unlock the potential of Open Banking”, finds: “In the implementation of PSD2, there is still a wide gap between ambition and reality. The established financial service providers have limited themselves primarily to meeting regulatory requirements.” Banks in the EU had until March 2019 to establish a “sandboxed” testing environment that third-party providers could access to test their products. However, according to the open banking platform Tink, 41% of the 442 European banks surveyed failed to meet the deadline.
The EU experience shows that driving changes in technology infrastructure at this scale is not easy; consumer awareness and stakeholder change management will also be crucial factors in DEPA’s success or failure.
Conclusion
The world has seen the Silicon Valley model of innovation, where almost everything operates on the principle of least interference and minimal regulation, thus driving immense economic benefits. India has instead embarked upon a path of regulation-led innovation through ‘India Stack’ in the delivery of public services. It is a set of APIs that allows government, businesses, start-ups and developers to use India’s digital infrastructure to deliver private services. These include Aadhaar, Aadhaar-based eKYC, Aadhaar-based eSign for digital contracts, UPI, DigiLocker, etc, and the Open Credit Enablement Network (OCEN) for lending.
What DEPA aims for, in this context, is to put citizens back at the helm of their affairs. They decide what data they want to share, with whom and for what purposes. The proposed architecture is designed to protect privacy and spur innovation at the same time, unlocking the economic value of data locked up in institutional silos. It is a bold step which, if successful, will ensure the economic inclusion of the underprivileged, a substantial reduction in banking fraud and cybercrime, and the creation of business opportunities for a large number of smaller players who are disadvantaged in the current scheme of things.
Brijesh Singh is an author and a senior IPS officer. Khushbu Jain is a practising advocate before the Supreme Court and founding partner, Ark Legal.