116 B, Mittal Towers, Nariman Point, Mumbai, India

Introduction

With an ever-evolving, highly dynamic digital space, the world being at our fingertips and our entire existence locked up in data packets, privacy and autonomy of user data are of crucial importance. To this end, India had introduced the Personal Data Protection Bill, 2019 (“PDP Bill”), followed by the Data Empowerment and Protection Architecture (“DEPA”) framed by NITI Aayog, to substantiate the PDP Bill. This article deals with the framework of DEPA and its impact on data privacy.

DEPA tries to make consent the central piece of the mechanism that currently runs data submission, access and its usage. By proposing to provide data autonomy to users by ensuring free, informed and granular consent governed by an intermediary called the “consent manager”, the DEPA framework focuses on providing awareness to individuals with the aid of a mechanism for avoidance of any data breach

The Concept of DEPA

The DEPA architecture aims at streamlining data exchange between the source of data (e.g. bank, health institution etc.), the third party (the one requesting data) and the data user (owner of data, i.e. an individual), whilst reducing breach of privacy and data misuse. DEPA is the final step in the Digital Indian Stacks for secure data sharing as claimed by NITI Aayog, with the first stack being Identity Layer (Aadhar, eKYC), second being the Payment layer (UPI payments) and finally ‘Data Empowerment’ layer.

The entire DEPA architecture is built on the premise that an individual is the best judge to decide the “right use of his personal data”. DEPA allows and empowers users to seamlessly and securely, without any hassle, attain autonomy over their data, derive benefit out of it and share it with third-party institutions under the supervision of consent managers who facilitate and monitor the whole process of consent transmission. The concept of consent managers was first introduced in the PDP Bill, wherein a Consent Manager is “the data fiduciary, a self-regulatory institution which allows the user to access, withdraw, review and manage consent through an API framework (Application Programming Interface).”

Explanation: Consent Manager will access the data stored by different institutions in data sets, seek user consent and only after the user’s grant of consent, send it to third party institutions. Such consent managers are data blind and work as the mediator for encrypted data flows.

The Consent Manager will provide a notice to the user before hosting the process of data transmission. The above notice, among other information, shall contain the purpose for data collection, categories of personal data collected, source of collection and persons with whom such data may be shared. Thus, it maye be gauged that “Consent” is the base-work of the entire DEPA framework, as discussed further herein.

The primary reason for bringing in DEPA is to tackle massive data scandals like Facebook’s “Cambridge Data Analytica Case”( Scandal focused on obtaining the personal data of millions of Facebook users without their consent by British consulting firm Cambridge Analytica, predominantly to be used for political campaigns) and the “Chinese App Ban in India” (wherein 267 apps including PubG, Tik-Tok etc. were banned in India citing compromise on information of Indian citizens and quoting a threat to the sovereignty of the nation). In both the cases, huge amount of user data was illegally used, exported, transmitted and stored without the prior user authorization for commercial benefits. Thus, in light of this, DEPA tries to safeguard users against such bulk printout notarization and physical submission, screen scraping (extraction of data), username/password sharing, with terms and conditions forms providing blanket consent.

Sectorial Implementation

  • Financial Sector: After the Pradhan Mantri Jan Dhan Yojna was launched in 2014, billions of people were added to the formal banking systems and were introduced to UPI payments and eKYC, thus creating a significant digital footprint. Now, using DEPA, individuals and Micro, Small, and Medium Enterprises (“MSMEs”) can strengthen their digital footprints to access affordable loans and insurance, savings, and better financial management products. This will result in more economic inclusion and advanced cash flow funding, wherein the portability and control of data would allow MSME owners to share proof of business, their regular tax (“GST”) payments or receivables, basis which a bank would design and offer working capital loans based on their demonstrated ability to repay (known as flow-based lending) rather than only offering bank loans backed by assets or collateral. The same goes with obtaining insurances, maintaining a credit score etc. An ad-hoc implementation has also been started after the Master Circular of RBI.It is pertinent to note that the consent managers under the financial sector are known as Account Aggregators (“AA”), as notified by the RBI Master Directive. The RBI Directive under Clause 6 defines the consent Architecture for AA and says that no financial information of the customer shall be retrieved, shared or transferred by the AA without the customer's explicit consent. For example, “Digilocker” is a platform that acts as an AA by providing preservation, retention and delivery of electronic records to the user. Further, this entire AA ecosystem is called “DIGISahamati”, a non-profit collective responsible for procedural guidelines for participating institutions.
  • Other Sectors: Along with the financial sector, DEPA is even piloted to set its framework in the Healthcare and Telecom sectors with the help of concerned ministries and existing policies in place, with the advent of time.

The ‘Organs’ Framework

“ORGANS” stands for Open standards (ensuring all institutions use the same approach interoperably); Revocable (by individual users); Granular (provided for each time you share data, stipulates how long data can be accessed for, etc.); Auditable (in machine-readable logs of consent provided), providing Notice to all parties, and after that Secure by design. DEPA provides for an ORGANS framework for attaining their objectives; the framework requires data to be governed by the ORGANS principle.

It could be a hindrance to the already existing laws like the new Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“IT Rukes, 2021”), as it mandates the intermediaries like WhatsApp LLC to trace the first originator of sent messages. This may infringe the whole privacy rights and consent mechanism of such originators as claimed by WhatsApp while battling a suit against Indian Government.

Status of Consent Before DEPA

Before the DEPA or PDP Bill, the organizations would override the existing data regimes by taking blanket user consent under broad terms and conditions to process personal data. No heed was paid to the fact that the users may not understand the scope of such terms and conditions, or to the implications of their consent to personal data. Since there was no proper policy or statute, the entities had weaker obligations to respect user preferences for processing personal data over and above what it is consented for. Consequently, the entities were free to circulate, share and store the data with third party institutions without prior user consent. E.g. WhatsApp released its updated terms of privacy on 4th January 2021, under which it tried to deprive the users of their consent and choice to share data with other apps, including those owned and operated by Facebook. Moreover, this policy was accompanied by a condition under which users who did not accept the updated privacy terms would have to quit using WhatsApp altogether- beginning 8th February 2021- when the updated terms and policies were envisaged to be enforced. Hence, WhatsApp tried to gain haywire autonomy over user’s data, rendering the entire “Consent Mechanism” concept void.

Conclusion

The existing policy framework is well-crafted and appreciated theoretically, but presents multiple technical inconsistencies and loopholes. Additionally, the DEPA framework is yet another nail in the coffin wherein no proper guidelines and infrastructure are apprehended and no ministerial actions or sectorial regulations have been taken into consideration to review the same. Like any other government policy, if not worked upon, the said framework would remain a mere pictorial architecture with a seeming dead end. We, therefore, remain silent spectators of the possibility of intended application and implementationof DEPA, rendering users of the modern India the most revered participants of the digital space or mere wishful thinking. Only time will tell!