Data Empowerment and Protection Architecture

Context

Policy think tank NITI Aayog is seeking suggestions on the Data Empowerment and Protection Architecture.

Background

Policy think tank NITI Aayog has released discussion paper to seek suggestions and comments on the ‘Data Empowerment and Protection Architecture (DEPA)’ draft which aims to promote greater user control on data sharing. The Architecture will empower individuals with control over how their personal data is used and shared while ensuring privacy concerns of individual.

In Detail

In relation to the draft of Data Empowerment and Protection Architecture (DEPA), NITI Aayog has sought feedback from all stakeholders. At the core of the proposed architecture is the institution of a consent management system, which will allow the sharing of the information in view to provide better financial, health and telecom-related products and services to individuals and firms. In a nutshell, DEPA empowers people to seamlessly and securely access their data and share it with third party institutions.

Based on the Personal Data Protection Bill 2019 and the planned Data Protection Authority, DEPA can be applied to various sectors. This could empower individuals with not just financial and healthcare data, but also telecom, educational, or jobs data to better improve access to opportunities.

DEPA is also aimed at enabling better personal financial management services, wealth management, robo advisory, or different types of lending, insurance, and investment use cases and products.

The primary purpose of DEPA is predicated on the notion that individuals should have control over how their personal data is used and shared.

It also pointed out that a well designed data governance framework for the Indian context would enable, not just secure data protection, but also grant users control over data through a safe and seamless protocol to share data across institutions, leading to individual empowerment and well-being.

Key Issues in Data Management

The draft explains that data currently exists at unknown points, it includes that gathering data in this environment is cumbersome and that individuals and small businesses lack control over their own data.

The problem is not that companies are benefiting from the data of individuals but is that individuals and small firms do not getting benefit. The mission of the DEPA is therefore to provide individuals and small businesses with the practical means to access, control, and selectively share personal data that they have stored across multiple institutional datasets.

It also emphasised to maximise the benefits of data sharing for individual empowerment whilst minimising privacy risks and data misuse. By giving people the power to decide how their data can be used, DEPA enables an individual to control the flow of and benefit from the value of her personal data, relying on not only institutional data protection measures but also restoring individual agency over data use.

The report stressed that the Micro, Small and Medium Enterprises will stand to benefit after DEPA fully rolls out. Even pre-COVID, only about 8 per cent of the total MSMEs in the country had access to formal finance, while the other 92 per cent are likely taking loans at onerous terms from ad-hoc sources, and are regularly facing working capital shortages. These small businesses are increasingly transacting digitally.

If portability and control of data could allow an MSME owner to digitally share proof of the business including the tax details and receivables invoices, a bank could design and offer regular small working capital loans based on demonstrated ability to repay, rather than only offering bank loans backed by assets or collateral. Flow based lending is the norm for individuals providing proof of salary to access home and car loans, yet these types of products are yet to take off at scale for MSMEs, partly due to frictions in accessing required data.

Conclusion

The draft for the discussion paper is designed as an evolvable and agile framework for good data governance, given the rapid pace of change in this arena.

India needs a paradigm shift in personal data management that transforms the current organisation-centric data sharing system to an individual centric approach that promotes user control on data sharing for empowerment.

Other countries have responded to data protection challenges by implementing efforts to improve data protection and consent-based sharing (such as Open Banking in the UK or General Data Protection Regulation (GDPR) in the EU), which India can learn from.

Connecting the Article

Question for Prelims

With reference to the Draft Data Empowerment and Protection Architecture, consider the following statements:

1. It aims to empower people to seamlessly and securely access their data.
2. It aims to restrict the sharing of Personal data with third party institutions.

Which of the statements given above is/ are correct?

(a) 1 only
(b) 2 only
(c) Both 1 and 2
(d) Neither 1 nor 2

Question for Mains

In the current digital world, individuals should have control over how their personal data is used and shared. Comment.