data-empowerment-and-protection-architecture-depa

Context: A number of countries have been looking to extend their existing data protection frameworks to ensure that users have more effective control over their data than their regulations currently allow. 

  • These new measures will make it easier for data to flow from the entity that currently holds it to any other data business that might want to use it with the permission of the data subject.
  • One such framework is Data Empowerment and Protection Architecture (DEPA).
  • It promises to be the techno-legal solution that can unlock value in data sharing by giving users more control over their data. This control not only results in increased competition but also fosters innovation. 

International data regulation rules for more user control over data:

  • In Australia, Consumer Data Right will allow consumers in Australia to require any business with which they have a commercial relationship, to transfer that data to any other business of their choice.
  • The EU’s proposed Data Act is intended to implement measures that will create a fairer data economy by ensuring better access to and use of data, and is intended to cover both business-to-business and business-to-government transfers of data. 

Significance:

  • These new regulations will thus both enable and regulate new data sharing arrangements that will intermediate the transfer of data from data businesses which currently hold it to those that have been permitted to use it.
  • They also suggest that it is not enough to protect data if you cannot also ensure that this data is effectively utilized—either for the benefit of the person to whom it pertains or society as a whole.

Challenges:

  • Catching up with technology: Modern data businesses are powered by technology. Technology determines how data is collected, processed and used, and, by extension, the manner in which it is transferred. 
    • Laws and regulation simply cannot keep pace with changes in technology. new consumer-centric measures are likely to fail if they are to be implemented solely through legislation.

India’ case

  • Sector Wise approach: India has adopted a slightly different approach to data transfers. It is being implemented sector-wise through a set of open, interoperable protocols. 
    • This framework is known as the Data Empowerment and Protection Architecture (DEPA), offers a technology-based solution for consent-based data flows, allowing users to transfer their data from data businesses that currently hold them to those that want to use them. 
    • DEPA is a joint public-private effort for an improved data governance approach. 
    • It creates a digital framework that allows users to share their data on their own terms through a third-party entity, Consent Managers.
    • DEPA is being tested in the health sector, as well as others.Recently, the country’s Account Aggregator framework—the first implementation of DEPA—went live in the financial sector.

Features of DEPA:

  • It has been designed as a mechanism that goes beyond data protection through a Privacy Enhancement Technology (PET) to ensure data empowerment by facilitating smooth and secure data flow. 
    • The two building blocks of DEPA: data portability and data interoperability.
    • Data interoperability addresses the ability of systems and services that create, exchange and consume data to have clear, shared expectations for the contents, context and meaning of that data.
  • The Data Protection Committee Report had supported the idea of a Consent Dashboard that would let a data principal have access to a dashboard operated by a third party to keep track of consent to different fiduciaries.
    • The RBI-supported Account Aggregator (AA) mechanism is one such dashboard, following the DEPA model, that allows a user to access their financial data at one place.
    • AAs are Non-Banking Financial Companies (NBFCs) that act as a digital platform where users can see their entire financial data from different entities called Financial Information Providers (FIPs), such as banks, mutual funds, insurance provider and tax/GST platform. 
    • It is also where they can consent to share the data with a Financial Information User (FIU), such as  personal finance management, wealth management and robo advisers. 
    • In the present scheme of AA, FIUs can use only asset-based data such as bank accounts, deposits, mutual funds, insurance policies, and pension funds.[
  • The Open Credit Enablement Network (OCEN) in the financial sector: OCEN allows a user to share with a potential lender their financial data from various sources, such as the Goods and Services Tax (GST) record from the GST system, to prove their creditworthiness without having to show assets. 
    • This data sharing happens through a third-party Consent Manager (CM) through the use of APIs. 
    • The lender in turn decrypts this data and uses their own algorithms to assess the creditworthiness and either approve or reject a loan application. 
    • This way, a small business, who may not have adequate assets, uses its own data to get a loan.

Benefits of DEPA:

  • It encourages competition among players. Consent managers, as the existing AA structure suggests, will sit between multiple data fiduciaries and data users. 
    • Instead of requesting data portability, this data-sharing architecture allows the flow of data from multiple controllers to the desired destination
    • At the same time, the user can determine the terms of data flow such as the scope and duration of data sharing, and can revoke the same.
  • Reduction in transaction cost and increased competition are not the only benefits of DEPA. 
  • It separates consent collection from data flow: “Consent to collect” by a data user does not include “consent to share”. 
    • The CMs are data-blind themselves, as they do not store the data of users and merely act as a conduit. 
    • This means that a Consent Manager does not “determine… the purpose and means of processing of personal data” and is therefore not  a ‘data fiduciary’.
  • Ensures data privacy: Additionally, a data controller does not get to know the identity of the data user. Moreover, the data flowing through the architecture is encrypted and can be decrypted only by the FIU for which it is intended.

Challenges:

  • India still does not have a data protection regulation and implementing a technological solution for data transfers in the absence of a legal framework could undermine the right to privacy under Article 21 of the constitution.
    • The current legislative framework that governs user data in India is the Information Technology (IT) Act, 2000 that requires user consent before any entity shares ‘sensitive data’ with third parties. 
    • It, however, does not provide for a framework that recognises users’ control over their data and mandates data portability. 
  • Lack of data interoperability due to non-standardisation impedes the growth of services that require data sharing.
    • In DEPA, different agents can communicate with each other by effectively integrating datasets through the use of APIs.
      • API is the acronym for Application Programming Interface, which is a software intermediary that allows two applications to talk to each other. Each time you use an app like Facebook, send an instant message, or check the weather on your phone, you're using an API.
    • In the past too, API-enabled services such as the layered digital service and open API framework known as IndiaStack enabling verifiable identity (Aadhar), eKYC data sharing, and an interoperable Unified Payments Interface (UPI) have provided crucial digital tools to facilitate easy transactions.
    • In general, non-standardised APIs is a challenge faced by digital solutions.

Way forward

  • Techno-legal approach to data regulation: Technology businesses are most effectively regulated through a judicious mix of law and technology. 
    • There should be strong, principle-based laws to provide the regulatory foundation, with protocol-based guidelines to ensure compliance.
  • Data Portability: The most fundamental building block of DEPA is the concept of data portability. 
    • Data portability is a right that allows users to request a data holder to share their data with a third party.
    • In current digital markets, a small number of firms hold a large part of users’ data. 
    • The technological and economic characteristics of digital businesses, most notably network effects, lead to market concentration.Data portability is a means to ensure that users do not get locked in.
  • Establishing Data protection regime: The most fundamental legal basis of DEPA is the right to data portability enshrined in Sec 19 (1) of the draft Personal Data Protection Bill, 2019.
    • Further, Sec 23(3) of the draft PDP Bill provides: “The data principal may give or withdraw his consent to the data fiduciary through a consent manager.”. 
    • In turn, a consent manager has been defined as “a data fiduciary which enables a data principal to gain, withdraw, review and manage his consent through an accessible, transparent and interoperable platform.
    • According to the PDP law, a data fiduciary can be an individual, state, organization, or entity that chooses how their data should be stored, processed, and handled.
    • Together, Sections 19 (1) and 23 (3) of the draft PDP Bill form the legislative mandate upon which the DEPA framework will rest.
    • For the widespread use of DEPA, the draft law should soon be concretised in the form of legislation.

Source: Click Here