Update (September 11, 2020 12:30 pm): The deadline to submit comments has been extended to November 30.

NITI Aayog’s newly released draft Data Empowerment and Protection Architecture (DEPA) seeks to break data silos and monopolies so that fintech and healthtech companies can compete on basis of design, analytics and value creation rather than data access. Its secondary aim is to help individuals and small businesses access their data and to securely share it with third party institutions. The latter will be implemented through consent managers — private entities that piggyback on public digital infrastructure and eventually derive profit from it in the form of service charges.

Subtitled “consent-based data sharing framework to accelerate financial inclusion”, the DEPA framework aims to help people get “practical means to access, control, and selectively share personal data” which is stored across multiple databases. The framework essentially proposes the implementation of an RBI Account Aggregator system in all sectors as a way to manage users’ consent. Comments to the draft can be submitted via email until October 1, 2020 at annaroy@nic.in.

To make the consent manager model financially viable, DEPA has proposed that consent managers could charge a nominal fee to facilitate a data exchange. Instead of charging individuals/data principals, DEPA proposes charging the data users in a subscription model. Information Providers could charge a service fee in future, but as of now, in the financial sector, they have agreed to provide data without charges

As per the report, this framework is “set to launch in 2020”. The scale of the project is evidenced by the spectrum of government ministries and regulators involved in the project: RBI, SEBI, PFRDA (Pension Fund Regulatory and Development Authority), IRDAI, Finance Ministry (Department of Revenue, Department of Economic Affairs, Financial Sector Development Committee), Ministry of health and Family Welfare, the National Health Authority, the Ministry of Information and Technology, and TRAI.

This framework will act as the regulatory foundation for sector-specific data regulation that will evolve with the implementation of the Personal Data Protection Bill and the Data Protection Authority proposed therein. Read the summary of the policy here.

Aims to ‘improve private service delivery’

The aim of DEPA is to build digital infrastructure to “improve private service delivery” and must be seen in the continuum of developments that gave rise to Aadhaar and related services, UPI, DigiLocker, OCEN, regulation of non-personal data — as attempts by a lobby of powerful private individuals and companies that have sought to control the telos of digital infrastructure in India as well as dictate the debate around digital rights. The report calls it the “final layer of India Stack” which is described as “a series of digital public goods designed to enable private market innovators to improve digital services for India across a range of sectors”.

The report envisions DEPA, together with India Stack, as a paradigm shift for the Indian ecosystem as the TCP/IP internet protocol or GPS were for internet at large.

At the heart of the framework lies the belief that consent, while not the only backstop, is a “powerful first step” towards “empowering individuals with data”.

Who is behind the DEPA?

According to the acknowledgements page which has been signed by Anna Roy, senior adviser at NITI Aayog, iSPIRT team, specifically Siddharth Shetty and Kamya Chandra, prepared this paper. Shetty is a Fellow at iSPIRT and leads their work on DEPA while Chandra is a Fellow at iSPIRT who has worked on the National Health Stack in the past. iSPIRT has been working on DEPA since at least May 2019.

What is iSPIRT? iSPIRT is a Bangalore-based, private technology think tank that “convert[s] ideas into policy proposals to take to government stakeholders”. It was established in 2013 and its donors include Ajay Data (Infosys), Sameer Nigam (PhonePe), Vijay Shekhar Sharma (Paytm). Its volunteers include Lalitesh Katragadda (ex-Google), B.G. Mahesh (co-founder of Sahamati), Kunal Shah (CRED), amongst many others. It is the think tank behind India Stack, National Health Stack, OCEN and other public tech stacks in India. UIDAI and NPCI are part of the roadmap of India Stack.

Other “non profit organisations” involved in the preparation of the draft: DICE India, Sahamati and CredAll.

  • Sahamati is a non-profit collective of account aggregators that has been set up as a not-for-profit company under Section 8 of the Companies Act. Siddharth Shetty, a Fellow at iSPIRT who co-wrote this framework, is a co-founder of the collective.
  • Credall is a collective of lenders (HDFC, ICICI Bank, Axis Bank, SBI, IDFC First Bank), loan service providers (OkCredit, Open, Cleartax, PaisaBazaar.com, etc.), technology service providers (SignDesk, Decentro, JusPay, etc.), account aggregators and underwriting modellers.
  • DICE India, or the Digital India Collective for Empowerment, is an industry lobby for digital payments providers that “collaborates” with the regulators to make policies.

Infosys co-founder and the man behind Aadhaar, Nandan Nilekani, was also an “individual thought leader” in this project along with Justice B.N. Srikrishna, who headed the committee that formulated the first draft of the Personal Data Protection Bill in 2018, Arundhati Bhatacharya, the CEO of Salesforce India and former chairperson of the State Bank of India, and Rahul Matthan, the founder of Trilegal who also wrote the privacy policy and terms and conditions of Aarogya Setu.

Others include: Arnab Kumar (former Program Director of Frontier Technologies at NITI Aayog who spearheaded the Aarogya Setu project), Pritish Mishra (ex-NITI Aayog who now works as legal counsel for Tala, a California-based fintech company), Ankan De (innovation lead at NITI Aayog), Aaryaman Vir (an iSPIRT volunteer), Gayatri VS, Ayna Agarwal (former policy designer for iSPIRT).

Banks involved in this project include SBI, IDFC First, HDFC, ICICI, IndusInd, Axis, Kotak and other unnamed banks.

Read: Summary: Data Empowerment and Protection Architecture (DEPA)