Tl;dr

IFF has submitted its comments on draft Data Empowerment and Protection Architecture (DEPA) Policy. In our comments, we highlighted four issues we felt the draft policy must address: firstly, that safeguards must be put in place to ensure that truly informed consent is taken; secondly, for sustainable innovation the policy must oriented the use of technologies towards the interests of citizens and move away from making financial sector models it's central framework; thirdly, that a firm and robust regulatory mechanism through a proposed Data Protection Authority for consent managers must be enforced; and lastly, that the role of civil society must be expanded from a watchdog to a important stakeholder with a seat on the table.

What is the DEPA?

The aim of the proposed Data Empowerment and Protection Architecture (DEPA) is to centre consent sharing mechanisms around the rights of users. It categorises individuals/organisations into four distinct types:

• Data Users: Bodies that look to process data to provide a serviceThese include fintech companies, credit providers, and banks.
• Users: Individuals whose consent for processing data is being asked for.
• Data Fiduciaries: Institutions that generate and control the data of users.
• Consent Managers: Bodies that will mediate consent sharing between data users, users, and data fiduciaries.

The DEPA mechanism operates in the following way: a data user sends a request for processing the data of a user to a consent manager. The consent manager then asks the user for their consent. Should such consent be forthcoming, the consent manager then generates a consent artefact that contains details such as the precise type of data that will be processed, who is allowed to process it, and the reason for which the data is being processed. This consent artefact is then sent to the data fiduciary, who then, in a pipeline independent of the consent manager, sends the data to the data user.

Such a model has already begun to be implemented in the financial sector. The RBI has announced a framework for Account Aggregators, who will be consent dashboards for the banking industry. A self regulatory organisation, Sahamati, has already been set up with the help of industry members.

What are the risks it poses?

While such a framework that is primarily focussed on financial models of incentives and regulations may potentially help empower citizens, such hopes must be juxtaposed with the implementation challenges. Millions of Indian citizens possess low levels of education, with digital literacy a distant dream. In such a context, most users would be unable to truly freely choose whether to share their consent. Unaware of their rights as users and citizens, they may not be able to fully comprehend the implications of consenting to sharing their data, and thus risk a breach of privacy and security.

Furthermore, progress on reducing the digital divide has been slow. The Centre’s own data says that as of 2020, “more than 15 crore rural households (94% of 16.85 crore households) did not have computers and a significant number of these households were likely to be digitally illiterate”. A 2018 report by the Digital Empowerment Foundation found that pan India digital literacy levels were no more than 10%. Existing schemes also suffer from focusing on knowledge about the use of computers, which fails to adequately address the problem as most indians access the internet through mobile devices.

A rights centric approach minimises risk, maximises data empowerment

Our recommendations are clustered into 4 principle areas. We have cited several peer-reviewed studies and scholarly literature to buttress our claims and welcome further discussion on their merits on the Internet Freedom Forum.

• Consent in the context of citizen’s rights: The policy foregrounds the consent of the user as primary, which is commendable. It is also welcome that the policy envisions multiple pathways for consent manager business models. However, given the relations of dependency that would inevitably develop between consent managers and data users, as well as the mention of an opt-out model for consent in healthcare and banking, further safeguards need to be introduced to ensure the sanctity of informed consent. Additionally, while we recognise that the reversibility of the consent sharing mechanism may vary across sectors, as far as possible citizen’s right to revoke access must be upheld. Here we also strongly recommend against a default, "opt-in" of consent for which, an, "opt-out" may not provide for a meaningful safeguard.
• Ensuring a citizen oriented policy: A strong data protection regime is an expression of commitment to the protection of the rights of citizens - it is not just a matter of a “prevention-of-harm perspective”. Thus, we must refashion our conception of innovation with human welfare and not just financial incentives. Going beyond viewing data as, "oil" or, a limited, property right, towards a richer conception of digital rights of citizens. For example, while acknowledging the need for increasing access to formal credit, we feel that an increased reliance on Fintech and microlending is not warranted, especially as they can end up having adverse social and economic consequences, and so an alternative usage of the data solicited has to be imagined.
• Need for firm regulatory oversight: We understand that, given the nascent state of existing infrastructure, DEPA must be given room to grow and innovate. However, such growth must not come at the cost of the rights of citizens. A self-regulatory model may result in a situation where overriding the rights of citizens may be incentivised. Thus, a statutory government regulator such as the proposed Data Protection Authority must oversee compliance and set data standards, especially as the policy itself contemplates a large usage of DEPA in the financial sector where self-regulation has been proven to have deleterious effects. The nature of consent managerial organisations must also be clarified in greater details as to whether it is proposed they would on specific functions fall within the jurisdiction of data and financial regulators.
• Role of civil society: It is welcomed that civil society is provided with a clear and substantive role in the proposed framework. However, its current role seems to be envisioned to be something along the lines of a post facto alarm bell to ensure the protection of digital rights. Firstly, while civil society must, of course, play a role in this, it is vital that the proposed Data Protection Authority steps in to definitively monitor such violations or at the least creates a body that would do so. Additionally, civil society organisations should be given a more direct consultative role in the creation of DEPA, as they may provide valuable inputs on the process.

IFF's comments on the policy can be found here.

Important Documents

1. The draft Data Empowerment and Protection Architecture Policy (link)
2. IFF's comments on the draft Data Empowerment and Protection Architecture Policy (link)
3. The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad (link)
4. ThePersonal Data and Information Privacy Code Bill, 2019 as introduced as a private members bill by Mr. D. Ravikumar, Member of Parliament (link)

#SaveOurPrivacy

#BanTheScan