SFLC.IN's Comments on Data Empowerment and Protection Architecture (DEPA)
The NITI Aayog released the draft Data Empowerment and Protection Architecture (hereinafter “draft document/ framework”) for consultation on September 4th, 2020. The initial period of consultation for the draft document was till October 1st, 2020 which was later extended to November 30th, 2020. This is a commendable step.
In a participatory democracy, important frameworks like these must be finalised after providing reasonable time to all stakeholders for sharing their inputs and holding transparent consultations on the framework. While we laud the NITI Aayog’s decision to extend the timeline of submissions and being transparent about the agencies involved in drafting of this document, it is important for the agencies assisting in drafting documents like this one to disclose their business interests for the sake of transparency and accountability.
We would particularly like to criticise the fact that no civil society organisations (a crucial set of stakeholders) or its members were consulted in drafting of this framework. The proposed framework has been given sanctity by NITI Aayog. However, it will essentially operate in a regulatory vacuum for the benefit of private entities.
The framework seems to have been finalised with a few private entities, an industry body and some entities structured as non-profits aimed at championing industry interests. The consultation looks like an afterthought aimed at just ticking a box without any meaningful expected output.
We strongly recommend that the framework should be finalised only after the Personal Data Protection Bill has been passed by the Parliament. Creation of a standalone horizontal policy in the absence of a data protection legislation has a possibility of creating more problems than it vows to resolve. The framework needs to be reworked with clear boundaries and regulation by the Government. Industry bodies and industry driven non-profit entities cannot be a complete replacement for a transparent Government body, whose actions can be effectively monitored and challenged in courts, if necessary. There should be a statue regulating the security standards, open standards, rights of data principal, role of consent managers, grievance redressal and requirement of a dispute resolution body which could be the Data Protection Authority as envisaged in the draft Personal Data Protection Bill.
Interestingly, while the “proposed” framework is open for consultation, it has already been implemented in financial sector in the form of “Account Aggregators” without a legislation governing data collection or processing.
The draft document has relied on Ministry of Electronics and Information Technology’s policy on “Electronic Consent Framework”[1] (hereinafter “the consent framework”). However, there is no proper analysis on the legal basis for the framework in the light of the law laid down in Justice Puttaswamy vs. Union of India (2017).
The draft document has relied on various studies and reports on digital transaction, bank account registrations, businesses filing invoices etc. but has nowhere provided the actual numbers as compared to the total transactions, bank account registrations, business filing invoices respectively. This gives an incomplete and rather misleading picture of the current situation.
The draft document at multiple places makes assertions without delving into the specifics. It presumes that India’s financial exclusion is because of lack of trust and asymmetry of data without delving into its reasons including lack of access to formal credit sector, digital literacy, access to digital devices etc. Similarly, while it provides for giving rights over personal data to individuals and small businesses, it does not elaborate as to how this shall be implemented.
Lastly, the draft document mentions that there would be open standards to ensure that all institutions use the same approach interoperably. We recommend that the open standards in DEPA must be in compliance with the Central Government’s “Policy on Open Standards for e-Governance”.
We sincerely hope that our comments on the proposed framework shall be taken into consideration. As an organisation working extensively on promoting and protecting digital rights of Indian citizens for a decade, we would be honoured to assist the NITI Aayog with our research and technology expertise, to help the cause of preserving and promoting digital rights and freedom of citizens.
You can read our comments on the draft document here.
[1] Electronic Consent Framework, Technology Specifications, Version 1.1, Ministry of Electronics and Information Technology (MeitY). <http://dla.gov.in/sites/default/files/pdf/MeitY-Consent-Tech-Framework%20v1.1.pdf>