Data PrivacyData Empowerment and Protection Architecture

January 12, 20220


In an ever-changing and fast-paced digital ecosystem, data protection, privacy, and unlawful data sharing or misuse have all been making headlines in the recent past.  In the present times, not only data protection, but also data empowerment is a pressing concern for the citizens.

Citizens should be given the right to utilize their data for personal development and advancement. With the implementation of the Data Empowerment and Protection Architecture (DEPA), the Government seeks to create an environment that empowers citizens to use their data through institutional and technological design.

 According to NITI Aayog, DEPA “would provide people control over how their personal data is utilised and shared while also ensuring that privacy concerns are handled.” DEPA is also referred to as a “consent-based data-sharing framework for financial inclusion”.

DEPA proposes the establishment of a new type of Consent Manager Institution that would assure that individuals can assent to the sharing of all data and would seek to preserve data rights.

Consent Managers or organisations maintain the “electronic consent dashboard” for users, mediate the connection between a person, a potential data user, and the Data Fiduciary who holds the user’s data.


Even before becoming economically wealthy or financially stable, millions of Indians are creating computerized transaction histories and becoming ‘data-rich’ at unprecedented rates. Personal data assists people in informing and establishing confidence with essential institutions that provide life-altering services, such as hospitals, banks, and potential employers.

Given this, it is unreasonable to deny people control over their data. The DEPA Model reads an individual, rather than conflicting institutional interests, is the greatest arbiter of the correct use of their personal data”. Therefore, the citizens shouldn’t have to fight to get access to and share their information.

Three fundamental building elements are required to orchestrate a paradigm shift to empower individuals with their data: enabling policies, cutting-edge technology standards, and new forms of public and private organisations with motivations that are closely linked with those of individuals.

In India, DEPA aims to create a basis for all three. Given the rapid rate of change in this field, DEPA will not be a static policy. Instead, it will be an evolvable and adaptable framework for excellent data governance.

The DEPA model differs from the model used in the West wherein it not only registers data for consent-based sharing, but also helps people use their data to strengthen themselves.


In 2019, the Government drafted a Personal Data Protection Bill (the Bill) wherein anonymisation of data and the freedom to be forgotten are fundamental themes in the Bill that would enable digital empowerment in India. The Bill also proposes creating a Data Protection Authority to ensure institutions uphold these rights.

Most crucially, the Bill calls for an electronic consent dashboard that would allow data principals to track consent for processing in real time and operationalise their rights under data protection law.

The Bill emphasizes on the fact that personal data cannot be shared or processed without express and informed consent from the subject and such consent must also be voluntary, explicit, clear, and revocable.

DEPA’s claim heavily relies on the Right to Data Portability as mentioned in the Bill. The Right to Data Portability under the Bill currently encompasses personal data collected in the course of delivering services or as a result of profiling by the Data Fiduciary. On the whole, this clause might be changed to only include data submitted by the Data Subject.

DEPA also uses a standard consent architecture with interoperable accounts that allow Data Subjects to transfer to Consent Managers. While the consent architecture can be standardised, interoperable data formats are more difficult to obtain, especially in non-structured sectors. The financial sector may have an advantage due to standardised and controlled data. Other industries, like healthcare, may not be so.

While the comprehensive Bill is yet to be enacted, domain-specific laws and regulations enable the DEPA framework.


Civil Society: Civil society has been urged to act as a “data sharing watchdog”. However, the nature of any cooperation activities is unknown. It is difficult for civil society to be an effective “watchdog” when they are not heavily involved in the framework’s design and evolution.

In order to identify and comprehend their position in the framework and the ecosystem of stakeholders, the civil society must be included in the design and creation of the framework.

Financial Sector Regulators: The Financial Sector Regulators such as the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI), Insurance Regulatory and Development Authority of India (IRDAI) and Pension Fund Regulatory and Development Authority (PFRDA) could collaborate to build a viable ecosystem of Account Aggregators (AA) and client security in their respective sectors.

This collaboration will further accelerate the adoption and effective rollout of AA for all data related to assets and liabilities- banking, non-banking, securities, pension funds, and other financial services.

Financial Institutions: To take advantage of this new opportunity and solidify their role in the evolving ecosystem, current financial institutions will need to become Financial Information Providers (FIPs) and Financial Information Users (FIUs).

The Ministry of Finance: The Ministry of Finance could guide the sector-wide implementation with shared integrated adoption among banking, securities, insurance, and pensions.

New Data Protection Authority: According to the Bill, a new Data Protection Authority could be established to allow for the development and regulation of Consent Managers in other industries. They could also establish new data flow auditor institutions to conduct activities like trust score mapping.



The DEPA will be first adopted in the financial sector, with the goal of increasing financial inclusion and economic growth. Even before COVID-19, 92 percent of India’s small enterprises lacked formal financing.

By providing seamless and safe access to data required to evaluate creditworthiness with individual consent, consented data sharing can lower the cost and risk premium of lending to small businesses. The majority of these loans are now secured by collateral.

Small and medium sized businesses can use DEPA to access not only cheap loans, but also insurance, savings, and improved financial management solutions by using their digital footprints. DEPA is the latest phase in a decade-long quest to improve private service delivery by constructing digital infrastructure.

In the financial sector, an AA will be the consent manager. It is a type of Non- Banking Finance Company (NBFC) that has been approved by the RBI to manage consent for the sharing of financial data.

The AAs can charge the FIUs a fee each transaction to ensure the business model’s long-term viability. Any information that passes through the AA must be encrypted. Multiple AAs will be available in the market to provide consent-based services to users and data fiduciaries.


COVID-19 has re-emphasized the importance of developing digital infrastructure to disseminate medical data in the health sector. The National Digital Health Mission (NDHM), which comprises a Health ID and a data exchange framework for personal health information, has been introduced on August 15, 2020.

The NDHM is premised on the National Digital Health Blueprint (July 2019) of the Ministry of Health, which expands on the NITI Aayog’s National Health Stack Strategy document from July 2018.


The current framework for protecting telecom customers’ personal information/data is insufficient. To safeguard telecom customers from data misuse by a wide variety of data users and operators in the digital realm, all entities in the digital ecosystem that manage or handle their personal data ought to be subject to a data protection framework.

Following a Telecom Regulatory Authority of India (TRAI) consultation report on privacy released in July 2018 and a workshop held by TRAI Chairman in August 2020 with key industry players announcing the collaboration allowing telecom companies to become financial information providers and users in AA, DEPA is being launched in the telecom sector.


1. Role of the Consent Manager is unclear if legal basis for data processing is not consent: A safe and smooth mechanism to communicate data among institutions is the core goal of the DEPA architecture. Those who rely on consent as a legal basis for processing personal data can maintain and record consent.

Besides consent, the proposed data protection framework allows for other permissible grounds of processing. Further research should be done on the potential loss of control when relying on other valid grounds to see if the consent manager can help in this case as well.

2. Creation of self-regulatory organisations seems unfeasible: Self-regulatory organisations might complicate consumer issues. However, in practise, it may be challenging to balance the demands of Consent Managers, data providers, and consumers.

The DEPA also lacks formal data sharing guidelines for self- regulatory Organisations, consultation procedures, and a complaints mechanism. Regulators will play a crucial part in this and may be the determining authority, but the same has not been finalised.

3. Quintessential concern has to be the proper and smooth implementation of the present policy: To acquire consent, market players currently use One Time Password or click-and-browse agreements, as well as screen scraping and seeking secret passwords.

Companies have built goods and systems around the existing consent method; therefore, getting existing players to switch to DEPA will be difficult.

As every incumbent player has their own established mechanism, changing the framework will need creating new standard APIs to establish the common sharing mechanism. So, if DEPA becomes mandatory in each sector, numerous bottlenecks can be expected. Companies that use data as a competitive advantage are likely to want to avoid it.

DEPA is more likely to be adopted by banks and NBFC than by established e-commerce or social media companies. It remains to be seen how this will be implemented in other areas lacking organisation and oversight, and where data resources may be asymmetric amongst market participants.

4. Lack of clear guidelines/liabilities: The DEPA framework does not specify how the Data Principal will have visibility into any data processor that the data fiduciary engages. Particularly focusing on granularity of consent, the Data Principal must be able to know who has access to his or her data.

Further, the notification requirement under the Bill stipulates that the notice must contain the details of individuals and companies including other Data Fiduciaries or Data Processors with whom the personal data is shared. Moreover, there is no clarity as to the set technical standards for data storage and processing.

The DEPA is viewed as a well-intended measure to preserve fundamental rights of an individual. The emergence of the Internet services over the last decade resolved the lengthy issue of user openness and privacy. Legislative commenters and IT heads have praised the policy for addressing the elephant in the room.

The well-structured policy appears to address all issues that the individuals are facing now. DEPA has introduced an infrastructure which will empower several citizens and transform the traditional model of data usage.


In this framework, DEPA seeks to restore users control over their affairs. The users determine what data to share, with whom, and why. The proposed design protects privacy while fostering innovation, releasing the economic value of the data locked away in silos.

The RBI-backed DEPA model will update consent-based data sharing facilities and norms, much like UPI did for money transactions, DEPA is a new Indian form of data governance that can be shared with the globe.

It’s vital to remember that DEPA only deals with personal data; any derived or analytical non-personal data (NPD) can be handled by the system’s participants.  However, in terms of individual control, it does provide a level of control that has hitherto been unavailable. Furthermore, the AA structure has sparked interest among smaller players who are preparing to apply for licences.

However, while DEPA appears to be a good idea on the surface, it is pertinent to note that it is a time-consuming technique that requires practise in all areas before being implemented across the country. At the moment, there is no law in India that protects the data of Data Fiduciaries. DEPA is intrinsically tied to the Bill, and implementation of the DEPA will be difficult without it.

– Team AMLEGALS assisted by Ms. Unnati Jain (Intern)

For any query or feedback, please feel free to get in touch with or

Leave a Reply

Your email address will not be published. Required fields are marked *

Current day month ye@r *

© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.


Disclaimer & Confirmation As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:
    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.
However, the user is advised to confirm the veracity of the same from independent and expert sources.