New NITI Framework may Help Improve India’s Data Protection Standards

Newspaper Rainbow Series     16th September 2020     Save    

Context: NITI Aayog, the Government’s main think-tank, last month released a discussion paper on a new data-sharing framework.

Concerns of misuse, security, and privacy violations

  • Increase in data breaches:
  •  In 2019, in the United States, an advanced tech market, there were 1,473 instances of data breaches
  • Slow Response: A 2020 study of 17 geographies done by Ponemon Institute for IBM Security shows India to be the fourth-worst in the time taken to identify and contain a data breach.
  • Lack of consumer education: In India, the lack of consumer education has created issues even with money transfer, which most users approach with greater caution.
  • Systemic failure in maintaining safeguards.

Data Sharing and Economic growth

  • Positive Correlation: In most countries, data sharing has driven economic growth and innovation. 

Legislative Provisions and Evolution of Data Protection in India:

  • In 2000: The Information Technology Act 2000 offered some data protection.
  • In 2010: First Aadhar number issued -  kickstarted nationwide debate on data protection and privacy.
  • In 2012: eKYC launched; first large scale, state-driven consent-based sharing of data.
  • In 2015: DigiLocker launched; expanded consent-based data sharing of documents and certificates.
  • In 2017: DEPA was unveiled, Supreme Court declares privacy as a Fundamental Right.
  • In 2018: Justice B N Srikrishna Committee submits its report and draft law on data protection.
  • In 2019: Account aggregator model launched.

Benefits of Data Empowerment and Protection Architecture (DEPA)

  • Positive Correlation with economic growth: In most countries, data sharing has driven economic growth and innovation. 
    • From super apps in China to banks in the US, to fintech companies in Africa.
    • Financial Inclusion:  seeks to accelerate financial Inclusion by advocating the sharing of data by users
  • Challenges current global thinking about data protection: 
  • European philosophy, which is geared towards protecting user data often at the cost of business innovations – 
    • DEPA says this approach would be counterproductive for India, a developing country. 
  •  The American way, which is geared towards tech businesses, and innovations, but raises questions on whether they have too much power and if they will use it responsibly- 
    • DEPA seeks to address this by defining who has access to data and by making user consent the key.
  • Managing the user consent: DEPA proposes a new set of entities to manage user consent called account aggregators
  • While account aggregators will manage the flow of user data, they won’t have access to it
  • DEPA, however, doesn’t cover data misuse by the giver (here, banks) or receiver (here, robot advisors).

Conclusion: Even when data-protection frameworks look alike, how well they work depends on the technical, legal and institutional capacities of different countries.