For registration call @ 9958826967

Data Empowerment and Protection Architecture (16 September 2020)

Data Empowerment and Protection Architecture (16 September 2020)

Why in News:

Data Empowerment & Protection Architecture (DEPA) Draft has been prepared and put in public domain by NITI AAYOG. 


NITI Aayog has released a framework on Data Empowerment and Protection Architecture (DEPA) which it calls a “consent-based data-sharing framework to accelerate financial inclusion”. The apparent aim of this framework is to allow people to access their data and securely share it with third party institutions.


With various initiative of the government like PM Jan Dhan Yojana and with various other schemes, added information are being generated and there have been various cases of misuse of data without the consent of the ultimate data users.

Lending companies use a host of mechanisms to obtain data about users from different sources and in particular.

The kind of consent structure that India have is in the very fine print of font eight and three page long consent which nobody really reads. With this kind of background, government setup the Shri Krishna Committee.

The committee's recommended on several key issues such as consent, setting up of a data authority, definition of personal data and sensitive personal data along with data localization.

In a country like India with many unique challenges, people leverage their data base, but leverage in a responsible manner. Thus, a framework on Data Empowerment and Protection Architecture (DEPA) was released by NITI Aayog to allow people to access their data and securely share it with third party institutions.

Summary of the Debate

Present infrastructure of Data Protection:

  • On 24 August 2017, a nine-judge bench of the Supreme Court in the case of Puttaswamy v. Union of India has declared that the right to privacy is a fundamental right protected under Part III of the Constitution of India.
  • A committee headed by retired Supreme Court Judge Justice BN Srikrishna Committee was constituted by the union government in 2017, to deliberate on a data protection framework.
  • The committee submitted its report on "Data Protection Framework" to the Government in July, 2018.
  • The committee has suggested measures to be taken when it comes to protecting personal information of Indian citizens, the role and duties of data processors, and the rights of individuals. The report also talks about the penalties that should be imposed for violation of these data protection measures.
  • The Personal Data Protection Bill 2019 (PDP Bill 2019) was tabled in the Indian Parliament by the Ministry of Electronics and Information Technology on 11 December 2019. As of March, 2020, the Bill is being analysed by a Joint Parliamentary Committee (JPC) in consultation with experts and stakeholders.

Key Features of DEPA:

  • It aims to provide a safe and trusted sharing of data in which privacy is preserved.
  • Itempowers individuals with control over their personal data, by operationalising a regulatory, institutional, and technology design for secure data sharing and also to seamlessly and securely access their data and share it with third party institutions.
  • The DEPA will be implemented by RBI, SEBI, IRDAI, PFRDA and the Ministry of Finance.
  • The consent given under DEPA will be free, informed, specific, clear, and revocable.
  • The report mentioned the three key building blocks required toempower individuals with their data:
    • Enabling regulations
    • Cutting edge technology standards
    • New types of public and private organisations with incentives closely aligned to those of individuals

Private Consent Manager institution:

  • The idea of consent manager came from the idea of an ‘’Account Aggregator’’ which was introduced by RBI in 2016 and based on the Right to Privacy judgement by Supreme Court which created certain rights for the Indian citizen such as Right to Data Portability, Right to data-minimization, etc.
  • The whole idea of a Consent Manager is to ensure sharing of data in a secure and seamless manner and keeping mind of the fact that this Consent Manager is not supposed to store the data in the system, they have to just allow transfer of a data from a financial information provider to a financial information user.
  • The individuals can give consent as per MEITY-defined standards that use standard application programming interfaces (APIs) such as the ones used in RBI’s Account Aggregator ecosystem.

            Data Empowerment & Protection Architecture (DEPA)


Implementation is one aspect where one has to look into it. But this effort to regulate this immense data generation will determine the answer to business, to economy, to citizens right, to national security at the same time and individual privacy. This approach will lead to a greater digital transparency and will involve various players.

Important points made by the Guests

Anna Roy, Senior Advisor, Niti Aayog 

  • Digital India initiative added responsibility of dealing responsibly with data becomes a priority.
  • The government has been very conscious that there should not be any data misuse. At the same time, we should be in a position to leverage this very important asset. In India, lots of data are being generated, we have over 1 billion Aadhar users, 1,176 million(2018) mobile users and we also generating lots of data not only in the financial sector but also in another sector.
  • The guidelines of the DEPA refer to different organs which is open, auditable and also revocable, the revocable is very important thing because if a person giving its consent today then it should not mean it is irrevocable.
  • The five principles on which this architecture is based is very broad based and addresses all concerns. The roadmap in India is basically to create a value proposition in the framework rather than do it through dictate, for example; In UK, there is an open banking where they forced their bank to share data. But in India, we want to have a value proposition where people on their own will be incentivize to be part of the system and willing to share the data whenever they see value in it.

Pritish Mishra, India Legal Counsel, Tala 

  • The basic idea behind this DEPA report is to ensure seamless and a secure based sharing of data between one party to another.
  • Looking at the current digital records due to the advent of internet and penetration of internet connectivity across different spectrums of India, each individual is generating a huge amount of digital ledger and record of themselves and it is very important to ensure that these citizens have control over the data and they should know how exactly their data are being used as far as they can use this data to empower themselves.
  • So, basically the idea behind this DEPA is to make sure that there is a secure data sharing framework based on a very strong consent-based framework which is taken care in DEPA report.
  • We also have to make sure that if there is any sharing of data across different parties, it is done by a certain entity, a ConsentManager. The entire idea is to ensure that this data can be used by citizen of the country to make their life better and to empower themselves financially, economically and digitally.
  • The idea behind the guiding principal of this DEPA is 'evolving', since this is something which has been tried out in the financial sector primarily. We are moving towards health sector as well as telecom sector later on.

  Khushbu Jain, Data & Social Media Law Expert

  • In the absence of Data Protection Bill to come in place and to take a form of act or in the absence of National Health Mission, the DISHA which was replaced, in the absence of these two to come in place and in the existence of few guidelines under the IT Act where the critical and sensitive data of a person is safeguarded. There is huge potential as far as data generation is concerned.
  • The lending company used a host of mechanism to obtain data of users from different sources.
  • The DEPA will bring in the consent aspect that is, it is essential that users provide consent to the service provider or the data provider before sharing any data to any third party or with the provider who is requesting access to that specific consent.


Upload File