India: Proposed unique data sharing framework in the FinTech sector
In August 2020, the National Institution for Transforming India ('NITI Aayog') released a draft framework on the Data Empowerment and Protection Architecture1 ('the Draft') in consultation with four Government regulators: the Reserve Bank of India ('RBI'), the Securities and Exchange Board of India, the Insurance Regulatory and Development Authority, and the Pension Fund Regulatory and Development Authority and the Ministry of Finance. The Draft is out for public comments until 30 November 2020. Inika Charles, Aaron Kamath, and Gowree Gokhale of Nishith Desai Associates discuss the Draft, how it will work, and when it will be implemented.
Through the Draft, NITI Aayog aims to institute a mechanism for secure consent-based data sharing in the FinTech sector, which they believe will be 'a historic step towards empowering individuals with control over their personal data.' The Draft aims to build over existing regulation by the RBI on 'Account Aggregator' ('AA') models, through which individuals will be able to share their financial data across banks, insurers, lenders, mutual fund houses, investors, tax collectors, and pension funds in a secure manner. While this document released by the NITI Aayog is focused on the implementation of the Draft in the financial sector alone, a similar framework has been proposed to be introduced across all sectors, beginning with the health and telecom sectors.
What is the Draft trying to solve?
NITI Aayog recognises that while companies benefit from individual's data, individuals and small firms do not reap the same benefits. To summarise, the Draft aims to:
- restore autonomy and user control over their personal data in a practical manner, and with their informed consent;
- build-in accountability for institutional data controllers, and an alignment between new public or private institutions and the needs of individuals around their data;
- make personal data more accessible and affordable to access by breaking down data silos, whereby the Draft would enable personal data to become an important, reusable resource accessible to all with appropriate permissions, and aims to reduce lengthy practices such as notarising physical documents, sharing documents in person, email attachments, browser uploads, etc;
- create a shared open, technology agnostic infrastructure to enable a decentralised management of personal data, allowing interoperability and easier data portability, and ensuring reciprocity of data use and of the provision of data;
- promote data minimisation, whereby only data necessary for the purpose at hand is shared; and
- promote financial inclusion. As per the Draft, the undocumented financial background of individuals in poverty prevents them from accessing financial products such as insurance and credit for businesses. The Draft would collect this previously undocumented data which can then be further shared to give such individuals access to financial products, and would lead to such individuals having a credit score, access to wealth management, and robo-advisory for financial products, for example.
How will it work?
Source: NITI Aayog: Data Empowerment and Protection Architecture
As depicted above, the Draft will create new entities known as consent managers. The introduction of consent managers has also been suggested in the Personal Data Protection Bill, 2019 ('the Bill'). Consent managers in the financial sector will regulated as AAs by the RBI, and a non-profit collective or alliance of these players will be created called the DigiSahamati Foundation ('Sahamati'). The RBI defines an AA as one that undertakes the 'business of providing under a contract, the service of, retrieving or collecting such financial information pertaining to its customer, as may be specified by the Bank from time to time.' Sahamati, on the other hand, is a collective of the AA ecosystem, involved in the implementation of the Draft and the AA framework.
The Draft also proposes to make the model of a consent manager financially viable, with the possibility of the consent manager charging a nominal fee for data exchange.
Consent managers are to be 'data blind,' and only act as a conduit for encrypted data flows. While NITI Aayog does not explain the process in detail, as per the above, it appears that consent managers will manage requests for personal data, facilitate consent for such a request, and once the appropriate consent (as per the below standards) has been procured, will access the requested information and share it with the requester. The Draft has also clarified that the authorisation process will be centralised, enabling the free flow of consent between the information provider and the information user. The Draft also stresses on the importance of portability, allowing individuals to easily switch their consent manager as per their preference.
Standards of consent
As per the Draft, the consent to be taken from individuals for the provision of their data builds on concepts introduced in the Bill, and must:
- follow open standards (ensuring all institutions use the same approach interoperably);
- allow individuals to revoke consent at any stage;
- be granular (consent provided for each time individuals share data, and stipulates how long data can be accessed, etc.);
- auditable (in machine readable logs of consent provided using consent logs issued by the Ministry of Electronics and Information Technology ('MeitY');
- provide notice (through email, SMS, in-app notice, and other notification mechanisms) to all parties when consent is taken or revoked, and when data has been requested, sent or denied; and
- be secure by design, where there must be end-to-end security of data (PKI, DSC, tamper detection) and it must be network agnostic and data-centric.
APIs for data sharing
The Draft prescribes that common Application Programming Interfaces ('APIs') be adopted to enable a seamless flow of and encrypted data flow in response to data requests. Institutions (such as banks) adopting the Draft's APIs can provide data in a machine-readable format to all licensed consent managers, who will then provide the data to the information requester upon receipt of appropriate consent. The Draft is the 'final layer' of ‘IndiaStack2,' a set of Government issued APIs available for use by the private sector.
How will it be implemented?
It appears that the Draft is to go live in the financial sector in 2020 under the joint leadership of various Indian Government ministries across the finance, banking, securities, insurance, and pensions sectors, and is also being piloted in the health and telecom sectors. Though there does not appear to be any implementation framework released for the Draft to go into fruition. The Draft also mentions that Goods and Services Tax will be the first government department to become an information provider in the Draft framework. The intention is to flexibly apply the Draft in various sectors, where its implementation will be led by specific institutions to tailor its implementation.
While the AA framework has now been fully implemented by the RBI, there have been no updates post the release of this document on the status of the Draft, or on the integration, or statements made by sectoral regulators (such as the Telecom Regulatory Authority of India) on the implementation of the Draft.
We appreciate that the Draft is a strategy document that sets out the framework for the Draft. While NITI Aayog goes into much detail on the motivation behind the introduction of the Draft's platform, the exact process of how the architecture would be implemented is yet to be detailed beyond the diagram and concepts that have been provided. In order to fully implement the Draft, the relevant Government regulators and ministries would be required to release an implementational framework and guidelines that lay down the processes for the information flow under the Draft, and provide clarity on points such as the below:
- How would the eventual Draft Framework (when released) be read along with RBI's regulations on AAs? Would all AA's qualify as 'consent managers' by default?
- Who are the information users that will be able to make a data request? Are there criterion to be fulfilled in order to be able to make a data request?
- Would information users qualify as ‘data fiduciaries’ (akin to data controllers) under the Bill?
- On what basis can data requests be made? Would this be taken care of in the consent and notice requirement?
- What are the guidelines under which consent managers will function? Will the Bill and the Data Protection Authority of India to be constituted thereunder regulate consent managers?
- What are the standards of encryption to be adopted by consent managers?
- What are the costs that will be involved to integrate into the Draft's Framework, and whether the Draft will bring down any existing costs for consent acquisition?