A proposed government framework for financial services aims to improve data protection while fostering business innovation
Indians are consuming more data today than ever before, thanks to growing smartphone sales, internet penetration, and low data charges. In doing so, they are also generating and sharing more data about themselves than ever before. Who they are, how much they earn, where they spend… There’s data there that benefits corporations selling products and services. There’s also data that can help individuals get a better deal on, say, loans and insurance.
With the latter in mind, Niti Aayog, the government’s main think-tank, last month released a discussion paper on a new data-sharing framework. The Data Empowerment and Protection Architecture (DEPA) seeks to accelerate financial inclusion by advocating sharing of data by users for their good, on their terms. Even if initially adopted for financial services, DEPA has the potential to be adapted to more domains.
DEPA challenges many current ways of thinking about data sharing and data protection globally. At one extreme is the European philosophy, which is geared towards protecting user data, often at the cost of business innovations. DEPA says this approach would be counterproductive for India, a developing country. A case in point is street vendors. Today, they are unable to prove their creditworthiness to access a bank loan. But what if they could use mobile payment systems to show daily cash flows, which would get them an online loan?
At the other end is the American way, which is geared towards tech businesses and innovation, but raises questions on whether those businesses have too much power and whether they will use it responsibly. DEPA seeks to address this by defining who has access to data and by making user consent the key.
DEPA proposes a new set of entities to manage user consent, called account aggregators. They will act as intermediaries between information providers (say, banks) and information users (say, robot advisors). While account aggregators will manage the flow of user data, they won’t have access to it. DEPA, however, doesn’t cover data misuse by the giver (here, banks) or receiver (here, robot advisors).
Across the world, there’s a tradeoff between efficiency and innovation on the one hand, and the risk of misuse, security, and privacy violations on the other. Take a mobile app that rewards you for paying credit card bills. It takes your consent to scan your email and fetch your outstanding bill. But what if it starts compiling your individual transactions, and selling that information to others?
What if such data get stolen in a data breach? In 2019, in the United States, an advanced tech market, there were 1,473 instances of data breaches, according to the Identity Theft Resource Center, a US non-profit. These exposed about 164 million sensitive records and 705 million non-sensitive records.
The urgency to get it right is greater for India as it doesn’t fare well in controlling data breaches. A 2020 study of 17 geographies done by Ponemon Institute for IBM Security shows India to be the fourth-worst in time taken to identify and contain a data breach. A data breach in India, on average, lay exposed for 313 days.
In most countries, data sharing has driven economic growth and innovation. Chinese superapps WeChat and Alipay are dependent on extensive data sharing in the ecosystem. In the US, large banks are forging data-sharing deals with other companies. In Africa, fintech innovations have happened on the back of data sharing.
Rather than let the private sector drive the technology, some governments have sought to impose standards, even cooperation, through regulations and frameworks. For example, the European Union (EU) passed its Payment Services Directive (PSD2) to harmonize payments regulations across EU countries, giving customers more control over their banking data.
How each country approaches data protection differs depending on its needs and dominant worldview. In India, while the Information Technology Act 2000 offered some data protection, the government’s own experience in digital technology over the last decade forged this framework. It started with Aadhaar in 2010. Then came eKYC in 2012, a way to digitally share data from the Aadhaar database that allowed banks and telecom companies to onboard customers faster, but raised questions on data security and protection.
Even when data-protection frameworks look alike, how well they work depends on the technical, legal and institutional capacities of different countries. In India, the lack of consumer education has created issues even with money transfer, which most users approach with greater caution. For example, in the Unified Payments Interface (UPI) system, many customers have fallen for scams.
Comparitech, a UK-based pro-consumer website, examined data protection laws and institutions of several countries on 14 dimensions. Most countries fell short of acceptable standards. India’s overall score showed a “systemic failure to maintain safeguards”.
How well the technology works depends on the broader ecosystem. In that, India has a long way to go.