Impact of the DPDP Act 2023 on the Account Aggregator (AA) Ecosystem

28 Sep 2023

Rahul Matthan, Founder-Partner and Head of the TMT practice at Trilegal Partners, and Siddharth Shetty, Architect and Co-Author of the Data Empowerment and Protection Architecture (DEPA) and co-founder of Sahamati, had a conversation on the recent Digital Personal Data Protection Act 2023 and its impact on the Account Aggregator (AA) ecosystem. Read about the themes the conversation delved into:

India’s Journey towards Data Governance

The journey towards engendering a data governance regime in India dates back to the early 2010s, when the discussions around privacy and data protection began. During this formative period, a basic draft of a data protection law emerged in 2011-2012. It remained relatively simplistic, reflecting the country’s nascent state of data protection awareness. The landscape had evolved significantly by 2018, by which time India had engaged in a rigorous debate surrounding data protection and privacy, primarily in the context of Aadhaar.

Meanwhile, Europe enacted the General Data Protection Regulation (GDPR), becoming a global benchmark in data protection regulation. Consequently, the 2018 draft of India’s data protection law drew inspiration from the GDPR and its comprehensive regulatory framework. Subsequent iterations of the draft, which spanned from 2018 to 2022, grew increasingly complex as they sought to address various aspects of data protection in an ever-evolving digital landscape. By 2021-2022, Europe saw a noticeable shift, with some pushback against overly stringent regulatory frameworks.

In parallel to these developments, India witnessed the emergence of its digital public infrastructure, driven by private entities. This unique dynamic led to the inception of the Data Empowerment and Protection Architecture (DEPA), introducing the concept of empowerment within the Indian context.

The 2022 draft of the data protection law reflected this shift in perspective, placing greater emphasis on empowerment while mirroring the European focus on data subjects’ rights. Ultimately, this approach culminated in the enactment of the Digital Personal Data Protection (DPDP) Act in 2023, hailed as one of the most robust pieces of data protection legislation in India’s history.

With its strong articulation of data protection principles and empowerment, this Act represents a pivotal moment in India’s journey towards comprehensive data governance. It harmonizes the need for privacy with the digital public infrastructure and sets the stage for the Account Aggregator ecosystem’s role in shaping India’s data landscape.

Building Trust in the Digital Economy

It’s important to delve into the significance of the Digital Personal Data Protection (DPDP) Act and understand its role in building trust within the digital economy. Drawing parallels with GDPR, it becomes evident that regulatory measures can have unintended consequences on competition and market dynamics. In contrast to the initial doubts surrounding RBI’s introduction of Two-Factor Authentication (2FA) norms, the move has since enhanced trust in digital transactions significantly, keeping fraud rates in India the lowest globally.

Data protection and empowerment are crucial in fostering trust within the digital economy. Initially, there was resistance and skepticism regarding the need for such regulations. Still, global events like the Snowden revelations, and incidents like Brexit and Cambridge Analytica, underscored the potential harm arising from unregulated data use. The accumulation of data in the hands of a few entities can lead to misuse and harm. Internationally, a growing consensus has emerged on regulating data use to mitigate these risks.

India recognized its rapid digitization and the impending wealth of data, necessitating a dual approach that aims to prevent harm while enabling individuals to harness the value of their data. Over time, this perspective evolved, as seen in milestones like the right to privacy judgment, which acknowledged data’s value and potential benefits. The need for data regulations arises from the realization that leaving data management entirely to the market can lead to market imperfections and misalignment with societal objectives. Regulations provide a framework to ensure innovation aligns with broader societal goals, promoting trust in the digital economy.

Individual Consent and Fiduciary Accountability

The Act centrally focuses on its approach to consent, which is intricately linked with accountability. It acknowledges the crucial role of accountability, especially concerning data fiduciaries, the entities that store, manage, use, and safeguard customer data. These data fiduciaries are the processors and custodians of personal data and are therefore the parties held accountable for how it is handled.

The traditional consent model, characterized by lengthy consent forms, left individuals with minimal agency. Consent alone does not absolve entities of their responsibility to act ethically and prevent harm. In the DPDP Act, consent is approached with a strong focus on individual agency while concurrently introducing accountability. The Act seeks to strike a balance where consent is meaningful, individuals retain agency, and data fiduciaries are held accountable for their actions, ensuring ethical and responsible data processing.

This contemporary approach to data regulation underscores the imperative need for consent and accountability to work in tandem. Historically, consent has been treated as a checkbox exercise, resulting in individuals encountering lengthy privacy policies without fully grasping their implications. This approach has led to “consent fatigue,” where individuals are inundated with consent requests. Additionally, the digital era’s data-centric nature has created a “consent paradox” where individuals need extensive information for informed consent, yet too much information can be overwhelming.

To surmount these challenges, a more effective approach to consent is proposed. It emphasizes providing real-time, granular, and specific consents that are relevant when needed. This approach aims to address the consent paradox and fatigue. However, its successful execution requires vigilance, as a poorly implemented system could rekindle previous issues. Electronic consent is a promising development that requires continuous monitoring and improvement to avoid repeating past mistakes.

Techno-Legal Approach

India’s data protection regime, introduced in 2023, faces a unique situation compared to regions like Europe and the US. India lacks the institutional infrastructure for effective data fiduciary management and data rights enforcement, making it crucial to innovate in compliance. Implementing the Act in a country with tens of millions of companies and a population of 1.4 billion individuals is a significant challenge. Traditional methods of legislation implementation would lead to overwhelming disputes and bottlenecks due to the vast scale of the task.

Transitioning to compliance involves a fundamental shift in how organizations handle data, departing from outdated practices like purchasing data sets for sales calls. While this transition may lead to initial legal disputes, it’s necessary to modernize the system. However, merely eliminating old practices isn’t enough. Businesses need alternatives and incentives to change. India’s digital public infrastructure can play a pivotal role by facilitating consented data sharing, benefiting businesses and individuals.

The DPDP Act of 2023 aligns seamlessly with the Data Empowerment and Protection Architecture (DEPA), particularly its consent artefact. DEPA represents a techno-legal approach that translates the Act’s principles and policy into code-based standards governing data activities, and those standards provide a foundation for operationalizing the Act effectively. This also empowers individuals with granular control and real-time data access, enabling informed decisions and fostering trust in the digital ecosystem.

Enforcing the law requires a balanced approach with penalties for violations and incentives for compliant behavior. The DEPA framework and the DPDP Act 2023 can bridge the three-decade gap, ushering in a more efficient, compliant, and user-centric data governance model.

Consent Managers & Consent Templates

An exciting development in the DPDP Act 2023 is the recognition of consent managers as a distinct class of entities. This shift marks a promising step in establishing a robust and effective data protection regime in India, encouraging innovative solutions and dynamic implementation of data protection principles. Consent Managers have been implemented within the financial ecosystem through the Account Aggregator (AA) framework.

The privacy principles outlined in most privacy laws, including the DPDP Act, involve notice, consent, purpose specification, data minimization, and data retention. In the AA ecosystem, consent templates (CTs) facilitate operationalizing these principles by enabling organizations to comply effectively with statutory obligations.

CTs ensure data collection aligns with the intended use and enforce data minimization by specifying the data needed to fulfill those purposes. Consent templates simplify the consent process, ensuring individuals have transparency and control over their data and addressing consent fatigue and complexity. Thus, CTs are instrumental in translating the abstract concept of notice and consent into practical digital tools.

Implementing these constructs requires collective efforts from the ecosystem, including crafting consent templates that reflect these principles. Rather than reinventing the wheel, organizations can leverage the tools provided by the AA ecosystem to shape their workflows in compliance with the DPDP Act.

Way Forward

There is an imperative need for different market players across ecosystems to collaborate and align their workflows with the principles of the DPDP Act. This collaborative effort is essential to ensure that templates and practices are compliant and customer-centric, considering various use cases and domains.

With the evolution from the launch of DEPA in 2017, which provided the technical tools and standards, to the development of institutional frameworks like consent managers and account aggregators, and finally to the enactment of the DPDP Act, which provides the overarching legislative framework, the data governance regime has come full circle.

The DPDP Act can extend the impact of AAs beyond finance, opening up possibilities for sharing data in various sectors while ensuring data protection and privacy. This transition allows market players to innovate and offer new data governance tools and services that align with the changing landscape. The confluence of legal and technological perspectives is vital in navigating the evolving data protection and privacy landscape.