The third and final piece of the India Stack puzzle focuses on establishing a new model for data governance in India. Enshrined in a policy framework known as the Data Empowerment and Protection Architecture (DEPA), the ‘data’ layer of India Stack aims to restore the ownership and control over user data to its rightful owners.

The past decade has seen the global conversation around individual privacy and data ownership change in a significant way. Seminal pieces of legislation like the General Data Protection Regulation (GDPR) in the European Union, Open Banking in the UK, and the California Consumer Privacy Bill in the United States have sought to empower individual citizens with agency and control over their personal data. DEPA represents India’s attempt at creating ‘a secure consent-based data sharing framework’ to accelerate the financial inclusion of its citizens.

Where Aadhaar first helped seed India’s economy with hundreds of millions of new economic participants with bank accounts, UPI then gave those account holders an easy and cheap way to transact digitally. In similar fashion, the third layer of India Stack helps those same account holders to leverage the data trail they leave behind as they go about transacting and operating in the digital economy.

At its core, there are three main pillars that make up the DEPA framework.

A landmark Personal Data Protection Bill which, for the first time ever, gives Indian citizens a numbers of rights pertaining to their data

An electronic consent artefact, which establishes a standardised and programmable digital template for capturing user consent to share their personal data with third parties

A new category of regulated entities known as ‘consent managers’ (in the Financial Services sector these will be known as Account Aggregators). These AA’s are tasked with playing the role of traffic cops in a typical data value chain. They provide an interface to facilitate the ‘easy sharing and consumption of data from various entities with user consent’.

India has so far lacked a mechanism for sharing data between individuals and institutions in a secure, standardised manner. Typically this has led to a reliance on antiquated data sharing practices like screen scraping or manual printing and scanning of sensitive information like bank account statements or utility bills. In financial services in particular, the lack of an efficient apparatus for aggregating personal data has made it unviable for financial institutions to cater to the individuals and businesses that need it most.

The Account Aggregator framework seeks to change that by providing a catalyst for India’s new data democracy, where the time and cost of retrieving and sharing user data will no longer be a hindrance in building sustainable financial products. Consumers can approve/manage/revoke all their consent agreements in one place, while at the same time institutions can clearly define their data requests at a granular level. For the first time, individuals and businesses have the ability to prove any data about themselves in a permissionless and verifiable manner.

The entire AA system is interoperable by design, so a service provider that integrates with one AA app can make data requests to users of any other app too. This takes away the need for custom integrations with different banks, and it also gives users the freedom to use whichever AA they want to.

While initially earmarked to be piloted in the financial services industry, the grander vision is to enable consent-based data sharing across a number of important sectors like healthcare and e-commerce where ordinary citizens will have the ability to leverage their own data to avail of relevant products and services like loans, telemedicine, portfolio advisory and a litany of other use cases that are waiting to be developed.