As data related to commerce and finance increasingly flows across borders, India’s success in building digital platforms that are open, identity-based, affordable, adaptable and accessible is receiving heightened attention – especially in the Indo-Pacific, the new arena for geopolitical and technological cooperation.
The India Stack and Modular Open-Source Identity Platform (MOSIP) encourages competition, innovation and inclusion while enabling developing countries to leapfrog the development phase for digital platforms as public goods. India’s Unified Payments Interface (UPI) payment protocol, part of the India Stack, is being offered to countries in the Middle East and South East Asia, including Japan. Now through MOSIP, the open-source, unique identity systems developed in India are being adopted and adapted by countries from Sri Lanka to Samoa and the Philippines, and from Morocco to Ethiopia. With the growing use of this technology among middle-income and developing countries, India has taken a step forward, developing a techno-legal architecture for empowering owners of data generated by and through these systems. Called Data Empowerment & Protection Architecture, or DEPA, it will ensure that individuals have control over their own information and data under laws that allow its use to be audited and managed.
Deployment of DEPA began in September 2021, with signs of early success in overcoming limitations of both the proprietary technology systems of the U.S., which come with a high financial cost, and of China, which carry a high geopolitical cost. Unlike those systems, DEPA vests ownership of data and control over its management and usage in its original owners, individual and collective, not in service providers.
This holds great importance in the Indo-Pacific, the world’s fastest-growing, most diverse and therefore most data-rich region. India has the second-most digitized citizenry after China, and Indonesia is the world’s third-largest user of social media,  while Kenya has overcome its lack of a robust banking system to become a global hub of fintech innovation. As countries like India and the U.S. aim to make the Indo-Pacific a free, safe and open region, the Indian system’s promotion of a free and open internet with individual ownership and control of data, can become the norms by which Indo-Pacific nations can stay secure and open.
The Principles of a techno-legal approach for managing data
DEPA is based on the principle that individuals or enterprises should own their personal information, and therefore have authority to allow or disallow its use for political or commercial purposes. It is a natural progression of the India Stack, an open API-(Application Programming Interfaces, that allow apps to talk to each other) based technology architecture that links India’s identity system to individual data, payments and government services. India Stack is already transforming India’s economy.
The four layers of the India Stack architecture
Source: India Stack
The presence-less layer is based on India’s Aadhar foundational identity; The paperless layer is based on digital storage, e-signatures and e-KYC; the cashless layer is based on digital payments, most notably the Unified Payments Interface (UPI) and the consent layer that enables the seeking of and managing consent is provided by the original owner of the data.
More commonly known as the ‘Consent Layer of the India Stack,’ Data Empowerment and Protection Architecture (DEPA) marks a paradigm shift in personal data management and processing that transforms the currently prevalent organization-centric system to a human-centered one. By giving people the power to control how their data can be used, DEPA is enabling the collection and use of personal data in ways that give individuals access to financial, healthcare, and other socio-economically important services in a safe, secure, and privacy-preserving manner. The increased portability of secure data is democratizing access especially to socio-economic services.
DEPA covers all asset, liabilities, and telecom data. Its guiding principles are:
- Restoring individual agency
- Promoting informed consent for every data transaction (rather than blanket consent for data use)
- Building in accountability for institutional data controllers (so consent is not the only backstop)
- Building an open infrastructure for data sharing (minimizing bilateral or closed-loop networks)
- Building incentive alignment between new public or private institutions and the needs of individuals around their data
- Ensuring accessibility and affordability of data-sharing
- Remaining technology agnostic (through open standards)
- Supporting data minimization
- Ensuring reciprocity of data use and data provision (institutions cannot be users of data in the system without also being providers)
- Enabling other key data rights
- Ensuring evolvability of technology and institutions by design; and using penalties as deterrents to data misuse where required.
A closer look at the Indian example
Over the last decade, India has disproven the notion that high-tech is just for the educated privileged and wealthy. With DEPA, it is now empowering individuals in the usage of technology and ownership of data. Its approach stands in sharp contrast to the corporation-centric approach of the developed west or the state-centered approach of China.
The first use cases for DEPA so far are in fintech – lending, wealth management, personal finance management – although similar services will soon be extended to the areas of health and education. DEPA is being rolled out for financial and telecom data in India through the creation of ‘account aggregators’ licensed by the Reserve Bank of India. These are regulated entities that, by digitally sharing financial data (based on consent provided by the owners of the data) across institutions ranging from banks to insurers to pension funds, facilitate access by individuals and small businesses to finance. Control of the information accessed by the account aggregators does not rest with them, but with the individual. Registering with the aggregator is voluntary and consent can be withdrawn at any time.
In India, only 8% of MSMEs have collateral and hence access to formal credit. Using an account aggregator, MSMEs can get short-term capital based on past turnover (seen through the Goods and Services Tax records) that helps demonstrate their future capacity to repay. Microcredit also can be available based on the flows of money in their bank accounts, past payments of Goods and Services Taxestelephone bills, and other data.
As of mid-November 2021, 70 financial institutions, including banks and insurance companies with about 300 million eligible accounts and eight licensed consent managers, have come together through DEPA and are averaging more than 1,200 consent requests every day. Investors say the speed is unprecedented: Bajaj Finserv can approve a consumer loan for a refrigerator or two-wheeler in India in 4 minutes. This is perhaps the fastest in the world; the closest competitor is China.
DEPA offers an opportunity to build a more robust financial ecosystem, in which financial institutions, regulators, finance ministries, and civil society can design new products and monetize financial predictions, analytics, and scoring. A data-protection authority and auditors for trust score mapping can emerge to complete the circle.
Situation in other developed countries
While data protection is an area of concern around the world, national approaches have been piecemeal, not comprehensive or multi-sectoral. Unlike India, most countries do not currently consider consent a paramount issue.
China’s Personal Information Protection Law, which came into effect November 1, 2021, offers a measure of security and privacy, but does not empower individuals concerning their own data; rather “personal information handlers” are empowered to assess and determine the use of the data – a very different concept from India’s system of ‘consent managers.’ In China, the government can use data for national security, developing Artificial Intelligence and other capabilities. China also has a Data Security Law, but its entire focus is national security and privacy, not empowerment. Beijing’s recent clampdown on companies like Alibaba and its Alipay subsidiary, which gave out small loans, raises significant questions about the role of the government in managing customer data and limits the ability of the company to deal with the data of citizens of countries where China has geopolitical ambitions.
In the U.S., platforms and enterprises have access and often ownership of personal data. The country has no national data protection law yet, though state laws exist; the California Consumer Protection Act gives consumers “more control over the information that businesses collect from them.” The absence of private ownership of personal data has resulted in a public debate on the necessity to reign in the big platforms and protect citizens’ data.
The European Union has a General Data Protection Regulation (GDPR) which protects consumers rather than empowers; it has no technological framework.
The UK is pushing Open Banking, but it is narrowly focused on banking. Open Banking is torn between the market and the regulators, has no common architecture and limited ability to scale up.
Australia, like India, has an interoperable technology infrastructure for governance. It is updating its Privacy Act and is leaning towards Europe’s GDPR to gain greater alignment with the EU on “trade in personal information.” For now, the framework is limited to certain sectors, mostly financial. The updated act is set to be discussed, tabled, and passed in 2022.
Japan has no legislation on data empowerment and protection.
Situation in developing Indo-Pacific countries
Objective 16.9 of the UN Sustainable Goals is designed to provide a legal identity system for all countries by 2030. One billion people possess no “official proof of identity”  and one of two women in low-income countries have none. Nearly a quarter of developing countries possesses no ID system at all, while others have ones that are partial or for specific purposes. None are open, open-source or ‘foundational’ – that is, not function-specific, multi-sectoral and interoperable for fundamental developmental purposes. The World Bank began its Identification for Development agenda in 2014, and an Asian Development Bank report in 2016 focuses on a foundational ID system for Asia and the Pacific in particular. The ADB report found that just seven countries in Asia and the Indo-Pacific – Cambodia, India, Indonesia, Malaysia, Pakistan, Philippines and Vietnam – had any kind of identification at various stages of adoption. Indonesia has an advanced biometric system but lags in other areas.
Small island nations are also lagging. Tonga legislated an ID system in 2016, but progress has been slow. Fiji initiated a rollout of an ID system only in 2019.  Larger countries like Nigeria have IDs, but as many as 30 national systems have no consolidation across sectors.
Some advances are being made. Vietnam announced this year it will advance to a chip-based ID card. The Philippines is deploying MOSIP, to enroll its citizens in future government schemes, India-style. The process of registering people is well underway, despite the pandemic. The Philippine Statistics Authority was able to set up registration sites nationwide, ensuring proper health protocols were followed and achieved its 2021 target of registering 50 million Filipinos for their National ID, using MOSIP, in under a year.
Imperatives for implementing DEPA
Countries of the Indo-Pacific region are looking at the Indian model because it is open-source, interoperable, auditable, and secure – and it enshrines individual rights, ownership, and empowerment. It has been tested on a continental scale and is starting affordable deployment in the Indo-Pacific region in financial services, government-subsidy schemes, health care, and education.
Moreover, it alone has a technological and legal framework around its ID system. A comprehensive framework will be available soon. This is essential to development and security individually, nationally and geopolitically, for several reasons:
- For the individual, it ensures the right to control how her/his own data shared and used.
- At the national level, it offers a crucial tool to speed up development programmes without compromising citizens’ rights.
- Geopolitically, it offers an alternative to the warfare and contestation that are coming to define the digital and cyberspace world, in which countries, state-sponsored hackers and terror groups are breaching and attacking networks, disrupting infrastructure operations, undermining democratic elections, creating global scams and thwarting national boundaries.
India can promote its digitalization-as-development experience to other countries in the Indo-Pacific. In 2020, the Ministry of External Affairs set up a new division called New and Emerging Technologies (NEST), but it does not include promotion of Indian-innovated digital public goods. A more salesman-like approach is needed.
Necessary first is the involvement of the NEST division and an updated I-TEC program. These provide training, engagement through pilot programs in relevant projects adjusted to local conditions, customer support and budgets, management and deployment.
Next, Indian missions abroad should familiarise themselves with the service, and drive it in concert with other like-minded missions that share the same goals. Multilateral and aid agencies and Exim Banks can be involved, and a common technology legal and policy architecture can be developed through central banks and the Bank of International Settlements.
As Amitabh Kant, the chief executive of Niti Aayog, states in his introduction to the draft bill of the Data Empowerment and Protection Architecture, “DEPA inverts the traditional Western model where data is simply used to advertise and sell products to one where data can be used to empower a billion Indians. It can show a new India Way on data governance that allows us to offer inclusive and affordable financial products that help businesses recover from the crisis and chart a path towards sustainable growth.”
Manjeet Kripalani is Executive Director and Co-Founder, Gateway House and Sanjay Anandaram is Executive Board Member, Modular Open Source Identity Platform.
This compendium has been published by Gateway House, with the support of the United States Embassy, New Delhi. Read the full compendium here.
The views and opinions expressed in this paper are solely those of the authors. The views expressed in the paper do not necessarily reflect those of the United States Embassy, New Delhi.
For interview requests with the authors, or for permission to republish, please contact firstname.lastname@example.org.
© Copyright 2022 Gateway House: Indian Council on Global Relations. All rights reserved. Any unauthorized copying or reproduction is strictly prohibited.
 World Bank. Identification for Development (ID4D) Global Dataset. http://data.worldbank.org/data-catalog/id4ddataset (accessed 1 February 2016).