How India can adhere to the Digital Personal Data Protection Act

In India, stakeholders are confused on how the recently established Digital Personal Data Protection (DPDP) Act will apply to parental consent and age verification requirements. A possible solution is for the nation to leverage India Stack’s APIs to enable data permissions for its citizens, according to The Hindu Business Line.

The DPDP Act requires the national government to establish the Data Protection Board of India. The board would hold standards for data fiduciaries in light of India Stack, the multi-layered DPI infrastructure that has slowly grown since the 2009 launch of the Aadhaar digital ID program.

India Stack consists of a set of open-source APIs and digital public goods to implement identity, data, and payment services to the general population to facilitate economic growth. As India’s DPI infrastructure developed, the country’s volume of data dramatically increased, creating a need for a corresponding regulatory framework.

The Data Empowerment and Protection Architecture (DEPA) is the framework behind the data layer of India Stack. It leverages APIs to empower citizens to control how their data is used.

An API acts as an intermediary between systems. It uses definitions and protocols to enable different apps to communicate with each other to achieve a function, sometimes while remaining completely invisible on the user interface.

One way an API can be used is by establishing layers of security between the requesting application and the infrastructure of the responding service by requiring authentication. When a website requests an individual’s location, for instance, a user has the option to allow or deny the request.

DEPA is designed to give citizens a secure way to share their data with third parties. Individuals must provide consent for each piece of personal information through a ‘consent manager,’ or an account aggregator. Users consent by signing a machine-readable e-document called an ‘artifact,’ that outlines how they want their data to be shared.

Currently, most applications of the consent manager system deal with the financial sector. However, in light of the DPDP, India could potentially adopt a similar manager for data beyond finance. The country may also benefit from adopting a framework similar to the EU’s European Digital Identity (eID), which enables minors to use a digital ID wallet to disclose their age without other data.

Article Topics

data protection  |  Digital Personal Data Protection (DPDP) Act  |  India  |  India Stack  |  legislation