Privacy checks can be built into software architecture

Source: Livemint

Relevance: Protecting Right to Privacy and enabling digitization

Synopsis: India’s Data Empowerment and Protection Architecture (DEPA) is becoming an important tool to strengthen the privacy framework in India. It not only gives us better control over our data transfers, but also covers nearly all the modern principles that are central to privacy.

Principles central to privacy laws

Central to privacy laws anywhere in the world is a set of principles that define how personal data can be collected and processed. These are:

  1. Notice and consent – provides for the informed consent of individuals before their data is collected or processed
  2. Purpose limitation – to ensure that the purpose for which data is collected is described clearly
  3. Data minimization – to collect only the limited set of data that is required to fulfil a specific purpose
  4. Retention limitation – to ensure that data is not retained for longer than is required to achieve the purpose
  5. Use limitation – to ensure that data is used only for the purpose for which it was collected.

Positives of DEPA

DEPA addresses three out of the five principles outlined above – Notice and consent clause, Purpose Limitation and data minimization. Let’s see how it does that.

  • Notice and consent clause principle: DEPA uses the MeITy electronic consent artefact to process data-transfer requests. What this means is that each time a data fiduciary makes a request for data, it has to state which specific data it needs, the purpose to which that data will be put, and the duration for which it will retain that data. As a result, every data-transfer request gives users due notice and can only be completed if consent is given for that specific request.
    • A consent artefact is simply a machine-readable electronic document that specifies the parameters and scope of the data share that a user consents to in any data-sharing transaction.
  • Purpose limitation and data minimization: Data-transfer requests under DEPA are based on pre-designed templates: data fiduciaries have to choose from a set of such templates. These templates are designed to cover a broad range of uses for which data might be requested, while still ensuring that only as much data as is necessary to fulfil those uses is requested.
    • By using consent templates, DEPA ensures that both the purpose limitation and data minimization principles are met.
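The template mechanism described above can be made concrete with a small model. The code below is an added illustration, not part of the original article or of any DEPA or MeITy implementation: the template definitions, the request and artefact field names, and the JSON layout are all constructed for this example and are not the MeITy consent artefact schema. It checks a data-transfer request against its template (purpose limitation, data minimization, a stated and bounded retention period) and only then issues a machine-readable consent artefact.

```python
"""Toy model of DEPA-style consent checks: a data-transfer request is validated
against a pre-designed consent template before a consent artefact is issued.

All template contents, field names and the JSON layout here are constructed for
illustration; they are NOT the MeITy consent artefact schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import json


@dataclass(frozen=True)
class ConsentTemplate:
    """A pre-designed template: the purpose it covers, the maximum set of data
    fields that purpose justifies, and the longest retention it permits."""
    name: str
    purpose: str
    allowed_fields: frozenset
    max_retention_days: int


@dataclass(frozen=True)
class DataRequest:
    """What a data fiduciary asks for in one transfer request (notice to the user)."""
    fiduciary: str
    template: str
    fields: frozenset
    purpose: str
    retention_days: int


# Constructed sample templates (hypothetical; not from any real DEPA deployment).
TEMPLATES = {
    "loan_underwriting": ConsentTemplate(
        name="loan_underwriting",
        purpose="assess creditworthiness for a loan application",
        allowed_fields=frozenset({"account_balance", "transaction_history"}),
        max_retention_days=90,
    ),
    "account_aggregation": ConsentTemplate(
        name="account_aggregation",
        purpose="display consolidated balances to the user",
        allowed_fields=frozenset({"account_balance"}),
        max_retention_days=1,
    ),
}


def validate_request(req: DataRequest, templates=TEMPLATES) -> list:
    """Return the list of violations; an empty list means the request conforms
    to its template (purpose limitation, data minimization, bounded retention)."""
    template = templates.get(req.template)
    if template is None:
        return [f"unknown template '{req.template}'"]
    violations = []
    # Purpose limitation: the stated purpose must be exactly the template's purpose.
    if req.purpose != template.purpose:
        violations.append("purpose does not match template purpose")
    # Data minimization: only the fields the template justifies may be requested.
    extra = req.fields - template.allowed_fields
    if extra:
        violations.append(f"fields outside template: {sorted(extra)}")
    # Retention must be stated up front and bounded by the template.
    if req.retention_days <= 0 or req.retention_days > template.max_retention_days:
        violations.append(
            f"retention {req.retention_days}d exceeds template limit "
            f"of {template.max_retention_days}d"
        )
    return violations


def issue_consent_artefact(req: DataRequest, user_id: str, today: date) -> str:
    """Produce the machine-readable consent artefact (JSON) for a request that
    passed validation and that the user approved. Raises if the request is invalid.
    Note: the artefact records purpose and retention, but nothing here enforces
    them after the data has been transferred."""
    violations = validate_request(req)
    if violations:
        raise ValueError("; ".join(violations))
    artefact = {
        "user": user_id,
        "data_consumer": req.fiduciary,
        "template": req.template,
        "purpose": req.purpose,
        "fields": sorted(req.fields),
        "retain_until": (today + timedelta(days=req.retention_days)).isoformat(),
    }
    return json.dumps(artefact, sort_keys=True)


if __name__ == "__main__":
    purpose = TEMPLATES["loan_underwriting"].purpose
    # Constructed over-broad request: an extra field and an excessive retention period.
    bad = DataRequest("LenderCo", "loan_underwriting",
                      frozenset({"account_balance", "transaction_history", "contacts"}),
                      purpose, 365)
    print("violations:", validate_request(bad))
    good = DataRequest("LenderCo", "loan_underwriting",
                       frozenset({"account_balance"}), purpose, 30)
    print(issue_consent_artefact(good, "user-42", date(2024, 3, 1)))
```

The validator only covers the three principles the article credits DEPA with; the `retain_until` date in the artefact is a recorded promise, which is exactly the gap in use and retention limitation that the article goes on to discuss.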
Inadequacies of DEPA

  • No protection after data is collected: DEPA does not seem capable of protecting what happens to the data after it is collected. There is nothing to prevent a data fiduciary (for example, a digital company) from using the data for other purposes or retaining it for longer than the agreed time.

Suggestions

  • Incorporate technological safeguards: If DEPA is to be an end-to-end solution for privacy, we have to incorporate technological safeguards that address the issues of use limitation and data retention as well.
  • Use innovative technologies: We need to use innovative technologies such as Confidential Clean Rooms, which restrict access to the data to the specific agreed purpose and also help address the issue of data retention.

Conclusion

India’s Data Empowerment and Protection Architecture offers a technological solution that embeds privacy principles directly into the technology architecture. Done right, this might well be the solution that regulators have been looking for.
