Why in News?
India’s evolving data governance landscape is transitioning towards a consent-based data-sharing model that prioritizes user empowerment, transparency, and interoperability.
The Account Aggregator (AA) framework and the recently enacted Digital Personal Data Protection (DPDP) Act, 2023 both reflect this transformative shift.
What’s in Today’s Article?
- The AA Framework - Consent-Driven Financial Data Sharing
- The DPDP Act, 2023 - Broadening Consent Management
- Draft DPDP Rules, 2025 - Key Provisions and Recommendations
- Towards a Unified Data Ecosystem - The Way Forward
- Conclusion
The AA Framework - Consent-Driven Financial Data Sharing:
- Key features:
- A multi-regulatory initiative led by RBI, SEBI, Insurance Regulatory and Development Authority of India (IRDAI), Pension Fund Regulatory and Development Authority (PFRDA), and Ministry of Finance.
- Operationalised under RBI’s NBFC-AA Master Directions, 2016, it enables secure, real-time, and machine-readable sharing of financial data (banking, loans, tax, investment, pensions).
- It empowers users to give, manage, and withdraw data sharing consents, and currently functions at population scale, promoting efficiency, productivity, and customer-centric
- Significance of the framework:
- It promotes digital economy, financial inclusion, data protection, and e-Governance.
- It demonstrates inter-agency coordination and the move towards a data fiduciary model.
The DPDP Act, 2023 - Broadening Consent Management:
- Core provisions:
- Introduces Consent Managers (CMs) to enable individuals (Data Principals) to control their personal data across sectors.
- Aligns with AA’s core principles - explicit, informed, and revocable consent.
- Applicable across sectors: Health, education, employment, digital commerce, etc.
- Techno-legal architecture:
- Emphasizes user-centric data flow.
- Operates through intermediaries registered with the Data Protection Board (DPB).
Draft DPDP Rules, 2025 - Key Provisions and Recommendations:
- Highlights of the draft rules:
- Mandatory DPB registration: Ensures accountability and standardization across all CMs.
- Sector-specific consent managers:
- Supports domain-specific frameworks like the Financial Health Records (FHR) under National Health Authority (NHA).
- Encourages innovation through interoperable APIs.
- Commercial arrangements with data fiduciaries:
- Allows sustainable business models for CMs.
- Emphasizes that fiduciary duties toward Data Principals must not be compromised.
- Critical recommendations:
- Avoid regulatory overlap with AA.
- Ensure alignment between sectoral frameworks and the broader DPDP architecture.
- Build a future-ready, unified consent infrastructure.
Towards a Unified Data Ecosystem - The Way Forward:
- Synergy, not redundancy:
- Leverage the maturity of the AA ecosystem to inform the rollout of the CM framework under the DPDP Act.
- Promote interoperability and avoid parallel regulatory setups.
- Significance: This will reflect India’s approach to data sovereignty, digital empowerment, and governance reform.
Conclusion:
India stands at a crucial juncture in shaping a robust, user-centric data governance framework. By integrating lessons from the AA model and ensuring coherence in implementing the DPDP Act, the country can pioneer a scalable, secure, and inclusive consent-based data-sharing infrastructure.
This will be crucial for both digital inclusion and data protection in the 21st century.
