“IndiaStack” as a name evolved for the set of modules and APIs (Application Programming Interfaces) that started with the creation of India’s Aadhaar in 2009, the foundational ID for each resident of India. Over time, additional layers of the stack got added that provided for a cashless, presence less, paperless and consent based set of interactions. The architectural principles of “India Stack” are being adopted and adapted into areas as diverse as drones, financial inclusion and healthcare.
iSpirt is a non-profit organization set up in Bangalore in 2013 by volunteers committed to societal transformation using software and digital public platforms. Its members include many that helped design, develop and deploy different elements of the India Stack. It currently has over 100 volunteers who work on a pro-bono basis on different projects at different points in time. People join, volunteer on specific projects and initiatives, move on and may re-join.

India, from the start, decided to approach digital platform governance in a different way than other countries. The Chinese model is where the state exercises a blanket governance. In the U.S. model, this is driven by the private businesses with oversight by the law and Congress. Within the EU, they are searching for a way to manage and maintain with a legal basis, eg GDPR. In India, both the private and the public sectors have deployed digital platforms owned ultimately by the government for all to use. End users use the services (eg digital payments) that have been built atop these digital platforms by private businesses and public entities. . Businesses can design and innovate new services for their customers and partners using these platforms. In a sense, the platform is like roads. The state will construct them and anyone can design and deploy any vehicle to run on them following rules. The users, the public, can use these vehicles (such services) and go where they want to go.

The most fundamental benefit is that it is a “public good” platform. That is, it is owned by all – via the state – for all to use and benefit. It is answerable to the people, to the law of the land and is responsible for ensuring privacy, security and sovereignty of data even as it allows its free flow. Governance improves, leakage reduces, and people can access and avail of services that were otherwise inaccessible or unaffordable.

The most basic part of the digital public platform is the ID system for the entire population. Named “Aadhaar,” it holds biometric data which are the fingerprint, the iris, and the face, all connected to an individual ID number. This system allows an online identification of the individual so this basic layer is called the “Presence less Layer”(layer without the presence of the individual). The next layer is a combination of API such as “Digital Locker” which allows individuals and businesses to exchange various documents online, “e-KYC(electronic Know Your Customer),” “e-Sign(electronic signature),” and “e-Receipt” and is called the “Paperless Layer.” On top of this comes the “Cashless Layer” which includes “United Payment Interface,” the API to transfer money between businesses and governments. Finally, on top of this sits the “Consent Layer” that combines the various API for data sharing, use, and authentication. This framework is being deployed for taxation, healthcare, logistics, to drone management, to travel and to many other areas.

Actually, there is no one grand designer. It is the coming together of extremely talented, committed, knowledgeable people many of whom are part of iSpirt. It all started when the state decided to introduce the digital ID system, “Aadhaar” in 2009. We soon realized that when the citizens are provided with an ID, there needs to be a system to authenticate, and store such ID which led to developing a system for electronic storage and verify the individuals which became the “Digital Locker” and “e-KYC.” In other words, we designed as we went. It was probably around 2014 to 15 that it was conceptualised as a single concept, IndiaStack.

India is an extremely unique country in the world. We have many different languages, customs, behaviors, socio economic strata across our 1.3 billion people. It is also a large country with different geographical and infrastructural conditions. Literacy levels, financial status vary widely and therefore are also challenges. . It is an extremely difficult challenge to bring all of our people with such varying conditions under a single platform and a single economic system. The Indian model is unique and when the project began there wasn’t any model to follow! Today, India is becoming a model to consider for many countries. Most countries around the world are like India.

The strength of iSpirt is that we have digital experts with amazing professional backgrounds who are highly driven to achieve the mission of societal transformation. We are a volunteer organization and we work with, but not for the government, regulators, private and public entities. . We do not take funds from the government or regulators. It’s a form of public-private-partnership and having a neutral organization like us helps to smooth out the various partnerships required. The support of the state is critical of course for any public good and the Indian government has been very much the force pushing digital platforms for societal transformation. . The system has shown its capabilities at scale and scope in India. . And now, we believe that the unique approach of India’s digital public platforms can help the 6 billion people of the world – out of the world population of 7 billion - that are in countries like India.

When the state provides benefits or services such as pensions, subsidies, credit, healthcare and many other services, data on the identity and eligibility of the recipient is critical. This is a huge exercise given the size, scope and diversity of India. . Same can be said for tax collection/payment. In other areas, we find that a massive volume of personal data is spread out including medical data, financial, education-related data, transaction data, and other public data. . We can’t substantiate the validity of data unless they can be exchanged in a reliable manner and the digital public platform is what makes this possible. If you have a digital ID, you can participate on the platform to enjoy the various services, both public and private.

I believe there are three areas in data governance and the principles vary across the three.

Personal data, corporate data, and machine data. The principle in personal data governance is usage based on “owner consent.” An announcement of the Sahamati (“agreement/consent”) a collective of “Account Aggregator” was announced in India on July 25th 2019 wherein data can be shared between data providers and data users seamlessly with the consent of the owner of the data. There is also draft bill on personal data protection being discussed in Parliament that should get passed in the next 12months. And the bill is in line with the Supreme Court’s ruling on data privacy.
Clear policies have not been laid out yet for inter-corporate and inter-machine data, In order to guarantee safety in the data flow, these data flows need to be verified from legal, policy, and technological perspectives. The model can be based on the principles of personal data protection.

That isn’t accurate The Supreme Court of India in September 2018 ruled that Aadhaar was constitutional and could be used by the government for say, Income Tax purposes and for delivering benefits and welfare schemes. The Supreme Court ruled that Aadhaar cannot, however, be made mandatory by private entities for providing services.

Several countries are debating the setting up of a data regulator. For an international governance framework to evolve, there needs to an agreement at several levels. With international data exchange, even if there is a legal and policy agreement, it’s pointless unless the systems are compatible. We need to think about how these architectures can speak to each other. There are many challenging scenarios, for example, if the data of a client of a company with head office in India is stored in a server in Japan, which jurisdiction does it fall under?

Like with IndiaStack, I think it’s important to take it step by step. Start with something simple. What IndiaStack excels in is that it’s a modular, flexible, scalable and open API structure. This allows us to easily add on the new services, exchange data and integrate with other systems. Starting small and make it work. This breeds confidence to take on a bigger challenge. I think this is the only way to go about it.