India’s journey towards a dedicated privacy law started with the Puttaswamy judgment in 2017, which recognised privacy as a fundamental right under the Constitution of India and expressed the need for a comprehensive data protection regime in the country.
After extensive public debate and discussion, the draft Personal Data Protection Bill, 2019 (the former PDP Bill) was withdrawn by the Ministry of Electronics and Information Technology (Meity) in 2021. A new, simpler version, the Draft Digital Personal Data Protection Bill, 2022 (DPDP Bill), has been issued. Industry feedback has been invited until the 17th of December, 2022.
How Indian and foreign fintech companies are impacted by the DPDP Bill
Fintech companies, Indian and international, will fall within the scope of the DPDP Bill. Currently, the primary privacy regulations applicable to fintech companies in India are scattered sectoral regulations with privacy and confidentiality obligations, issued by the various financial regulators in the country. The Information Technology (Sensitive Personal Data or Information) Rules, 2011 (the IT SPDI Rules), issued by Meity under the Information Technology Act, 2000, also apply to all body corporates within India, including fintech companies. While under these rules financial information is classified as ‘sensitive personal data or information’ (SPDI) and is thus subject to enhanced protections, the proposed DPDP Bill does away with this distinction. Instead, it applies uniformly to ‘digital personal data’, removing the earlier distinctions of sensitive and critical personal data.
Apart from separate provisions for children’s data (such as parental consent), the DPDP Bill instead adopts the approach of identifying and notifying ‘significant data fiduciaries’, for which enhanced obligations will be prescribed, including the conduct of independent data audits and data protection impact assessments. Therefore, Indian and foreign fintech companies will need to ensure that their data processing activities which take place in India, or which target people in India, are compliant with the DPDP Bill.
The DPDP Bill excludes some categories, such as non-automated processing, offline personal data, personal and domestic use, and personal data in records that are over 100 years old. The DPDP Bill, while having only 30 provisions compared to 98 in former versions, covers:
- Extra-territorial application: This applies to any ‘digital personal data’ processing within India, and also to such processing outside India if in connection with profiling of, or in relation to offering goods and services to, data principals (the equivalent of data subjects) within India.
- Notice and consent: Notice must be provided in English and in any other language specified under the Indian Constitution. Consent, as is typical of data protection laws, must be freely given, specific, informed, and unambiguous, and must be provided via a clear affirmative action. Data principals will have the right to withdraw consent.
- Non-consent-based processing: Exceptions to consent, which the DPDP Bill terms ‘deemed consent’, are specified, allowing non-consent-based processing in cases of voluntary submission of digital personal data to a data fiduciary, for processing required to perform a function under a law, to comply with a judgment or order, for employment and related purposes, in the public interest (such as fraud prevention, credit scoring or M&A), and for reasonable purposes which will be prescribed. These are important exceptions which many businesses will turn to for the processing of data.
- Consent managers: Consent managers registered with the Data Protection Board of India (the Board) will act on behalf of the data principals to help them give, review, and withdraw consent. India already has some consent managers via the Account Aggregators (for financial data sharing between regulated entities), which also manage data portability.
- Data fiduciary obligations: Basic data fiduciary (the equivalent of a data controller) obligations are imposed which will apply to companies processing ‘digital personal data’, such as an obligation towards data quality, a requirement for technical and organisational measures, data breach notifications, limitations on data retention, grievance redressal requirements, and rules for transfers to data processors. A Data Protection Officer must be appointed. Significant data fiduciaries will have enhanced obligations and will be notified by the central government based on factors such as the volume and sensitivity of personal data processed and the risk of harm.
- Data principal rights: Rights such as the right to information, to correction, and to grievance redressal are included, while other rights (such as the right to be forgotten) have been excluded. The rights to notice and to withdraw consent are discussed above.
- Cross-border data transfer: The earlier mandates for data mirroring and data localisation under previous versions have been replaced with a white-listing process. The central government will notify countries and territories outside India to which data may be transferred.
- Data Protection Board of India: The Board will be appointed by the central government to carry out functions such as determining non-compliance, imposing penalties or directing measures to be taken in case of a breach, together with any other obligations imposed on it by the central government. Appeal from a decision of the Board will lie to the High Courts.
- Penalties: The penalties for non-compliance are as prescribed in the Schedule, up to Rs. 500 crore per instance. For example, failure to take reasonable security safeguards attracts a penalty of up to Rs. 250 crore, while non-compliance by a significant data fiduciary attracts up to Rs. 150 crore.
Conflict with sectoral law
The IT SPDI Rules also apply to fintech entities. Apart from this, there are numerous sector-specific privacy regulations (such as in telecom, financial services and health). Examples in the fintech sector include the recent Digital Lending Guidelines, the Account Aggregator Framework, and the Digital Payment Security Controls. General confidentiality provisions also exist, such as RBI obligations which require banks to ensure that customer consent is present before data is disclosed.
Fintech innovation necessitates coordination and cooperation not only across financial regulators (insurance, pension, securities and banking), but also with other sectors such as telecom (for OTT services, for example) and with Meity. The former PDP Bill allowed the Data Protection Authority of India to enter into Memorandums of Understanding with other regulators/authorities to ensure regulatory coordination. The current DPDP Bill, while an overarching regulation, results in a similar conflict with sector-specific regulations.
The Explanatory Note to the DPDP Bill issued by Meity provides clarity here, specifying that the DPDP Bill will apply only to the extent of such a conflict; the sectoral regulation will prevail. Regardless, the final data protection regulation will call for a sector-wise review of its application, the conflicts arising, and the interpretation needed to allow compliance by financial entities. A particular conflict can arise where the sectoral regulation expressly permits more relaxed privacy protections as compared to the DPDP Bill, though in most cases it will be the opposite, where the sectoral regulation prescribes more stringent protections.
Examples of some conflicts are:
- Data retention: The DPDP Bill allows data fiduciaries to retain personal data as long as required for business purposes. It carves out the standard exception to the retention limits and withdrawal-of-consent requirements, allowing retention where required under another law. For example, under the Prevention of Money Laundering Act, 2002, transaction records are required to be maintained for at least five years. Turning to sector-specific regulation, the Digital Lending Guidelines require regulated entities to frame policy guidelines in relation to the storage of data, including the type of data and the length of time for which lending-related data can be stored.
- Consent requirements: The Digital Lending Guidelines require regulated entities to obtain the prior and explicit consent of the customer for any collection or processing of their personal data, leaving an audit trail. The Peer-to-Peer Lending Master Directions, 2017, on the other hand, prescribe explicit consent for accessing a participant’s credit information. Here, for example, the deemed consent allowed for voluntary provision of data under the DPDP Bill will not suffice.
- Cross-border data flows: The Bill prescribes that personal data can be transferred outside India to notified jurisdictions. However, the RBI notification on Storage of Payment System Data, dated April 6, 2018, read with its FAQs, requires storage of data relating to payment systems by system providers only in India. The Digital Lending Guidelines as well as the Payment Aggregator Guidelines, 2020 also require that all digital lending and customer-related data be stored only on servers located in India. Regulated entities will need to ensure that any cross-border transfer of data complies not only with the requirements under the DPDP Bill (such as the territory in question being white-listed) but also with these regulations.
- Grievance redressal: In terms of remedial measures, many RBI regulations, such as the Payment Aggregator Guidelines, contain mandates in relation to customer grievance redressal. Under the RBI Integrated Ombudsman Scheme, 2021, customers can approach the Integrated Ombudsman for the redressal of their grievances after 30 days of not receiving a reply from the regulated entity, or upon dissatisfaction with the resolution provided by the regulated entity. However, the DPDP Bill allows customers to approach the Board within 7 days of non-receipt of a reply from the concerned data fiduciary, and shorter periods may also be prescribed. Here, the RBI-provided period should prevail.
For a full discussion on the latest policy developments each month, do check out Cashfree Payments’ Policy Radar.