Reintroduction of the Data Protection Bill: Analysing the Implications for FinTech

– Financial Services Division (finserv@vinodkothari.com)

Background

The Ministry of Electronics and Information Technology (MeitY) released the revised draft of the Digital Personal Data Protection Bill, 2022[1] (‘Bill’) on November 18, 2022 for public comments. The Bill is intended to be technology- and sector-agnostic and is therefore meant to serve as a broad framework for digital data protection across all sectors; sector-specific regulators are expected to frame their own regulations on the basis of the legislation eventually enacted from the Bill.

In this write-up, we cover the broad prescriptions of the draft Bill and their impact on the fintech industry.

Applicability

The Bill is proposed to apply to the processing of digital personal data within the territory of India. Digital personal data for this purpose includes personal data collected in digital form from the individual to whom it relates (the ‘Data Principal’), as well as personal data collected offline and subsequently digitised.

Further, it shall also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any profiling of, or activity of offering goods or services to Data Principals, within the territory of India. Profiling is defined as ‘any form of processing of personal data that analyses or predicts aspects concerning the behaviour, attributes or interests of a Data Principal.’

That is to say, if digital personal data of a customer in India is processed in order to understand and predict the customer’s behaviour, transaction patterns and interests, so as to offer them relevant products, the provisions of the Bill apply even if the processing takes place outside India. This must be read with section 17 of the Bill, which provides that the Central Government shall notify the countries to which Data Fiduciaries may transfer personal data. It is pertinent to note that the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘SPDI Rules’)[2] allowed the transfer of data to an entity outside India which ensured the same level of data protection as envisaged under the SPDI Rules.


Our Comments: This practice is common in the fintech industry, where the fintech is part of a foreign corporate group or uses the services of foreign technology companies to evaluate its customers’ behavioural patterns. It is noteworthy that the earlier proposed data protection bill heavily restricted the transfer of personal data outside India, which could have completely disrupted fintech business models, which are largely data-driven.

The Guidelines on Digital Lending[3] (‘DL Guidelines’) provide that Regulated Entities (‘REs’) cannot store customer information on servers located outside India. Importantly, fintechs offer financial products based on the outcomes of customer profiling, which in many cases is done at a group level or service-provider level, usually outside India.

One may contend that the aforementioned provision only bars storing data outside India and not processing or profiling it. However, fintech models are typically built on machine learning, which means the model keeps learning from the data it already holds. If the data had to be brought back to India after each round of processing and could not be stored outside India, the machine learning models may be disrupted.

The Bill could expressly permit storage of personal data outside India subject to adequate safeguards.


Exclusions and Exemptions

It has been provided that the provisions of the Bill shall not be applicable to:

  1. non-automated[4] processing of personal data;
  2. offline personal data;
  3. personal data processed by an individual for any personal or domestic purpose; and
  4. personal data about an individual that is contained in a record that has been in existence for at least 100 years.

Given the definition of the terms “automated” and “processing” in the draft Bill, any piece of digital data is likely to be considered as automatically processed as one or more operations performed on it will be automatic.

Further, section 18 provides exclusions from the applicability of the Bill. One important exclusion is the processing of personal data of Data Principals who are not within the territory of India, pursuant to a contract entered into with a person outside India by a person based in India. Hence, where (a) the Data Principal is not within the Indian territory, (b) the processing is carried out under a contract with a person outside India, and (c) the processing itself happens in India (for instance, an Indian service provider processing the data of foreign customers for a foreign client), the Bill shall not apply.

Major Provisions

The following are major propositions of the Bill:

1.   Setting up of a Data Protection Board

The Bill proposes the setting up of a Data Protection Board (‘Board’) by the Central Government, which shall ensure compliance with the provisions of the Bill. The Board has been entrusted with powers similar to those of a regulator.


Our Comments: The Bill essentially brings fintechs and Regulated Entities engaged in digital transactions within the ambit of the Board. It is noteworthy that Lending Service Providers (‘LSPs’) and Digital Lending Apps (‘DLAs’) are outside the purview of the RBI; hence, the DL Guidelines have vested the RE with the duty to ‘ensure’ that the LSPs and DLAs handle customers’ personal data with the same care and confidentiality that the RE itself is required to observe.

However, DLAs and LSPs, along with REs engaged in digital transactions, would now be brought under the purview of the Data Protection Board of India. This calls for fintech entities to enhance their data security and align their customer data privacy policies with the existing laws and technological standards. It also raises the question whether this would result in overlapping jurisdiction of the RBI and the Board in respect of data security compliance by REs.


2.   Defining data principal, data fiduciary and data processor

The Bill defines these terms based on each party’s relationship with the data. The individual to whom the personal data relates is termed the Data Principal; the person who determines the purpose and means of processing and uses the data for that purpose is termed the Data Fiduciary; and the entity which processes the data on behalf of the Data Fiduciary is known as the Data Processor.


Our Comments: Here it becomes crucial to determine whether an LSP shall be considered a Data Fiduciary or Data Processor. LSPs are defined under DL Guidelines as ‘An agent of a Regulated Entity who carries out one or more of lender’s functions or part thereof in customer acquisition, underwriting support, pricing support, servicing, monitoring, recovery of specific loan or loan portfolio on behalf of REs in conformity with extant outsourcing guidelines issued by the Reserve Bank.’

An LSP is an ‘agent’ acting ‘on behalf’ of the RE for the purpose of providing the RE’s financial services. However, from the perspective of the Bill, the classification of an LSP will depend on the nature of the services it provides or the role it plays. Hence, an LSP that only processes personal data on behalf of the RE, and does not process or store it for providing any other services of its own, may be considered a Data Processor and not be subject to the more rigorous prescriptions applicable to Data Fiduciaries.

On the other hand, one may argue that in fintech models it is often the LSP that interacts with customers (by providing the DLA[5] or another such public platform), that does most of the collection, storage and processing of data received directly from the customer, that acts as an outsourced service provider to the RE on a principal-to-principal basis, and that may use the data for its own purposes as well.[6] Hence, the obligations applicable to a ‘Data Fiduciary’ should apply equally to an entity playing such a role.

Nonetheless, the Bill as it stands places the onus on Data Fiduciaries to ensure that its provisions are also complied with by the Data Processors they engage, which is similar to the way the RBI’s Digital Lending Guidelines are framed to ensure compliance by LSPs.


3.   Obligations of Data Fiduciary

The Bill provides for the obligations of the Data Fiduciary, which broadly include the following:

  1. Data processing shall be done only for a lawful purpose for which the Data Principal has given, or is deemed to have given, her consent.
  2. Before requesting consent for processing the data, an itemised notice describing the personal data sought to be collected and the purpose of processing shall be provided. An itemised list here means listing the nature of the data and the purpose of processing each item.
  3. A personal data breach must be reported to the Board. Reporting of cybersecurity incidents to CERT-In is already mandated under the IT Act and Rules[7], and fintechs registered as NBFCs with the RBI are also required to inform the RBI on the occurrence of cybersecurity incidents[8].

4.   Consent Vs. Deemed Consent

The Bill recognises two kinds of consents that may be received from the Data Principal- (a) Explicit consent and (b) Deemed consent.

Consent under section 7(1) of the Bill is defined as any freely given, specific, informed and unambiguous indication of the Data Principal’s wishes by which the Data Principal, by a clear affirmative action, signifies agreement to the processing of her personal data for the specified purpose.

Further, section 8 of the Bill recognises the circumstances which shall be deemed to be the consent of the Data Principal for processing of data. The following are some of the instances which may be considered deemed consent with respect to transactions on fintech platforms:

  • Where the Data Principal voluntarily provides personal data and it is reasonably expected that she would provide such personal data
  • For compliance with any judgement or order issued under law
  • In public interest for prevention and detection of fraud, recovery of debt, credit scoring, etc.

Our Comments: The DL Guidelines allow access to and sharing of data only with the ‘prior and explicit consent’ of the customer, even where the data is provided by the customer herself. Hence, there is a disconnect between the Bill and the DL Guidelines, which may need to be aligned.


5.   Withdrawal of Consent

Section 7(4) of the draft Bill allows the Data Principal to withdraw her consent, upon which the Data Fiduciary should cease to process the personal data. The Bill explicitly provides that the consequences of such withdrawal shall be borne by the Data Principal, meaning that the Data Fiduciary is well within its rights to cease business transactions with her. Further, under section 7(8) of the Bill, a Data Fiduciary is not entitled to refuse service to a Data Principal who declines to consent to the collection of additional personal data that is not necessary for the purpose of the transaction.


Our Comments: The DL Guidelines have a similar provision whereby the borrower must be given an option to revoke and withdraw consent. However, the DL Guidelines do not spell out the consequences of such revocation or withdrawal, leaving room for controversy as to whether the RE can end the transaction with the borrower. There now seems to be reasonable clarity that the Data Fiduciary has the discretion to stop offering services to the borrower if the borrower revokes her consent to data that is integral to the transaction. However, where the request is for personal data that is not necessary for the transaction in question, the Data Fiduciary cannot cease service on denial or revocation of consent. The draft Bill thus defines when an RE can refuse its services on the ground of denial or withdrawal of consent by the borrower. This provision is significant as it highlights the need for collection of personal data to be justified in terms of the specific transaction it supports.


6.   Auditable Consent

Section 7(9) of the Bill mandates that where the Data Principal’s consent is necessary for processing her personal data and a question regarding this arises in any proceeding, the Data Fiduciary shall be under the obligation to prove that requisite notice was provided to the Data Principal for obtaining the personal data and the consent was duly obtained.


Our Comments: This signifies that Data Fiduciaries have to keep an audit trail of the consent obtained. A similar provision finds place in the DL Guidelines where the REs have to ensure that the prior and explicit consent of the borrower obtained should have an audit trail.
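
To make the withdrawal (section 5 above) and audit-trail (section 6) points concrete, here is an added illustrative example in Python; it is not part of the original article and is not any regulator’s or vendor’s code. It assumes a hypothetical classification, maintained by the fiduciary alongside its itemised notice, of purposes into necessary and optional. The ledger is append-only and hash-chained, so it can show that notice was given and consent obtained for a purpose, stop processing for a purpose once consent is withdrawn without erasing the history, answer whether refusal of service is permitted (only when a necessary purpose is uncovered), and detect any later rewriting of the trail.

```python
"""Append-only, hash-chained consent ledger (illustrative example, not production code).

Every event records which itemised notice the Data Principal saw, which purposes she
consented to (or withdrew consent for) and when. A withdrawal is appended as a new
event rather than editing history, so the ledger can later prove both that notice was
given and that consent was obtained, and show when it ceased to apply.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from typing import Dict, List

GENESIS = "0" * 64  # prev_hash of the first event


@dataclass(frozen=True)
class ConsentEvent:
    seq: int
    principal_id: str
    kind: str               # "grant" or "withdraw"
    purposes: List[str]     # itemised purposes covered by this event
    notice_version: str     # version of the itemised notice shown ("" for withdrawals)
    timestamp: str          # ISO-8601 string supplied by the caller
    prev_hash: str
    hash: str = ""


def _digest(body: dict) -> str:
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class ConsentLedger:
    def __init__(self, necessary: Dict[str, bool]):
        # purpose -> True if necessary for the transaction (hypothetical classification
        # the fiduciary keeps alongside its itemised notice)
        self.necessary = necessary
        self.events: List[ConsentEvent] = []

    def _append(self, principal_id, kind, purposes, notice_version, timestamp):
        prev = self.events[-1].hash if self.events else GENESIS
        body = dict(seq=len(self.events), principal_id=principal_id, kind=kind,
                    purposes=sorted(purposes), notice_version=notice_version,
                    timestamp=timestamp, prev_hash=prev)
        event = ConsentEvent(**body, hash=_digest(body))
        self.events.append(event)
        return event

    def grant(self, principal_id, purposes, notice_version, timestamp):
        unknown = set(purposes) - set(self.necessary)
        if unknown:  # consent can only be recorded for purposes the notice itemises
            raise ValueError(f"purposes not in itemised notice: {sorted(unknown)}")
        return self._append(principal_id, "grant", purposes, notice_version, timestamp)

    def withdraw(self, principal_id, purposes, timestamp):
        return self._append(principal_id, "withdraw", purposes, "", timestamp)

    def active_purposes(self, principal_id) -> set:
        """Replay the ledger; the latest grant or withdrawal for each purpose wins."""
        active: set = set()
        for ev in self.events:
            if ev.principal_id != principal_id:
                continue
            if ev.kind == "grant":
                active |= set(ev.purposes)
            else:
                active -= set(ev.purposes)
        return active

    def may_process(self, principal_id, purpose) -> bool:
        return purpose in self.active_purposes(principal_id)

    def may_cease_service(self, principal_id) -> bool:
        """Refusal of service is allowed only when consent is missing for a purpose that
        is necessary for the transaction (the reading of sections 7(4) and 7(8) above)."""
        active = self.active_purposes(principal_id)
        return any(needed and p not in active for p, needed in self.necessary.items())

    def evidence(self, principal_id, purpose) -> List[ConsentEvent]:
        """Events a fiduciary would produce to show notice and consent for one purpose."""
        return [ev for ev in self.events
                if ev.principal_id == principal_id and purpose in ev.purposes]

    def verify(self) -> bool:
        """Recompute the hash chain; any edited, reordered or deleted event breaks it."""
        prev = GENESIS
        for i, ev in enumerate(self.events):
            body = asdict(ev)
            body.pop("hash")
            if ev.seq != i or ev.prev_hash != prev or _digest(body) != ev.hash:
                return False
            prev = ev.hash
        return True


def demo() -> dict:
    """Constructed scenario: consent for two purposes, then marketing consent withdrawn."""
    ledger = ConsentLedger({"kyc_and_underwriting": True, "marketing": False})
    ledger.grant("cust-001", ["kyc_and_underwriting", "marketing"], "notice-v3", "2022-12-01T10:00:00Z")
    ledger.withdraw("cust-001", ["marketing"], "2022-12-15T09:30:00Z")
    return {
        "chain_ok": ledger.verify(),
        "marketing_allowed": ledger.may_process("cust-001", "marketing"),
        "underwriting_allowed": ledger.may_process("cust-001", "kyc_and_underwriting"),
        "may_cease_service": ledger.may_cease_service("cust-001"),
        "evidence_count": len(ledger.evidence("cust-001", "marketing")),
    }


def tamper_detected() -> bool:
    """Rewriting history (turning the withdrawal back into a grant) must be caught."""
    ledger = ConsentLedger({"marketing": False})
    ledger.grant("cust-002", ["marketing"], "notice-v3", "2022-12-01T10:00:00Z")
    ledger.withdraw("cust-002", ["marketing"], "2022-12-15T09:30:00Z")
    ledger.events[1] = replace(ledger.events[1], kind="grant")
    return not ledger.verify()
```

In a real deployment the chain head would be anchored somewhere the application cannot rewrite (a write-once store or a periodically signed checkpoint) so that an attacker who can rewrite the whole table cannot simply recompute the chain; the example only shows the per-record integrity check.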


7.   Concept of Significant Data Fiduciary

The Bill introduces the concept of Significant Data Fiduciary (SDF). The Central Government shall notify entities or a class of entities as SDFs, based on factors such as volume and sensitivity of personal data processed, risk of harm to the Data Principal, potential impact on the sovereignty and integrity of India, etc. The major requirements prescribed for SDFs are:

  • Appointment of a Data Protection Officer who shall be responsible for addressing the grievances of Data Principals;
  • Appointment of an Independent Data Auditor who shall evaluate the compliance of the SDF with provisions of the legislation based on the Bill; and
  • Undertake a Data Protection Impact Assessment and periodic audits in relation to the objectives of the legislation.

Our Comments: One may expect detailed guidelines for complying with the aforementioned requirements. The powers of Central Government may also be delegated to the Board.

In case regulated fintech entities are notified as SDFs, one question is whether the Grievance Redressal Officer (‘GRO’) of such an entity can also act as its Data Protection Officer. In our view, since the role of the Data Protection Officer is to address customers’ grievances specific to data protection, the role may be assigned to the GRO, provided the GRO is directly responsible to the entity’s Board of Directors.


8.   Right to grievance redressal

The Bill provides for the manner of redressal of grievances of a Data Principal. Every Data Fiduciary must have a grievance redressal mechanism, and Data Principals may register their grievances with the Data Fiduciary in the manner it provides. If the Data Principal is not satisfied with the response, or no response is received within 7 days, she may approach the Board.


Our Comments: DL Guidelines allow a borrower to lodge a complaint with the RBI Ombudsman if any grievances, including data related grievances, are not resolved by the RE within 30 days.

The borrower would now have dual recourse available to her: either the RBI Ombudsman or the Data Protection Board. For a data-specific grievance, the borrower could lodge a complaint with the Data Protection Board. Also, if the complaint relates to personal data collection and processing, the borrower might not need to wait 30 days for a reply from the grievance redressal officer of the RE; she would be at liberty to approach the Data Protection Board if her grievance is not addressed within 7 days.


9.   Data Storage and Retention Policy

The Prevention of Money Laundering Act, 2002, the rules thereunder and the RBI guidelines lay down the periods for which data and transaction records must be preserved by regulated entities. The extant law thus provides only the minimum period for which entities must retain data, and not the period after which data must be deleted. This gap is filled by section 9(6) of the Bill, which provides that a Data Fiduciary cannot retain personal data once its retention is no longer necessary for legal or business purposes and the purpose for which it was collected is no longer served. This provision strongly discourages retaining personal data for longer than is necessary under law and for the entity’s business.


Our Comments: It is common practice in the fintech industry to retain transaction logs even after the regulatory minimum retention periods have elapsed, in order to build historical records that guide future forecasts. The regulatory minimum retention periods are long enough to yield adequate historical data, so deleting the records once the regulatory period is over need not be a concern for the business. The data trends, which are the critical business requirement, may be derived from the data before it is deleted and retained in aggregated form, to the extent they no longer identify any Data Principal.
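
The interplay described above (a statutory minimum that acts as a floor, a purpose-served date that triggers erasure, and legal holds that override both) is easy to get wrong in a data platform. The following is an added illustrative example in Python, not part of the original article and not any regulator’s code; the minimum periods in it are placeholder values to be replaced with the periods actually prescribed under the PMLA rules and RBI directions, and the sample records are constructed.

```python
"""Retention sweep: statutory minimum as a floor, purpose-served as the erasure trigger.

Illustrative example. The periods in MIN_RETENTION are placeholders, not the statutory
figures; a real implementation would load them from the applicable rules per record type.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed minimum retention per record category (placeholder values).
MIN_RETENTION: Dict[str, timedelta] = {
    "kyc_record": timedelta(days=5 * 365),
    "transaction_log": timedelta(days=5 * 365),
    "behavioural_profile": timedelta(days=0),   # no statutory floor assumed
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    collected_on: date
    purpose_served_on: Optional[date]   # None while the collection purpose is still live
    legal_hold: bool = False            # e.g. pending litigation or a regulator's request


def erasure_due_on(rec: Record) -> Optional[date]:
    """Earliest date on which the personal data may be erased: the later of the statutory
    floor and the date the purpose was served. None while the purpose is still live."""
    if rec.purpose_served_on is None:
        return None
    floor_end = rec.collected_on + MIN_RETENTION[rec.category]
    return max(floor_end, rec.purpose_served_on)


def retention_decision(rec: Record, today: date) -> Tuple[str, str]:
    """Decide what to do with one record as of `today`, with the reason."""
    if rec.legal_hold:
        return "retain", "legal hold"
    due = erasure_due_on(rec)
    if due is None:
        return "retain", "purpose still being served"
    if today < due:
        return "retain", f"statutory minimum runs until {due.isoformat()}"
    # Section 9(6) allows either erasure or removing the link to the Data Principal;
    # aggregated trends derived before this point are no longer personal data.
    return "erase_or_anonymise", "statutory floor elapsed and purpose served"


def sweep(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Partition records into those to keep and those due for erasure/anonymisation."""
    out: Dict[str, List[str]] = {"retain": [], "erase_or_anonymise": []}
    for rec in records:
        action, _reason = retention_decision(rec, today)
        out[action].append(rec.record_id)
    return out


# Constructed sample records covering each branch of the decision.
SAMPLE: List[Record] = [
    Record("txn-1", "transaction_log", date(2015, 1, 10), date(2015, 1, 10)),  # floor elapsed, purpose served
    Record("txn-2", "transaction_log", date(2021, 6, 1), date(2021, 6, 1)),    # still inside the floor
    Record("kyc-1", "kyc_record", date(2015, 3, 1), None),                     # live customer relationship
    Record("kyc-2", "kyc_record", date(2014, 3, 1), date(2016, 8, 1), legal_hold=True),
    Record("prof-1", "behavioural_profile", date(2022, 11, 1), date(2022, 11, 30)),
]
AS_OF = date(2023, 1, 1)


def demo_sweep() -> Dict[str, List[str]]:
    return sweep(SAMPLE, AS_OF)
```

Note that `erase_or_anonymise` is a decision, not an action: the sweep should hand those record ids to a separate, logged erasure job, and any aggregation for trend analysis must be run before the identifiers are removed.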


10. Disclosure to Data Principal

Section 12 imposes an obligation on the Data Fiduciary to disclose to the Data Principal a summary of the personal data being processed and the identities of all Data Fiduciaries with whom the personal data has been shared. The obligation of disclosure is cast only upon the Data Fiduciary; a Data Processor processing the personal data of the Data Principal has no disclosure obligation under the Bill.


Our Comments: Fintech companies collect personal data from a number of sources other than the Data Principal and also tend to share collected data with third parties; hence, it may be a challenge to provide the said summary. The timelines allowed to Data Fiduciaries for providing such a summary, and its required scope, will determine the sophistication of the systems they will have to put in place.

Fintech companies also use cloud services (public or private) to store customer data; there is a question whether the identity of such service providers needs to be divulged, something that businesses may be reluctant to do. This will largely depend on whether such cloud storage providers are treated as ‘Data Fiduciaries’ or as ‘Data Processors’ merely processing personal data on behalf of the Data Fiduciary.


Sensitive Personal Data: Omission of section 43A of IT Act

Section 43A of the IT Act provides for compensation to a person whose sensitive personal data has suffered a security breach, and allows the Central Government to define ‘sensitive personal data’ and notify rules to ensure reasonable safeguards for such data. The SPDI Rules are framed under section 43A. With the omission of this section, the SPDI Rules would also stand repealed. It is pertinent to note that the SPDI Rules do not distinguish between a Data Fiduciary and a Data Processor: any body corporate handling personal information is subject to the same rigours, so REs, LSPs and DLAs all have the same compliance obligations thereunder. The Bill, on the other hand, focuses more on Data Fiduciaries than on Data Processors. Of course, as discussed earlier, Data Fiduciaries will have to ensure that their Data Processors also comply with the provisions of the Bill and any rules on personal data protection and security notified by the Central Government in future.

The Bill, however, makes a stark departure from section 43A inasmuch as it does not provide for compensation to an individual whose data has been breached. Hence, by omitting section 43A, an aggrieved Data Principal would not have a specific recourse for compensation for the loss of her personal data.

Concluding Remarks

While the Bill appears fairly technology-friendly and inclusive, and aims at protecting individual privacy while still ensuring ease of doing business (for instance, by allowing cross-border transfer of data), much power has been given to the Central Government to frame rules under the proposed Act, and the devil may well lie in the rules and regulations that will follow.


[1] https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Protection%20Bill%2C%202022.pdf

[2] https://www.meity.gov.in/writereaddata/files/GSR313E_10511%281%29_0.pdf

[3] https://rbidocs.rbi.org.in/rdocs/notification/PDFs/GUIDELINESDIGITALLENDINGD5C35A71D8124A0E92AEB940A7D25BB3.PDF

[4] “automated” means any digital process capable of operating automatically in response to instructions given or otherwise for the purpose of processing data;

[5] Digital Lending Application (DLA) – Mobile and web-based applications with an user interface that facilitate digital lending services.

[6] For a more detailed analysis of the relationship among LSPs and REs and the obligations arising out it, refer to our article here – https://vinodkothari.com/2022/10/lending-service-providers-for-digital-lenders-distinguishing-agency-contracts-and-principal-to-principal-contracts/

[7] Ref. para 12(1) of the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013.

[8] Ref. para 3.6 of Master Direction – Information Technology Framework for the NBFC Sector

Our other articles on data protection:

  • https://vinodkothari.com/wp-content/uploads/2020/02/Data-Protection-Bill.pdf
  • https://vinodkothari.com/2019/11/restriction-on-sharing-of-information/
  • https://vinodkothari.com/2019/09/sharing-of-credit-information-to-fintech-companies-implications-of-rbi-bar/