Compliance with regards to Protection of Consumer Data in the FinTech Sector

January 26, 20220


Since the Personal Data Protection Bill, 2019 (the Bill) was introduced in Parliament, it has been making headlines. The Bill attempts to create a framework for protecting citizens’ privacy by preventing technology companies from keeping and processing ‘sensitive’ personal data without their express permission.

The Bill has been in the works since the Supreme Court declared Right to Privacy as a fundamental right and advised the Government to put in place a strong data protection framework.

The Bill, once enacted, will eventually have an influence on FinTech companies that process personal and financial customer data. The enactment of the Bill will introduce additional compliance on the FinTech companies as well as regulate third party data transfers, storage of personal data across borders, and other several aspects pertaining to data privacy.


Application Programming Interface (API) based banking is a popular mode of banking in the FinTech sector. An API allows third-party applications to access a bank’s data in order to deliver a service. The appropriate data in the bank’s database is accessible via an API that only allows access to the data that has been requested and approved.

The Reserve Bank of India’s (RBI) Account Aggregator (AA) framework does not allow for such data interchange or data transfer. This framework establishes certain data security criteria. The entire procedure is managed contractually in the case of FinTech offered services. The Bill aims to enact such data security regulations.


The enactment of the Bill is likely to cause significant disruptions in FinTech businesses. The RBI and the Securities and Exchange Board of India (SEBI) are yet to issue solely FinTech-specific rules, for the industry as a whole.

The introduction of the Bill might pave way for consent-based data exchange in the FinTech industry. Financial institutions typically fail to price risk effectively due to a lack of data on each individual.

Customers would feel free to divulge their personal data if the Bill is properly enforced, and the FinTech businesses would be able to better personalise their products and services with more data at their disposal.

The Bill aims to implement cross-border data transfer limits as well as prohibit the processing of sensitive personal data outside of India. Apart from that, corporate entities are not permitted to access consumer data after the reason for which it was collected has been fulfilled. It can only be accessed with the customer’s explicit authorization. In a way, such provisions provide a regulatory stumbling block for FinTech companies as the FinTech industry collects a huge chunk of personal data of its customers.

The Bill shall also present a hurdle for FinTech businesses since it compels them to plan for increased regulatory duties. These businesses deal with a lot of sensitive personal information. All sorts of personal financial data are classified as sensitive personal data under the law.


Section 3(18) of the Bill defines Financial Data as “any number or other personal data used to identify an account opened by, or a card or payment instrument issued by, a financial institution to a data principal, as well as any personal data about the relationship between a financial institution and a data principal, such as financial status and credit history.”

Section 3(36) of the Bill further stipulates that financial data shall fall under the ambit of sensitive personal data. Therefore, FinTech companies need to comply with the provisions of the Bill while processing or storing any sensitive personal data or financial data of their customers.

The Bill attributes several rights to the individuals in order to safeguard the data provided to the corporate bodies. The rights include:

  1. The right to request confirmation and access from the Data Fiduciary that is handling the individual’s personal data;
  2. Right to correction and erasure of the personal data in case the same is erroneous, incomplete, or out-of-date;
  3. Right to data portability as and when required, to any other Data Fiduciary;
  4. Right to be forgotten, which means that the personal data is to be erased when such data is not needed or consented to.

Section 12 of the Bill provides an exception wherein personal data may be processed if such processing is necessary for the performance of the Government, or any licensing/certification purposes, or in order to comply with any order or judgment, etc. Even if these non-consensual grounds are used to handle personal data, users must be notified under Section 7(1)(e) of the Bill.


The new era of digital banking, online payment systems, digital lending, etc. has spawned a slew of new businesses that make it simple to make payments digitally, borrow or lend money online, etc. FinTech companies often attract users to their platform and offer a simple application procedure for loans and other financial services.

For the purpose of their functioning, FinTech companies process and store a large amount of consumer data, both personal and financial. Some of these organisations store their data in India, while others opt to store it elsewhere. Even storing data on a cloud platform is fairly common nowadays.

The Data Principal’s Consent: Personal data of the Data Principal can only be processed after receiving the Data Principal’s explicit consent. According to Section 11 of the Bill, the consent must be free, explicit, unambiguous and revocable, and, most crucially, informed, i.e. given with knowledge of the notice for collection or processing of personal data required under Section 7 of the Bill.

The FinTech companies shall need to provide a notification to the customer at the time of the collection of the personal data, including key details such as the purpose for which the personal data is being processed, the ability to withdraw consent, and so on.

Furthermore, if the personal data is not gathered from the Data Principal and is obtained from other sources, the FinTech organisation must still provide a notice or inform the Data Principal at the earliest, or as soon as it is reasonable to do so.

Data Localisation Norms: Data localisation has been a major concern for FinTech companies, particularly those with a worldwide presence and offices around the globe. The Bill places stringent limitations on data storage.

According to the Bill, sensitive personal data must be stored only in India and cannot be subject to third party transfers across the borders. However, if the need arises, such sensitive personal data can be transferred across the borders after providing the legitimate reasoning and obtaining consent of the competent authority.

Furthermore, FinTech companies that opt for cloud-based solutions face additional challenges in terms of data storage. It is pertinent to note that such cloud-based data storage might lead to a breach of the storage regulations stipulated in the Bill, as such cloud-based servers are usually accessible by people across the globe.

The Government in India is not the first Government to impose strict data localization requirements. Due to national security concerns and threats, China, Indonesia, and other nations have enacted strict data localization regulations. The regulations in other nations allow for the storing of ‘essential data’ locally.

Privacy by Design: Privacy by Design is a notion that combines privacy with the technology of the entity processing the data. This approach has also been implemented in the European Union as a part of the General Data Protection Regulation (GDPR).

FinTech companies, like other Data Fiduciaries, must ensure the implementation of a Privacy by Design policy that includes the characteristics outlined in Section 22 of the Bill, which include the obligations of Data Fiduciaries, the technology used for processing the personal data, ensuring transparency in processing of data, etc. The Data Protection Authority may certify the policy that has been developed.

Data Protection Officer: According to Section 30 of the Bill, every significant Data Fiduciary shall appoint a Data Protection Officer holding such qualification and experience as may be stipulated under the Bill. A significant Data Fiduciary is one that has been notified as such by the Authority. Thus, every company that has been designated as a significant Data Fiduciary by the Data Protection Authority established under the Bill must comply with the law and appoint a Data Protection Officer.

FinTech companies that have been designated as significant Data Fiduciaries shall need to comply with the requirements stipulated in the Bill, once the Bill is enacted.

Right to be Forgotten: As discussed before, the Bill provides the Right to be Forgotten, wherein the individual can request the erasure of their personal data if the information is outdated or no longer required.

This might be contradictory to other regulations since other statutory rules may mandate FinTechs and Non-Banking Financial Companies to keep data for a longer period of time.
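The points above (API access that only returns the data that was requested and approved, consent that is informed, purpose-bound and revocable, and an erasure request that may collide with a statutory retention period) can be shown together in a small control-layer model. This is an added illustration and not code from the Bill, the RBI, or any FinTech platform; the class and function names (ConsentRecord, CustomerVault, access, erase) are invented for this example, the customer records are constructed, and the retention date stands in for whatever period other rules may impose.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class ConsentRecord:
    """What the data principal agreed to, and whether notice was served."""
    purposes: Set[str]        # purposes consented to, e.g. {"loan_underwriting"}
    notice_given: bool        # notice at collection (Section 7 of the Bill)
    withdrawn: bool = False   # consent is revocable (Section 11)


@dataclass
class CustomerRecord:
    customer_id: str
    financial_data: Dict[str, str]       # account / credit data: sensitive personal data
    consent: ConsentRecord
    retain_until: Optional[date] = None  # hypothetical retention hold from other rules
    erased: bool = False


class CustomerVault:
    """Holds customer records and gates every read on consent and purpose."""

    def __init__(self) -> None:
        self._records: Dict[str, CustomerRecord] = {}
        self.audit_log: List[str] = []

    def add(self, record: CustomerRecord) -> None:
        self._records[record.customer_id] = record

    def access(self, customer_id: str, requester: str, purpose: str) -> Optional[Dict[str, str]]:
        """Return a copy of the data only if informed, live consent covers this purpose."""
        rec = self._records.get(customer_id)
        if rec is None or rec.erased:
            self._log("DENIED", requester, customer_id, purpose, "no record")
            return None
        c = rec.consent
        if not c.notice_given:
            reason = "no notice served"
        elif c.withdrawn:
            reason = "consent withdrawn"
        elif purpose not in c.purposes:
            reason = "purpose not consented"
        else:
            self._log("GRANTED", requester, customer_id, purpose, "ok")
            return dict(rec.financial_data)
        self._log("DENIED", requester, customer_id, purpose, reason)
        return None

    def withdraw_consent(self, customer_id: str) -> None:
        self._records[customer_id].consent.withdrawn = True

    def erase(self, customer_id: str, today: date) -> str:
        """Right to be forgotten, deferred while a statutory retention hold is running."""
        rec = self._records.get(customer_id)
        if rec is None or rec.erased:
            return "not_found"
        if rec.retain_until is not None and today < rec.retain_until:
            self._log("DEFERRED", "system", customer_id, "erasure",
                      "retention hold until " + rec.retain_until.isoformat())
            return "retained"
        rec.financial_data = {}
        rec.erased = True
        self._log("ERASED", "system", customer_id, "erasure", "ok")
        return "erased"

    def _log(self, outcome: str, requester: str, customer_id: str, purpose: str, reason: str) -> None:
        self.audit_log.append(
            f"{outcome} requester={requester} customer={customer_id} purpose={purpose} reason={reason}")


def build_sample_vault() -> CustomerVault:
    """Constructed sample records; not real customers or real account numbers."""
    vault = CustomerVault()
    vault.add(CustomerRecord("cust-001", {"account_no": "XXXX-1234", "credit_score": "742"},
                             ConsentRecord(purposes={"loan_underwriting"}, notice_given=True),
                             retain_until=date(2027, 3, 31)))   # hypothetical retention period
    vault.add(CustomerRecord("cust-002", {"account_no": "XXXX-9876", "credit_score": "611"},
                             ConsentRecord(purposes={"loan_underwriting"}, notice_given=False)))
    return vault


def demo() -> Dict[str, object]:
    """Walk through the consent, purpose-limitation and erasure decisions."""
    vault = build_sample_vault()
    out: Dict[str, object] = {}
    out["underwriting"] = vault.access("cust-001", "lending-app", "loan_underwriting")
    out["marketing"] = vault.access("cust-001", "lending-app", "marketing")   # purpose not consented
    out["no_notice"] = vault.access("cust-002", "lending-app", "loan_underwriting")
    vault.withdraw_consent("cust-001")
    out["after_withdrawal"] = vault.access("cust-001", "lending-app", "loan_underwriting")
    out["erase_early"] = vault.erase("cust-001", date(2026, 1, 1))   # hold still running
    out["erase_later"] = vault.erase("cust-001", date(2027, 4, 1))   # hold expired
    out["after_erasure"] = vault.access("cust-001", "lending-app", "loan_underwriting")
    out["audit"] = list(vault.audit_log)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Each decision is written to the audit log, which is what an auditor or the Data Protection Authority would look for: the log shows who asked, for which purpose, and why the request was granted or refused, and it records an erasure request that had to be deferred because of a retention obligation rather than silently dropping it.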


The Bill favours the Data Principal by conferring several rights on them and imposing limits and requirements on the Data Fiduciary. In terms of client acquisition and turnaround speed, the open flow of information is critical for FinTech companies. Imposing data localisation and other severe regulations adds additional costs, which might make it difficult for FinTech platforms to find clients.

Overall, the Bill favours the Data Principal; nevertheless, it should ideally strike a compromise between the two – data freedom and consumer privacy rights.

There has been an understanding that the Bill is an “evolvable and agile framework,” rather than a “static policy product.” It is pertinent to note that understanding the technological-legal (techno-legal) complexities of the Bill and tackling crucial concerns like cyber security and operational hazards require more research and discussion.

The Bill has the potential to be the techno-legal solution that unlocks the benefits of data sharing by giving individuals more control over their personal data. This control not only improves competition, but it also promotes innovation.

– Team AMLEGALS assisted by Mr. Rohan Sehgal (Intern)



© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.
