With the rapid development of technology, the upsurge in demand for digital delivery of financial services, and changing expectations regarding the speed, safety, security, and convenience of digital services, the majority of online users have become comfortable with the idea of sharing their sensitive financial data in return for the benefits of digital delivery of financial services.
The sudden upsurge in demand for digital delivery of financial services led platforms to find ways to collect, verify, and streamline sensitive financial data through varied modes such as uploading statements manually, scraping online accounts, partnering with banks, and connecting to an employee’s payroll software.
Since these methods were cumbersome and insecure, the Reserve Bank of India (RBI) introduced the Non-Banking Financial Company-Account Aggregator (NBFC-AA) framework in 2016 to securely collect, compile, consolidate, synthesize and organize financial data on a single platform and present the information in a manner that makes it easy for financial service providers to analyze and use it to provide financial services.
The existing data privacy framework in India has certain checks and balances to safeguard the sensitive financial data of an individual. Since an Account Aggregator Platform (AAP) functions entirely on a technological platform and deals with the transmission of sensitive financial data between Financial Information Providers (FIPs) and Financial Information Users (FIUs), it is pivotal that a robust and secure data privacy framework is present to regulate the AAPs being set up in India.
Currently, the Data Empowerment and Protection Architecture (DEPA), the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (IT Rules) largely provide the data privacy framework for these digital platforms.
In continuation of the previous blogs on the Sphere of Regulatory Compliance for Account Aggregators, this blog focuses on the effects of the Personal Data Protection Bill (PDPB) on Account Aggregator Platforms being set up in India.
EXISTING DATA PRIVACY FRAMEWORK
The sensitive financial data collected digitally by these platforms needs to be governed and regulated in order to safeguard it from potential risks. There is always a risk of data breach and leakage, which might put sensitive financial data such as bank details, card details, PINs and passwords at risk.
Currently, the existing data privacy framework consists mainly of the IT Act and the IT Rules, as they specifically deal with compensation for failure to protect data and the Government’s right to issue directions for monitoring and intercepting data, as and when required. However, it is pertinent to note that the IT Act and the IT Rules do not provide an exhaustive regulatory framework for data privacy.
AAPs deal with sharing of sensitive financial data. The India Stack, while keeping in mind the authenticity and security of data, introduced the DEPA mechanism which is also known as the ‘Consent Layer of India Stack’. This mechanism is a positive step towards ensuring data privacy as it provides customers absolute control over their data.
An AA does not store the sensitive financial data of an individual on its platform, which clearly implies that the potential risks cannot be negated at any cost. Due to the lack of a robust data protection system in India, it is still unclear how grievances will be addressed and taken care of in case of a data breach. In such a scenario, once the PDPB is enacted, it would provide some clarity on the processing of personal data, consent, the Right to Erasure, etc.
DEPA IN THE ABSENCE OF THE PDPB
In this era of digitalization, data interoperability is largely hindered by the lack of uniform and standard data protection laws in India. However, by integrating datasets effectively through APIs in DEPA, different agents can communicate effortlessly with one another.
DEPA provides for data portability, which allows the AA platforms to seek consent from customers in order to share their data with FIPs in an efficient and secure manner so that they can avail financial services. With the PDPB yet to be implemented, DEPA serves as the sole framework for streamlining data portability and data sharing on the AA platforms.
POTENTIAL EFFECTS OF THE PDPB ON AAPs
- Exceptions to Consent Requirement
Section 14 (2) (e) of the Data Protection Bill keeps “credit scoring” activities in the list of exceptions for which consent need not be taken while processing the personal data of a customer. Therefore, a narrow interpretation of this clause would result in a serious breach of the customer’s Right of Data Protection promised under the AA ecosystem.
Waiving the requirement to take consent for ‘critical’ financial information or for the calculation of credit scores could result in even more targeted advertisements for products that customers have not sought or, in the worst-case scenario, could give rise to predatory practices by debt collectors, such as harassing family and friends.
Under Section 14 (2) (c), the consent of the customer is not required by the Data Fiduciary at the time of any “merger or acquisition”, which usually takes place between rival companies. A close analysis of this provision reveals various complications. For example, if a customer gave consent to Company A to share data based on trust before the merger or acquisition of that company with Company B, it could lead to potential complications or breaches if not governed properly.
Once these companies are merged, the financial data of such customers might be shared with other companies without seeking due consent from the customers. Such practices would be unfair to the customers, as they do not trust the other entity. Therefore, this clause can be perceived as enabling the usurpation of consents collected by a target company.
- Right of Erasure and Correction
Section 18 of the PDPB addresses the right of a Data Subject to correct or erase their data. It states that the Data Principal has a right to “correct” inaccurate or misleading data, “complete” incomplete data, “update” any out-of-date information, as well as “erase” data that is not required for the reason it was initially stored.
Section 18 (2) of the PDPB provides that if the Data Fiduciary does not agree with the correction or erasure requested by the Data Subject, it is required to provide the Data Principal or the Data Subject with “adequate justification in writing” for rejecting such requests. If the Data Subject is not satisfied with such justification, the Data Fiduciary might be required to “take reasonable steps to indicate, alongside the relevant personal data, that the same is disputed by the Data Principal”.
Clause 4 of this Section only requires the FIUs to be informed of the changes being made to particular data; it does not address how FIUs may actually end up using such data after being informed of these changes.
The Reserve Bank Information Technology (ReBIT) specifications allow Data Subjects to revoke their consent by making an application to the AA directly, or via FIPs, who are required to inform the AA of such changes. However, the ReBIT specifications do not specify how the FIU is required to handle such data once the customer’s revocation of consent is notified, or whether the FIU is bound by any law to comply with the customer’s request.
- Right to Information on Data Breach
In the event of a data breach, Section 25 of the PDPB makes it mandatory for Data Fiduciaries to inform the Data Protection Authority, through a notice, about such breach and whether it is likely to cause the Data Subject any harm. The notice should include the “nature” of the data that has been breached, the “number of Data Subjects” affected by such breach, the “consequences of such breach”, and the “remedy” being implemented to address the breach.
In case the Data Fiduciary is unable to comply with these requirements, the Data Subject’s right to have information about the breach of their personal data is left completely to the discretion of the Data Protection Authority.
The Data Fiduciaries are not required to provide any reasons for not informing Data Subjects about the breach. Non-disclosure of such breaches allows the Data Fiduciaries to silently resolve security lapses, and prevents customers from limiting their damage and litigating against Data Fiduciaries or external hackers in a timely manner.
OFFENCES UNDER THE PDPB
The PDPB proposes strict punishment, including imprisonment, for offences where any individual attempts to breach the Financial Information shared by the Data Subjects with Account Aggregators.
Section 82 of the PDPB states that a person who “re-identifies personal data which has been de-identified by a data fiduciary” and/or “processes such personal data” without the Data Fiduciaries’ explicit consent may be imprisoned for up to three years, fined up to two lakh rupees, or both.
Section 84 (1) of the PDPB states that if an offence is committed by a company, then every person who was in charge of that company at that time “shall be deemed guilty” and will be liable to be punished. However, the actions which attract such punishment have been defined rather vaguely, and the PDPB fails to define what constitutes ‘critical data’ that needs to be handled with extra caution by AAs.
In order to avoid disproportionate penalties, it is essential that the actions which attract punishment, and those who are to be held liable, are defined clearly. The interpretation of the provisions by the RBI, and not by an expert Data Protection Authority, will also have serious consequences and will act as a high entry barrier for new entities, which will ultimately reduce the alternative choices to AAs available to customers.
In the current AA ecosystem, by giving customers more control over their data, DEPA has unlocked the value of data sharing in a technologically legitimate and secure manner and has also increased competition by fostering innovation.
Nonetheless, although the Consent Managers under the DEPA framework assume the role of managing the sharing of sensitive financial data between FIPs and FIUs, the framework has limited checks and safeguards for securing the sensitive financial data of an individual in comparison to the PDPB. A Data Protection Authority dedicated to overseeing the privacy of data under the DEPA framework can be created under the PDPB to efficiently manage, secure, and share sensitive financial data between FIPs and FIUs.
The Right to Data Portability in the PDPB symbolizes the broader legislative mandate, and it is therefore imperative that the PDPB also be enacted soon to enable better understanding and regulation of the data being collected in bulk by the AA platforms for digital delivery of financial services.