In our previous blog, we discussed the role of the Know Your Customer (KYC) policy in addressing the challenges consumers face regarding the privacy and security of data stored by FinTech companies in India. In continuation of that discussion, the present blog examines the ramifications of various Data Privacy issues for the FinTech Sector.
It aims to shed light on the ways in which the upcoming Personal Data Protection (PDP) Bill is likely to impact FinTech Companies, as well as the steps players in the FinTech Sector need to take to mitigate cyber security risks and make the most of the rapid digitization of the Indian economy.
FINTECH INDUSTRY vis-à-vis DATA PRIVACY ISSUES
Data breaches and cyber-attacks have become rampant in the FinTech sector in India. As per reports from the Ministry of Electronics and Information Technology (MEITY), nearly seven lakh cases of cyber-attacks were reported up to August 2020. This shows that the FinTech sector, which has benefitted the most from the unrestricted flow of data, is not immune to the dangers of Cybersecurity. Data protection is therefore of paramount importance for FinTech players in India.
Cyber security risks include Third-Party Security Threats, Data Breaches, Cloud-Based Security Threats, Digital Identity Risks, etc. To counter these threats and prevent attackers from gaining access to sensitive data, a balanced approach to innovation is needed, one that encourages the FinTech Industry’s growth while mitigating the dangers associated with FinTech services.
India lacks a standalone codified law on Data Protection and Privacy. With regard to Data Protection, the FinTech Industry is therefore primarily governed by the Information Technology Act, 2000 (the IT Act) and the IT Rules, 2011.
Section 43A of the IT Act states that a body corporate shall be liable to pay damages by way of compensation to the affected person if it was negligent in implementing reasonable security practices for protecting that person’s Sensitive Personal Data.
Furthermore, Section 72A prescribes a penalty for any person, including an Intermediary, who, while providing services under the terms of a lawful contract, discloses material personal information about another person without that person’s consent or in breach of a lawful contract, knowingly or intentionally, so as to cause wrongful loss to that person.
The IT Rules, 2011, inter alia, require an entity that collects or processes the Personal Data of an individual:
- To obtain prior consent in writing from the provider of Sensitive Personal Data or Information regarding the purpose of usage before such collection;
- To obtain the permission of the Data Provider before disclosure of the Sensitive Personal Data or Information to a third party;
- To ensure that the data so collected should not be retained for longer than necessary under the applicable law and to use the information only for the purpose for which it has been collected;
- To provide an option for the Data Provider to refuse to provide the data or information sought to be collected;
- To designate a Grievance Redressal Officer and provide his/her details on its website;
- To allow the Data Provider to access and update their information;
- To ensure compliance with the requirements for transfer of information.
It has been rightly pointed out in the Report of the Working Group on FinTech and Digital Banking that Data Protection is usually governed by the contractual relationship between the parties, who are free to enter into contracts defining their relationship, including the terms on which Sensitive Personal Data is handled and distributed. Hence, there is a need for an exhaustive, stand-alone legislation on Data Protection in India, considering the innovations of the FinTech Sector and the risks to Personal Data in the hands of these entrepreneurs.
Unlike India, Europe has a codified and comprehensive Data Protection law in the form of the General Data Protection Regulation (GDPR). With a view to harmonizing Data Privacy Law across Europe, the European Parliament agreed upon the GDPR on 14.04.2016; it came into force on 25.05.2018, replacing the 1995 EU Data Protection Directive 95/46/EC.
All members of the European Union (EU) are required to comply with the GDPR; failure to do so attracts hefty fines and penalties. The GDPR imposes strict standards on companies handling the data of EU citizens, to better safeguard the processing and movement of their Personal Data. Regardless of geographic location, the GDPR extends its Data Protection requirements even to international companies that hold and process the Personal Data of EU citizens.
SALIENT FEATURES OF GDPR
1. Consent: GDPR provides for Opt-In Consent and Opt-Out Consent, which form the basis of the processing of Personal Data. In the case of Opt-In Consent (Express Consent), the Personal Data of the consumer can be used by the Data Controller. Such consent needs to be freely given, and GDPR requires it to be an explicit authorization to the company to process the consumer’s Personal Data. However, the consumer under GDPR also has the corollary right to withdraw such consent at any given point of time, i.e. Opt-Out Consent.
2. Data Protection Officer: GDPR also requires certain companies to appoint a Data Protection Officer (DPO) if their core activities comprise regular and systematic monitoring of consumers, or the processing of Sensitive Personal Data or Personal Data relating to criminal convictions or offences, or if the organization is a public authority.
The role of DPO under GDPR is:
- To advise the Data Controller on Data Protection obligations;
- To ensure that the Data Controller maintains compliance with the GDPR and other Union or Member State Data Protection Laws;
- To provide advice with regard to Data Protection Impact Assessment (DPIA), etc.
A DPO is required to be independent, an expert in Data Protection Law and sufficiently resourced. Further, the DPO should report directly to the Top-Tier Management of the organization, and can be either an existing staff member or an external appointee.
3. Notification Requirement for Data Breaches: In the event of a Personal Data Breach, the Data Controller is required to notify the Supervisory Authority within 72 hours of becoming aware of it. Further, when the breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller has to communicate the breach to the Data Subject without undue delay.
4. Right to Be Forgotten: Also known as the Right to Erasure, this Right allows a consumer to request the Data Controller to erase their Personal Data, cease its further dissemination, or halt its further processing by third parties, subject to certain exceptions.
5. Privacy by Design: Privacy by Design runs on the philosophy that only the Personal Data necessary for each specific purpose is processed. Both Data Controllers and Data Processors are required under the GDPR to take reasonable steps and build systems that secure the Personal Data of their consumers.
6. Right to Access: GDPR entitles consumers to obtain from the Data Controller confirmation of whether or not their Personal Data is being processed and, if so, access to that Personal Data and certain information such as the purposes of the processing, the categories of Personal Data concerned, the envisaged period for which the Personal Data will be stored, the recipients to whom the data will be disclosed, etc.
GDPR is a concrete set of progressive regulations which seeks to ensure transparency and accountability as well as the security and privacy of Personal Data. In India, on the Srikrishna Committee’s Recommendations, the draft Personal Data Protection Bill (PDPB) was tabled before the Lok Sabha in 2019 and examined by a Joint Parliamentary Committee. The PDPB is more or less in line with the GDPR.
FinTech Companies collect and process the Personal Data of individuals for their business operations. Since the PDPB is likely to have a significant impact on how data is stored, processed, managed and shared, FinTech companies should understand its ramifications. The PDPB defines a Data Fiduciary as any person (including a state, company, juristic entity or individual) who determines the purpose and means of processing Personal Data.
Data Fiduciaries can be classified as Significant Data Fiduciaries based on factors such as the number of users whose Personal Data is being or has been collected, the volume of Personal Data processed, the sensitivity of such data, the turnover of the Data Fiduciary, the risk of harm from the processing carried out by the Data Fiduciary, the use of new technologies for processing, etc.
Given the volume of Sensitive Personal Data handled by FinTech companies, such as names, PAN, Bank Account details, Credit history etc., all of which fall within the category of Sensitive Personal Data under the PDPB, they are likely to be classified as Significant Data Fiduciaries, which would entail further compliances by the FinTech companies.
THE PERSONAL DATA PROTECTION BILL (PDPB) AND ITS IMPACT ON THE FINTECH SECTOR
The PDPB aims to increase the country’s information ecosystem’s accountability and transparency, while also addressing loopholes and severe Data Security problems. The PDPB, once enacted, will establish a comprehensive framework for data privacy and protection that governs the access, use, processing, and storage of Personal Data of an individual. Some of the salient features of the PDPB include:
1. Data Localization Norms: The PDPB proposes a Data Localization requirement for Sensitive and Critical Personal Data. Sensitive Personal Data may be transferred outside India only for the purpose of processing, with explicit consent and subject to certain conditions under Section 34, but it must continue to be stored in India. Critical Personal Data, on the other hand, can only be stored and processed in India.
2. Consent: As per the PDPB, the Personal Data of the consumer (the Owner of the data) can only be processed after receipt of their explicit consent, which must be free, specific and clear. As per Section 7 of the PDPB, every Data Fiduciary is under an obligation to give the Data Principal a notice at the time of collection of data, specifying information such as the purpose for which the data is being processed, the nature and categories of data being collected, the identity and contact details of the Data Fiduciary, the right of the Data Principal to withdraw consent and the procedure for doing so, etc.
3. Privacy by Design: Privacy by Design is a philosophy that builds privacy into the technology with which an entity processes data. This approach has also been implemented in the EU as part of the GDPR. Data Fiduciaries are required to prepare a ‘Privacy by Design’ Policy containing the essential features provided under Section 22 of the PDPB, which is to be sent to the Authority for certification. This would ensure greater transparency and accountability.
Section 29 requires the Significant Data Fiduciary to get the policies and the conduct of its processing of data annually audited by an Independent Auditor. Following a Data Audit, a Data Auditor may assign the Data Fiduciary a rating in the form of a Data Trust Score.
4. Data Protection Officer: Section 30 of the PDPB requires every Significant Data Fiduciary to appoint a Data Protection Officer (DPO) possessing such qualifications and experience as may be prescribed by regulations. The DPO’s functions include providing advice and information to the Data Fiduciary on matters relating to fulfilling its obligations under the PDPB; monitoring the Data Fiduciary’s Personal Data processing activities to verify that they do not violate the PDPB’s provisions; and advising the Data Fiduciary on carrying out DPIAs and on developing internal mechanisms that would satisfy the principles under Section 22, etc.
5. Right to Be Forgotten: The Data Principal has, subject to certain conditions, the Right to Erasure of Personal Data which no longer serves the purpose for which it was processed.
Although Data Localization seems to be a crucial policy for ensuring security and the protection of rights in the digital economy by confining data accessibility within territorial borders, it will deal a major blow to the FinTech Industry.
Data Localization will lead to changes in the business models of MNCs, local firms and, most significantly, Start-Ups. These Start-Ups will be unable to choose cost-effective Cloud Service Providers globally and will instead have to look for localized options, resulting in high operational costs and thereby hindering innovation. It will also compel them to undertake product re-engineering based on complex regulations, resulting in higher technical and operational expenses.
In the Financial Services Industry, the PDPB might pave the way for Consent-Based Data Sharing. Due to a lack of data on each individual, financial organizations frequently fail to price risk appropriately. Customers would feel free to divulge Personal Data, as the chances of misuse would reduce if the PDPB is properly enforced, and FinTech companies would be able to better customize their products and services with more data at their disposal. Further, Credit Scoring could be a way of incentivizing FinTech companies to improve their Data Protection Infrastructure with respect to KYC and other Sensitive Personal Data.
FinTech companies operate in a complex environment in which data interacts with various dependencies. Erasing a single data point or data set that forms part of a broader chain of data making up a financial transaction can be difficult. To meet such demands, FinTech firms may need to expand their capabilities, which would in turn involve time and money.
The PDPB has immense potential to prove a game-changer in the Data Protection and Privacy regime. By holding corporations accountable for Data Breaches, the PDPB will increase the pressure on companies to strengthen their security measures. FinTech companies, as potential Significant Data Fiduciaries, should gear up for the upcoming legislative overhaul, given the challenges they will inevitably face.
MEASURES TO SAFEGUARD DATA PRIVACY
FinTech companies should make a continuous effort towards framing policies and measures for Data Protection and Privacy, as these requirements are not a one-time task and need to be constantly upgraded with the changing economic scenario.
The FinTech Industry in India is growing at an exponential pace. However, cybercrimes and cyber-attacks can potentially cause several hindrances in the FinTech market. Although implementing the measures below may be a costly affair, it would help a company flourish in the long run by instilling confidence in the consumer.
Some of the measures can be:
1. FinTech companies should embed Security Protocols as well as Cross-Platform Harmonization into their initial technological design phases. Embedding such measures will mitigate future vulnerabilities such as cross-platform contamination. FinTech Start-ups should further develop and expand their procedural testing and audit processes to be compatible with multiple platforms;
2. FinTech companies should also practise Ethical Hacking, whereby an attempt is made to hack one’s own platform from within the organization, and a reward is given to anyone who spots weaknesses or inconsistencies in the overall code. This furthers the process of internally developing and improving the security of the platform;
3. FinTech organizations should design a definite Cyber-Risk Prevention Framework and ensure its implementation in the company’s daily business operations. This is especially required for FinTech Start-ups, which, owing to a possible lack of requisite capital or infrastructure, are more prone to cyber-security threats;
4. The RBI came up with the “Enabling Framework for Regulatory Sandbox” in 2019, a variation of the UK’s Regulatory Sandbox of 2015. This Sandbox provides FinTech businesses, including Start-ups satisfying certain eligibility criteria such as a net worth of at least INR 2.5 million, a satisfactory Credit Score, demonstrable ability to comply with the applicable Personal Data Protection Laws, adequate IT infrastructure etc., the opportunity to test their products in a controlled regulatory environment.
The Sandbox mechanism was introduced to allow the testing of products and technology which are not currently governed by any regulation, which need certain regulatory relaxations for testing, or which promise to deliver financial services better. These Sandboxes are designed for the short term, so that multiple Sandboxes with various themes such as retail payments, digital KYC, marketplace lending etc. may be operationalized.
The FinTech Sector has been a substantial and direct beneficiary of the rapid digitization and globalization of the Indian economy. However, the benefits of such a massive shift towards digital financial markets have also brought with them increased risks of rampant cyber security attacks, data breaches, etc.
These risks become even more pronounced in the absence of a specific, exhaustive and stand-alone legislation on Data Privacy in India. GDPR, with the example it has set globally, has influenced the upcoming PDP Bill to a very large degree. In particular, the importance of Data Localization, especially from the point of view of the FinTech Sector, has finally been acknowledged in the PDP Bill.
In order to keep the current streak of growth going, players in the FinTech Sector must make continuous efforts through data privacy policies and measures, since cybercrimes and cyber-attacks can potentially cause several hindrances to the FinTech market.