Data PrivacyFinTechThe Digital Personal Data Protection Bill, 2022 – Its implication on Fin-Tech Companies in India

INTRODUCTION

The Fin-Tech Sector of India in the past few years has witnessed an exponential growth, as a result of  rapid advancement in technology coupled with India’s profound customer demand, diverse capital flows, higher tech savvy personnel and enabling framework policy.

In India, today Fin-Tech pose a great challenge to the traditional financial infrastructure as more and more traditional services shift towards a new technological paradigm such as, using a Payment Apps or E-Wallets instead of traditional cash payment options and with the rapid shift in digitization, use of consumer data collected, while using the digital services has become a widespread practice to analyze consumer spending patterns and liking trends as well as to deduce market predictions.

Especially with the rise in popularity of contact-less payments post COVID-19 and the cessation of charging commission on UPI transfers, the data generated though e-payments systems make Fin-Tech companies no less than owners of gold mines of the sensitive personal data of its consumers.

Therefore, despite the plethora of opportunities that Fin-Tech offers for the financial sector, considering the mammoth amount of data Fin-Tech companies collect, it also faces various challenges in terms of privacy, consumer protection, transparency, data security and cyber security.

India currently does not have a standalone codified law, so far as Data Protection and Privacy are concerned. Thus, with regard to Data Protection, the FinTech Industry is primarily governed by the IT Act and the IT Rules, 2011. However, the Ministry of Electronics and Information Technology (“MeitY”) considering the urgency for a codified law has released the first draft of the Digital Personal Data Protection Bill, 2022 (“the Bill”).

In this article, we attempt to analyze the Bill, 2022 and what will be its implication on the Fin-Tech Sector in India.

THE SEVEN FOUNDATIONAL PRINCIPLES OF THE BILL

The Bill is primarily based on the following seven aspects, keeping in mind the global standards of data privacy:

1. The Personal Data should be used by organizations in a manner that is lawful, fair to the individuals concerned, and transparent to individuals.

2. The personal data should be used for the Limited Purposes for which it was collected.

3. That only Limited Data shall be collected that is necessary for attaining a specific purpose.

4. That reasonable effort should be made to ensure that the data of an individual is Accurate and kept up to date.

5. That data shall be stored only for a Limited Duration, which is necessary for the stated purpose for which personal data was collected.

6. That Reasonable Safeguards shall be taken to ensure that there is no unauthorized collection or processing of personal data.

7. That the person who decides the purpose and means of processing personal data should be Accountable for such processing.

THE SCOPE

The new revamped Bill, 2022 is being propped by the Indian legislators to become the Magna Carta of internet laws and internet-based activities. Its predecessor was withdrawn as a result of uproar from both businesses as well as Civil Society Groups for being overly convoluted for the former and being too lenient in terms of government access to the user data for the latter.

The Bill would be applicable only to handlers of Personal data, this is defined under the Bill as ‘any data about an individual who is identifiable by or in relation to such data’.

Depending on the nature of the Fin-Tech company they would face different obligations under the Bill, as a company providing the service of being an investment platform, which merely gives general financial advice, could be treated as Data Processor while a company that directly deals in money lending services and requires crucial personal details would be treated as a Data Fiduciary.

However, since nearly all Fintech companies require some form of KYC information (storing financial data, ID card verification, face verification, document verification) thus all such companies would be classified as a Data Fiduciary and would have to abide by the following provisions of the Bill.

THE IMPLICATION

A. No sub-division in type of Data

Unlike the earlier Draft which bifurcated data into various subcategories such as Personal data and Sensitive Personal Data. Furthermore, the earlier sub-divisions for Health data and genetic data also mandated a higher standard of regulations for the Data fiduciaries.

However, no such division exists in the Bill, 2022, as it unifies both into Personal Data. Therefore, in light of the the new regime, which is much simpler and Fin-Tech companies would not be required to comply by extra-strenuous security.

B. Informed Consent

The main feature of the Act which till now has been missing in the Indian IoT is that the Data Principles would have a substantial amount of control on the use of the data provided to the Data Fiduciaries and Data Processors.

Section 6 of the Bill, 2022 mentions that every Data Principle must be given a Notice. This Notice should contain:

• A description of personal data sought to be collected by the Data Fiduciary in clear and plain language containing, and

• the purpose of processing of such personal data

Thereafter, Section 7 of the Bill mandates that explicit consent is taken of the Data Principle before any personal data is collected from them. The consent should be freely given, specific, informed and should unambiguously indicate the Data Principal’s wishes to impart their personal data for the specified purpose.

In view of the above, Fin-Tech entity operating in providing Digital Insurance would need to confirm the health and medical details of the Data Principle to adequately conduct risk assessment. Thus, in such cases, the Company should clearly communicate how and why the data is going to be used.

Furthermore, in addition to the above, wherever such compliance is necessary, such request for notice shall also be accompanied with the contact details of the Data Protection Officer.

C. Significant Data Fiduciaries

Section 11 of the Bill gives the government the power to notify any Data Fiduciary as a Significant Data Fiduciary. The determinants for this title would be factors such as the volume of data they use, the potential for harm in case of misuse etc.

Therefore, it is likely that most of the of large Fin-Tech companies, are likely to be classified as Significant Data Fiduciaries. These entities attract larger compliance requirements such as:

• Appointing a Data Protection Officer;

• Appoint an Independent Data Auditor; and

• Undertake Data Protection Impact Assessment and periodic audit, as and when required by the Government authority.

D. Extra Territorial Application

Unlike the previous Data Protection Bill, 2019, the new Bill doesn’t mandate the storage of Indian data exclusively in domestically located data centers and instead gives the government the liberty to notify any other countries and territories outside India to which data could be transferred and stored in.

Naturally, with this, the mandate of the Bill, 2022 has been explicitly extended to territories outside India in case the data of an Indian Data Principle is used in ‘Profiling’ i.e., defined in the Bill under Section 4(2) as the act of processing the data collected to predict and analyze attributes of the Data Principles interests, likes and behaviors.

This removal of the restriction of storing Data exclusively in India, will be considered as a welcoming step, as it will help companies in saving huge cost with respect to the establishment of their specific data embassies in India, and periodic compliance to be undertaken by such companies for management of such data. This step will help flourish the Fin-Tech Sector of India. However, in the absence of a robust framework, concerns with respect to data privacy will still persist.

E. High Penalties

The Data Fiduciaries i.e., Fin-Tech companies that deal with the data of customers may be subject to fines of up to Rs. 250 Crore if such Data Fiduciaries do not take reasonable precautions to avoid data breaches. Penalties are anticipated to differ depending on the type of non-compliance by the Data Fiduciaries.

In addition to above, the Data Fiduciaries that do not inform those affected by a data breach risk, a penalty up to Rs. 200 Crore shall be imposed on them. Furthermore, the Data Fiduciaries who fail to protect the personal information of children and fail to fulfil obligations in relation to children could also face penalty up to Rs. 200 Crore

AMLEGALS REMARKS

The FinTech Sector has immense potential in driving India’s economy, especially given the predicted valuation of these companies by 2025. However, one of the major hindrances in the growth of the FinTech Sector is the rising privacy concerns all the more amplified by the lack of a codified Data Protection and Data Privacy Framework in India.

The proposed data protection scheme has been made simpler by the Bill, which also eliminates some problematic provisions that were objected to in earlier drafts. The legislative goal appears to be to support cross-border data flows while being favorable to the Fin-Tech companies.

Although, at this juncture it seems the provisions in the Bill are clear, their implications on the Fintech sector, which is extremely heavy in its use of consumer data, are yet to be seen. The new draft seems to achieve the balance of user safety and ease of doing business however, the final impact can only be anticipated ones the Bill comes into effect and the conflicts arising therefrom can lead into interpretations of the compliance needed to be abided by the Companies.

– Team AMLEGALS, assisted by Mr. Jason James (intern)

For any queries or feedback, please feel free to get in touch with tanmay.banthia@amlegals.com or mridusha.guha@amlegals.com.