The India Policy Series: Analysing the 2022 Digital Personal Data Protection Bill


Contributed

This content is contributed or sourced from third parties but has been subject to Finextra editorial review.

India’s journey towards a dedicated privacy law started with the Puttaswamy judgment in 2017, which recognised privacy as a fundamental right under the Constitution of India, and expressed the need for a comprehensive data protection regime in the country.

After extensive public debate and discussion, the draft Personal Data Protection Bill, 2019 (the former PDP Bill) was withdrawn by the Ministry of Electronics and Information Technology (Meity) in 2021. A new, simpler version, the Draft Digital Personal Data Protection Bill, 2022 (DPDP Bill), has been issued. Industry feedback has been invited until the 17th of December, 2022.

How Indian and foreign fintech companies are impacted by the DPDP Bill

Fintech companies, Indian and international, will fall within the scope of the DPDP Bill. Currently, the primary privacy regulations applicable to fintech companies in India are scattered sectoral regulations with privacy and confidentiality obligations, issued by the various financial regulators in the country. The Information Technology (Sensitive Personal Data or Information) Rules, 2011 (the IT SPDI Rules), issued by Meity under the Information Technology Act, 2000, also apply to all body corporates within India, including fintech companies. While under these rules financial information is classified as ‘sensitive personal data or information’ (SPDI) and thus subject to enhanced protections, the proposed DPDP Bill does away with this distinction. Instead, it applies uniformly to ‘digital personal data’, removing the earlier distinctions of sensitive and critical personal data.

While the DPDP Bill does contain separate provisions for children’s data (such as parental consent), it adopts the approach of identifying and notifying ‘significant data fiduciaries’, for which enhanced obligations will be prescribed, including conducting independent data audits and carrying out data protection impact assessments. Therefore, Indian and foreign fintech companies will need to ensure that their data processing activities which take place in India, or which target people in India, are compliant with the DPDP Bill.

The DPDP Bill excludes some categories like non-automated processing, offline personal data, personal and domestic use, and personal data in records that are over 100 years old. The DPDP Bill, while having only 30 provisions compared to 98 in former versions, covers:

  • Extra-territorial application: This applies to any ‘digital personal data’ processing within India, and also to such processing outside India if in connection with profiling of or in relation to offering goods and services to data principals (the equivalent of data subjects) within India.
  • Notice and consent: Notice must be provided in English and in any other language specified under the Indian Constitution. Consent, as is typical of data protection laws, must be freely given, specific, informed, and unambiguous, and must be provided via a clear affirmative action. Data principals will have the right to withdraw consent.
  • Non-consent-based processing: Exceptions to consent, which the DPDP Bill terms ‘deemed consent’, are specified, allowing non-consent-based processing in cases of voluntary submission of digital personal data to a data fiduciary, for processing required to perform a function under a law, to comply with a judgment or order, for employment and related purposes, in the public interest (such as fraud prevention, credit scoring or M&A), and for reasonable purposes which will be prescribed. These are important exceptions which many businesses will turn to for the processing of data.
  • Consent managers: Consent managers registered with the Data Protection Board of India (the Board) will act on behalf of the data principals to help them give, review, and withdraw consent. India already has some consent managers via the Account Aggregators (for financial data sharing between regulated entities), which also manage data portability.
  • Data fiduciary obligations: Basic data fiduciary (the equivalent of a data controller) obligations are imposed which will apply to companies processing ‘digital personal data’, such as an obligation towards data quality, a requirement for technical and organisational measures, data breach notifications, limitations on data retention, grievance redressal requirements, and rules for transfers to data processors. A Data Protection Officer must be appointed. Significant data fiduciaries will have enhanced obligations and will be notified by the central government based on factors such as the volume and sensitivity of personal data processed and the risk of harm.
  • Data principal rights: Rights such as the right to information, to correction, and to grievance redressal are included, while other rights (such as the right to be forgotten) have been excluded. The right to withdraw consent and the right to notice are discussed above.
  • Cross-border data transfer: The earlier mandates for data mirroring and data localisation under previous versions have been replaced with a white-listing process. The central government will notify countries and territories outside India to which personal data may be transferred.
  • Data Protection Board of India: The Board will be appointed by the central government to carry out functions such as determining non-compliance, imposing penalties or directing measures to be taken in case of a breach, together with any other obligations imposed on it by the central government. Appeal from a decision of the Board will lie to the High Courts.
  • Penalties: The penalties for non-compliance are as prescribed in the Schedule, up to Rs. 500 crore per instance. For example, failure to take reasonable security safeguards attracts a penalty of up to Rs. 250 crore, while non-compliance by a significant data fiduciary attracts up to Rs. 150 crore.

Conflict with sectoral law

The IT SPDI rules also apply to fintech entities. Apart from this, there are numerous sector specific privacy regulations (such as telecom, financial, health). Examples in the fintech sector include the recent Digital Lending Guidelines, the Account Aggregator Framework, and the Digital Payment Security Controls. General confidentiality provisions also exist, such as RBI obligations which require banks to ensure that customer consent is present before data is disclosed.

Fintech innovation necessitates coordination and cooperation not only across financial regulators (insurance, pension, securities and banking), but also with other sectors such as telecom (for OTT services, for example) and with Meity. The former PDP Bill allowed the Data Protection Authority of India to enter into Memorandums of Understanding with other regulators and authorities to ensure regulatory coordination. The current DPDP Bill, while an overarching regulation, results in a similar conflict with sector-specific regulations.

The Explanatory Note to the DPDP Bill issued by Meity provides clarity here, specifying that where the two conflict, the DPDP Bill will yield to the extent of such a conflict and the sectoral regulation will prevail. Regardless, the final data protection regulation will call for a sector-wise review of its application, the conflicts arising, and the interpretation required to allow compliance by financial entities. A particular conflict can arise where the sectoral regulation expressly permits more relaxed privacy protections as compared to the DPDP Bill, though in most cases it will be the opposite, with the sectoral regulation prescribing more stringent protections.

Examples of some conflicts are:

  • Data retention: The DPDP Bill allows data fiduciaries to retain personal data as long as required for business purposes. It draws the standard exception to retention or withdrawal of consent requirements to allow retention as required under another law. For example, under the Prevention of Money Laundering Act, 2002, transaction records are required to be maintained for at least five years. Turning to sector-specific regulation, the Digital Lending Guidelines require regulated entities to frame policy guidelines in relation to storage of data, including the type of data and the length of time for which the lending-related data can be stored.
  • Consent requirements: The Digital Lending Guidelines require regulated entities to obtain the prior and explicit consent of the customer for any collection or processing of their personal data, leaving an audit trail. The Peer-to-Peer Lending Master Directions, 2017, on the other hand, prescribe explicit consent for accessing a participant’s credit information. Here, for example, the deemed consent allowed for the voluntary provision of data under the DPDP Bill will not suffice.
  • Cross-border data flows: The Bill prescribes that personal data can be transferred outside India to notified jurisdictions. However, the RBI notification on Storage of Payment System Data, dated April 6, 2018, read with its FAQs, requires system providers to store data relating to payment systems only in India. The Digital Lending Guidelines as well as the Payment Aggregator Guidelines, 2020 also require that all digital lending and customer-related data be stored only on servers located in India. Regulated entities will need to ensure that any cross-border transfer of data complies not only with the requirements under the DPDP Bill (such as the territory in question being white-listed) but also with these regulations.
  • Grievance redressal: In terms of remedial measures, many RBI regulations, such as the Payment Aggregator Guidelines, contain mandates in relation to customer grievance redressal. Under the RBI Integrated Ombudsman Scheme, 2021, customers can approach the Integrated Ombudsman for the redressal of their grievances after 30 days of not receiving a reply from the regulated entity, or upon dissatisfaction with the resolution provided by the regulated entity. However, the DPDP Bill allows customers to approach the Board within 7 days of non-receipt of a reply from the concerned data fiduciary, and shorter periods may also be prescribed. Here, the RBI-provided period should prevail.

For a full discussion on the latest policy developments each month, do check out Cashfree Payments’ Policy Radar.


Sponsored

This content has been created by the Finextra editorial team with inputs from subject matter experts at the funding sponsor.