Safeguarding Data amidst Finances: Analyzing Interface between DPDPA and BFSI Entities
- Ayushman Rai
[Ayushman is a student at National Law University Jodhpur.]
The Indian experiment with the right to privacy reached its tipping point in the KS Puttaswamy judgement, where the right was enshrined under the ambit of Article 21 of the Constitution of India. In compliance with that judgement, the nation has undertaken large strides of progressive change, which inter alia include the Digital Personal Data Protection Act 2023 (DPDPA / Act). With the specific objective of securing and supervising the transfer of data, the Act emerged as a first-of-its-kind comprehensive framework spanning all sectors. Given its holistic nature, its interaction with different sectors is varied. This article looks into one such interaction, with the Banking, Financial Services and Insurance (BFSI) sector. It delves into the categorization of BFSI entities under the DPDPA and their supplementary obligations, while also examining the interplay with sectoral regulations.
Background: The Genesis of DPDPA
The DPDPA was the culmination of the battle for securing digital privacy, which kicked off nearly half a decade ago. The question of the right to privacy was answered once and for all in KS Puttaswamy. The ambiguity seen in previous judgements about the status of the right to privacy was resolved, and the right was given constitutional recognition. The upshot of this was the establishment of the BN Srikrishna Committee to deliberate on a “data protection framework”. The committee submitted a draft bill on personal data protection, which was referred to the Joint Parliamentary Committee and later withdrawn, to be revamped before it took its present form as the DPDPA. The bill was tabled again before Parliament and passed expeditiously this time.
Based on the ‘fiduciary relationship’ between the individual and the service provider, as termed by the Committee, the bill focused on balancing the interests of both, while casting an obligation on the service provider to ensure ‘fair and authorized’ use of the data. Though devoid of a preamble, the Act enshrines this objective in its introductory paragraph. The use of ‘she/her’ throughout the Act, instead of the conventional ‘he/him’, is another example of its legislative novelty.
The Stakeholders and Balancing Interests
In pursuit of a privacy-based framework, the Act stipulates the unconditional ‘consent’ of the individual whose data is being processed, i.e., the data principal, as a precursor to allowing the service provider to process the data. However, the Act refrains from making consent an absolute prerequisite, and allows an exception in cases of ‘legitimate use’, which inter alia include grounds such as the sovereignty and integrity of the nation, a medical emergency, compliance with a judgement or decree, a breakdown of public order, etc. Hence, the satisfaction of one of these two prerequisites must be proved in order to process personal data. The Act provides several rights to the data principal, including the right to access information about how her personal data is being processed, the right to correction and erasure of inaccurate or outdated data, and the right to withdraw consent at any time, which obligates the data fiduciary to cease further processing. The Act also grants data principals a right to grievance redressal, allowing them to complain if their rights are infringed or if there is a default in the processing of their personal data. Such provisions tip the balance of power in favour of the individual, imposing heavy accountability on organizations.
On the other hand, there are two stakeholders on the service-provider side: the data fiduciary, who determines the ‘means and purpose’ of processing the personal data; and the data processor, who processes the data on behalf of the data fiduciary. Although the two overlap, there is a thin line of difference, as the role of the processor commences only after delegation by the fiduciary.
A third stakeholder can also be carved out, in the form of significant data fiduciaries (SDFs). An SDF is simply a data fiduciary which, by virtue of the scale, nature, and impact of its data processing operations, is deemed to have an amplified impact on data protection risks and is thus subject to more stringent supervisory control. Although the designation lies in the discretion of the government, certain factors are listed for consideration, such as the volume and sensitivity of the data, the risk to the rights of the principal, sovereignty, etc. SDFs have a higher threshold of obligations than an ordinary fiduciary, such as the appointment of a Data Protection Officer and an Independent Auditor.
Nexus with the BFSI Sector
The plethora of financial services provided by companies is collectively termed BFSI, which mainly includes insurance, commercial banking, mutual funds, pension funds, etc. BFSI comprises a major chunk of the services sector and contributes around 27% to the GDP. Growing digitalization and reliance on AI further strengthen the prospects of this sector. The key regulators of this sector are the Reserve Bank of India (RBI) for banking, the Insurance Regulatory and Development Authority of India (IRDAI) for insurance, and the Securities and Exchange Board of India for the capital market and mutual funds. While these regulators have supervised the functioning of BFSI entities, including in relation to data processing, the enactment of the DPDPA extends a further framework of protection to them.
The Obligations for the BFSI Entities under DPDPA
The wide ambit of the financial sector makes its categorization under the Act unavoidably complex. The nature of their operations leaves BFSI entities open to qualifying as any of the stakeholders under the Act, so their obligations cannot be fixed in advance.
BFSI as data processors
Within the financial ecosystem, outsourcing is a widespread phenomenon; for instance, calculations are usually carried out through algorithms, which can be an outsourced function. In essence, this means a delegation from another firm to process its data for a specified and determined purpose in which the delegatee has expertise. Thus, where a BFSI entity plays the mechanical role of processing the data as a delegatee, without any role in determining the purpose or means, it qualifies as a processor. Processors exist mainly to guarantee data security and confidentiality, but they do not bear the obligations relating to users' access rights, purpose-limitation statements, or consent procedures. They are subject only to the contractual duties imposed by the data fiduciary. This differentiation eases compliance for service providers functioning as processors and reflects their restricted role in controlling the data lifecycle. As a data processor, the entity will have the fewest obligations, as the Act does not lay down any specific guidelines for processors.
BFSI as data fiduciaries
Usually, BFSI entities collecting data for their services will be termed data fiduciaries, unless they play the role specified in the preceding paragraph. Nonetheless, a generalized inference cannot be drawn, and a factual analysis needs to be undertaken on a case-by-case basis, which may take into account factors such as control over the data, the origin of the data, the processing arrangements, the relevant contractual obligations, etc. Once an entity is found to be a data fiduciary, the general obligations are attracted. These include complying with the Act, ensuring the accuracy and consistency of the data, taking reasonable security safeguards to prevent a breach, intimating a breach, and erasing the data on withdrawal of consent or on satisfaction/extinguishment of the specified purpose.
BFSI as SDFs
The Act does not provide any hierarchical classification of data for protection based on its sensitive nature. However, this is compensated for by the classification of fiduciaries and their respective obligations. The collection of financial details, such as biometrics, Aadhaar, or the Personal Account Number, for credit approvals or Know Your Customer compliance amounts to sensitive information, rendering the rights of the data principal vulnerable. Therefore, the likelihood of a class of BFSI entities, or an individual BFSI entity, being notified as an SDF is not far-fetched.
SDFs have to comply with a higher threshold of obligations in addition to the general ones. First, a Data Protection Officer must be appointed as the accountable representative of the SDF. Secondly, an independent data auditor is required to conduct audits to ensure compliance. Thirdly, a data protection impact assessment must be carried out routinely.
Who Takes Precedence from the Perspective of Sectoral Regulations?
The regulators in the BFSI sector have come up with various regulations and notifications, such as the RBI’s Cyber Security Framework in Banks circular and the IRDAI (Maintenance of Insurance Records) Regulations 2015, in an attempt to prevent misuse and breach, while also mandating secure data processing. These were in compliance with the Information Technology Act 2020. However, unlike any pre-existing enactment, the DPDPA is oriented towards the rights of individuals, rather than merely providing for supervision over the entities. The Act asserts its precedence over any other existing law in case of a conflict. However, an assertion that there exists a conflict between the sectoral laws and the Act may be unfounded. Rather, a strong case can be made that the Act complements the sectoral laws.
The example of cross-border transactions
The DPDPA, while allowing foreign transfers, discourages them and authorises the government to restrict them at its discretion. Moreover, it gives precedence over the DPDPA to any other law that provides a ‘higher degree of protection’ against the transfer of personal data outside India. The BFSI sectoral regulations perform this very function by legally mandating data localisation. Thus, the sectoral regulations hold greater relevance for foreign transfers.
The consent managers
The DPDPA introduces the consent manager as a point of contact through which the data principal exercises control over the data she has consented to have processed. While intended to protect the rights of the data principal, the addition is not a novel one, as the BFSI sectoral laws had already envisioned and implemented the same idea as account aggregators, introduced for NBFCs. These were appointed intermediaries to ensure that users retain control over their data while allowing it to be processed smoothly. This is another testament to the complementarity between the sectoral regulations and the Act.
Thus, while the Act provides an overarching framework that holds precedence, a conflict is unlikely to arise, for the BFSI sectoral regulations act in tandem with the Act’s objective.
The Way Forward: Assessing Implications
While the obligations may differ to a certain extent based on the categorization of the service provider, the essence of the operation remains intact through the twin requirement of serving a notice specifying the purpose, and obtaining a clear affirmative action signifying specific consent. BFSI organizations will have to obtain express, well-informed, and precise consent from clients prior to collecting or processing their personal data. This is especially daunting for an industry accustomed to relying on sweeping, blanket consent provisions included in onboarding materials. These consent systems must now be reformed and made more detailed, particularly on online platforms, so that individuals are explicitly made aware of how their information is going to be utilized and for precisely which purposes. As a data fiduciary, these obligations might significantly impact operational efficiency and cross-selling and marketing strategies. The requirement of specific consent would limit BFSI entities from sharing data across their subsidiary networks to promote services like insurance and mutual funds without explicit notice and the subsequent consent of the data principal.
Secondly, the Act presumes an established framework for obtaining consent throughout the country across all sectors. The BFSI sector, in particular, still has a large part of its operations managed and run offline, through branch-based interaction with consumers, especially in rural or suburban areas. Mere statutory provision cannot suffice; implementation through adequate outreach mechanisms is needed as a supplement.
Thirdly, the status of cross-border data transfers is also affected by the Act. Although the Act permits personal data to be transferred to countries that are ‘trusted’ by the Indian government, global financial networks must scrupulously review their data storage and processing arrangements. This could mean relocating data centres or renegotiating data processing contracts, particularly for offshore data handling by international banks and insurers. Moreover, the emphasis on data localization, corroborated by sectoral laws, has further complicated the equation for BFSI firms dealing internationally.
The emphatic reliance on transparency, while commendable on the face of it, must be matched by feasibility. Given the specific nature of consent, an established and smooth mechanism for seeking or revoking consent for an uncontemplated purpose is necessary. Moreover, the power of revoking consent in the hands of the data principal places an onerous burden on the data fiduciary to use and track data meticulously. The importance of proper record-keeping cannot be overstated. The Act imposes strict deterrence through severe penalties, reaching as high as INR 250 crores. Such heavy fines for non-compliance, without a meticulous framework for ground-level implementation to ensure compliance, only add to the onus on service providers on top of the sectoral compliances.
Conclusion
The DPDPA sets the pathway for establishing an unprecedented data protection regime which had long been lacking. The vision set out in Puttaswamy appears to be manifesting soon. However, the framework will be tested on the touchstone of feasibility when applied to diverse sectors.
Although the DPDPA encourages enhanced trust between consumers and financial service providers, it also brings heavy compliance burdens. From rebalancing consent mechanisms and revamping IT infrastructure to managing third-party risk and honouring data principal rights, BFSI organizations have to invest in structural, procedural, and technological transformations. Additionally, the likelihood of severe monetary penalties emphasizes the importance of sustained, feedback-based compliance.
This article focused specifically on the interaction with the BFSI sector. Several problems may crop up in sector-specific implementation, some of which may be unforeseeable at present. The success of the framework can only be ensured through a recurrent, effective and smooth response mechanism for dealing with the challenges specific to each sector. The Act alone does not finish the job; the government must follow up diligently to ensure effective ground-level implementation, or else the framework will never see daylight.