[Varuni is a student at Gujarat National Law University, Gandhinagar.]
India has proposed the latest Digital Data Protection Bill 2022 (DDP or Bill). Through this Bill, it has sought to define the scope of digital data protection before proceeding with legislation encapsulating the entire data protection regime. However, it would be untrue to state that digital data is unregulated territory. Apart from sectoral regulators, several central legislations already regulate digital data.
The framework for the protection of digital data is currently governed by the Information Technology Act 2000 (IT Act) along with the rules and regulations framed under the Act. The IT Act, read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI Rules), categorises financial data as sensitive personal data. Accordingly, corporate bodies dealing with such data are required to maintain a basic minimum standard of privacy and to obtain the data provider's consent after clearly stating the reasons for collecting the data. As far as the transfer of data to third parties under the SPDI Rules is concerned, the transferee is required to follow a standard of protection similar to that prescribed under the Rules.
Under the current framework, there is no single standardised regulator in the area of data protection. This creates hurdles to the implementation of data protection rules, as they are applied inconsistently. Therefore, the various sector regulators have taken it upon themselves to regulate the flow of data within their respective jurisdictions. Regulators such as the Securities and Exchange Board of India, the Insurance Regulatory and Development Authority of India, and the Reserve Bank of India (RBI) have framed rules with which the organisations falling within their purview must comply.
In an effort to curb these problems, the stakeholders called upon the government to legislate an all-encompassing law for data protection. After several failed attempts, the government proposed the DDP. The present article attempts to look at the regulatory framework for the financial sector in the upcoming data privacy regime.
CURRENT DATA PRIVACY FRAMEWORK IN THE FINANCIAL SECTOR
In the case of the financial sector, the RBI acts as the sector regulator for banks, Non-Banking Financial Corporations (NBFCs) and all other miscellaneous and residuary financial companies. In the absence of a data protection law, the RBI also acts as the enforcer of data protection guidelines in the sector. In this regard, the RBI has issued various guidelines for the protection of financial data. These include the Master Directions on KYC, the Master Circular on Customer Service in Banks, the Master Circular on the Issuance of Credit and Debit Cards and many other such directives.
Many of these directions have been framed keeping in mind the requirements of financial institutions and the need to protect the customers of this sector. Some directions are far more elaborate than the SPDI Rules. As recently as 2021, the RBI, in its circular on data storage by payment aggregators, made it mandatory from June 2022 to shift to tokenisation technology, which bars the entities in the payment chain, apart from the card networks, from storing actual card details. Earlier, in March 2020, the Guidelines on Regulation of Payment Aggregators and Payment Gateways (Aggregator Rules) had mandated payment aggregators to implement data security standards, prescribing thereunder the requirement of cyber security audits and reports and the framing of an IT policy. These directions have had a major impact in the form of increased compliance costs for lending startups. Several major merchants have also expressed concerns about the limitations of the payment networks' tokenisation and its impact on the consumer payment experience. Previously, merchants were able to store card numbers in order to inform customers about available offers, but this is no longer possible under tokenisation.
A challenge faced since the privatisation of banks has been the lack of penetration of formal lending into the interiors of India. Today, however, there are various new-age players in the lending sector catering to the unbanked population. A major hurdle for these institutions is that they have to navigate a complex regulatory framework while expanding their businesses. Under the Digital Lending Guidelines 2022, it is mandatory for lending applications to report the data they collect to the Credit Information Companies. NBFCs also need to comply with the 2017 framework, which requires them to deploy IT infrastructure covering operations, cyber security and outsourcing. These steps have been taken to ensure that the RBI is aware of any misappropriation or misuse of data. However, they have further increased compliance costs for lending startups and made it obligatory for them to transfer lending contracts from their platform businesses to their NBFCs.
THE DDP AND THE FINANCIAL SECTOR
The Bill is aimed at solving the issues of data protection and providing a unified general framework of protection. The Ministry of Electronics and Information Technology has stated that specialised notifications issued by sector regulators will take precedence over the provisions of the Bill, which leads to ambiguity in certain areas. A series of discrepancies emerges as one moves from sector to sector, as each is regulated by a different body.
The earlier version of the Bill, i.e. the Personal Data Protection Bill 2018, included a provision for memoranda of understanding with the sector regulators, demarcating their respective areas of regulation and control. The Bill, along with several earlier sets of rules, has created inconsistencies resulting in a complex regulatory structure. Under the present framework, there is a multiplicity of authorities, producing a structure that mandates parallel compliance with several of them. This is extremely difficult for startups and MSMEs to achieve. Most startups have limited resources to spare, and having multiple regulators increases compliance costs for small businesses. The Bill envisages a system that can hinder the development of the digital market and seriously affect the startup ecosystem. Small businesses have already demanded relaxed rules and longer time frames to comply with the new set of rules imposed by watchdogs like CERT-In.
In the earlier versions of the data protection bill, a heavily criticised move was the localisation of data. In the current framework, the government has dropped this controversial clause. However, due to the lack of sectoral uniformity in the Bill, relief from these restrictions would not be available to most verticals in the financial sector. The Aggregator Rules, along with other directions, require all banks and payment system providers to localise payment transaction data in India and restrict the storage of such data outside India. The underlying rationale is that India loses control over such sensitive data when it is stored abroad, with a resultant increase in the possibility of a data breach. It is important to note here that data localisation does not in all instances guarantee security and privacy; it allows for more stringent regulatory oversight only when the encryption keys are available in India.
There are certain instances where the Bill creates authorities that parallel existing ones. For instance, the Bill makes it compulsory to appoint consent managers, who are to be registered with the Data Protection Board. Yet in the financial sector, the Account Aggregators already regulated under the RBI's rules are in reality consent managers who also handle data portability. Another instance is the grievance redressal system: under the DDP regime, a person may approach the authority after 7 days of non-acknowledgement of the grievance, whereas under the newly created ombudsman regime of the RBI, a customer can approach the ombudsman only after 30 days without a response from the institution.
The present framework has the potential to create an environment that consumes considerable resources of economic policymakers and hampers market development. A fragmented set of regulators has created problems the world over, including in the USA. In the absence of a federal law on data protection there, multiple legislations and bodies govern data, each with distinct compliance requirements that create confusion and hinder financial inclusion. Research by the Financial Stability Institute has noted that developed countries, instead of having specialised agencies, follow a single regulatory model for the financial sector. Experts have opined that in countries like India, where the central bank is an independent body, it would make far more sense for the central bank to assume a greater role in regulation than the other bodies.
Currently, the NBFC structure is reaching out to the unbanked sections of society. Undoubtedly, there is increased evidence of predatory marketing that exploits the unawareness of these populations. While privacy will only be ensured through these compliance mechanisms, it is also important to underline that privacy breaches are most often the result of human handling errors. The multiplicity of authorities only creates more difficulty when it comes to securing data and ensuring privacy. There is a need for a regulatory infrastructure that allows for the continuous transfer of data and coordination between authorities. In the case of financial institutions, there is a need to understand and prioritise the health of new-age startups that are totally dependent on data to oil their machinery.
Perhaps the right way of enforcing the mechanism would be to adopt a structure similar to the regulatory sandbox run by the RBI. The regulatory sandbox is a system in which institutions can develop products and test them under a lighter regulatory burden. The technique has been successful in guiding new-age fintechs towards the right innovations while keeping the interests of the consumer at the centre. The regulator has also benefitted, coming to understand that regulations at times act as a hindrance to the growth of the industry. Creating a coordinated sandbox collaboration between authorities can help reduce duplication and confusion for entities in the sector. There is sufficient evidence to show that where a regulatory framework is needed without hindering the ease of doing business, sandboxing systems enable the building of sound regulatory practices.