Data Protection for India’s FinTech @Digital Personal Data Protection Act, 2023

Author: Jayshree Chandra, Senior Partner & Divij Poddar, Associate at ZEUS Law

Published in https://www.asiancommunityne

For half a decade, the Indian policymakers have deliberated on data legislation. Finally, the fourth iteration of the data protection bill received the President’s assent on 11th August 2023 – the Digital Personal Data Protection Act, 2023 (the Act). It is lean, principle-based, and unquestionably essential – its urgency could not have been overstated.

Among the most thriving sectors in the Indian economy is the FinTech ecosystem, a data behemoth. Initially included in the definition of sensitive personal data, financial data remains one of the most vulnerable datasets in the world. Independent of a legislative framework, the RBI has stepped up as an effective regulator for financial data for FinTech players and its regulated entities. RBI regulations and compliances, inter alia, include RBI’s guidelines on digital lending, which promote transparency, data minimization and purpose limitation; the notification on storage of payment system data, which mandates data localization; and the notification restricting the storage of actual card data by entities other than card issuers and card networks.

As per the Act, the following two entities handle data:

  1. Data fiduciaries: those who are entrusted with the data of the data principals and shoulder the entire liability under the Act; and
  2. Data processors: those who process the data on behalf of the data fiduciaries and undertake mere contractual obligations against the data fiduciaries.

In the FinTech ecosystem, the entities must first know whether they are a fiduciary or a processor. Many FinTech companies perform neobanking activities while also acting as service providers to banks/non-banks. The distinction between the two is activity-specific and depends on who is processing or merely collecting data; therefore, one must understand what kind of entity they are before streamlining and setting up processes for complying with the Act. For instance, when a service provider handles the bank’s customers’ data on behalf of the bank, it functions as a processor, while on the other hand, the provider will act as a fiduciary when it collects its own employees’ data, whether to train and educate its AI model or for any other permitted purpose.

While the Act has an entire chapter dedicated to data fiduciaries, it is largely silent on the obligations of the data processors simply because, as per the Act, they bear minimum to no liability. This overlooks a crucial aspect, considering that ultimately, it is the processors who are entrusted with the principal’s data by the data fiduciaries as long as the principals have consented to it (which they can withdraw at any given point). The Act leaves it to the fiduciary and the processor to determine their obligations and duties in the form of a service or outsourcing agreement or any other valid contract.

Another important feature of the Act is the recognition of consent managers. This is a person who is registered with the data protection board and acts as a single point of contact to enable a data principal to give, manage, review, and withdraw her consent through an accessible, transparent, and interoperable platform. Account aggregators of the FinTech ecosystem may be regarded and included within the definition of consent managers as provided under the Act. These are data-blind consent managers that enable consumers and enterprises to move their data between two financial institutions/platforms, enabling them to leverage the potential of aggregating and combining fragmented and siloed financial data from consumers nationwide. Simply put, they allow consumers to access their financial accounts securely and efficiently, in one place, without having to log in to multiple platforms to view and manage their accounts. Therefore, read with RBI’s Master Direction on Account Aggregators, 2016, the account aggregators will also come under the purview of the Act, within the meaning of consent managers. The rights and obligations of the consent managers are yet to be ascertained as rules in this regard are still awaited.

The Act marks a significant stride forward for India’s data protection landscape. While the Act addresses a crucial need for safeguarding personal data in a rapidly evolving digital era, its implementation will require a nuanced understanding of roles and responsibilities, particularly within the FinTech ecosystem, as well as a proper review of the rules and regulations that will be prescribed by the Central Government. The Act’s recognition of data fiduciaries and processors, along with the innovative concept of consent managers, underscores the importance of transparency, accountability, and user control over their data. As the FinTech ecosystem continues to flourish, the Act’s provisions will undoubtedly play a pivotal role in shaping how financial data is managed and secured. However, as the regulatory framework takes shape, careful attention must be given to bridging the gap in obligations for data processors, ensuring that the data protection realm remains robust and effective.

(This Article is solely for information purposes, does not constitute legal or professional advisory and should not be relied upon or used as a substitute for legal advice from attorney.)

About the Authors: Jayshree Navin Chandra, Senior Partner at ZEUS Law, has been a practicing lawyer since 2001 with extensive corporate and transactional advisory experience. She advises and represents clients ranging from Fortune 500 companies to start-ups as well as Central and State Government departments and public bodies in a wide range of domestic and cross border transactions, across industries in practice areas including Corporate and Company Law, M&A and Joint Venture, Private Equity, FDI & FII, Real Estate and Infrastructure, Data privacy and protection, Intellectual Property & Commercial Law Advisory.

Mr. Divij Poddar is an Associate at ZEUS Law and works in the Corporate and Commercial practice vertical.

ZEUS Law Associates is an ISO certified full service corporate commercial law firm with a team of dedicated and experienced lawyers well versed in handling domestic and cross border transactions across sectors, jurisdictions and regulatory landscapes. The firm’s practice areas include Corporate and Company Law, M&A and Joint Venture, Private Equity, FDI & FII, Real Estate and Infrastructure, Intellectual Property & Commercial Law, Litigation, Alternate Dispute Resolution, Indirect Tax and NRI Services.