[By Shubham Jain]
The author is a fourth-year student at National Law University, Jodhpur.
The issue of privacy and data protection was thrown into the limelight after the Justice K.S. Puttaswamy judgement, which recognized the right to privacy as a fundamental right enshrined under Article 21 of the Indian Constitution.[i] Instances like the Aadhaar data leak[ii] and the Cambridge Analytica and Facebook data breach[iii] raised concerns about data protection, existing infrastructure, and the current state of affairs pertaining to cross-border trading of data.
While the concerns regarding privacy were grabbing headlines, the FinTech industry in the country was booming because of demonetization and the government’s push towards boosting e-payments in the country. The term FinTech is often defined as the “technologically enabled financial innovation that could result in new business models, applications, processes, or products with an associated material effect on financial markets and institutions and the provision of financial services”.[iv] The FinTech industry is aimed at bringing technological innovations to the banking and financial sector.[v] According to estimates, the digital payments industry in India is projected to reach USD 700 billion by 2022 in terms of the value of transactions.[vi] FICCI projects the global FinTech sector’s value at $45 billion by 2020, growing at a compound annual growth rate of 7.1%.[vii]
Needless to say, the concerns regarding data protection affect the FinTech industry as well. Therefore, it is important to ensure that the data consumers provide to FinTech entities is protected, while ensuring the industry’s growth.
Data Protection and Privacy
The Srikrishna Committee noted that the conception of privacy is based on society and culture, which determine what may be construed as a violation of privacy.[viii] It further noted that data protection principles are founded on the trust of citizens in the entities governing it.[ix] The entities could be either regulatory authorities or private corporations. In the US, these relations are dictated by the capitalistic principle of laissez-faire; however, the courts have recognized the Right to Privacy, as indicated in their constitution.[x] The US has sector-specific laws with regard to privacy and the use of data by private entities.[xi] Citizen and corporate relations are based on free markets and on merely regulating the data handling process,[xii] whereas the state has to follow stricter laws stemming from the principles of liberty.[xiii] The EU is leading the world in terms of regulations regarding data protection, especially with the EU General Data Protection Regulation, 2018 (“GDPR”).[xiv] The EU approach to data protection is based on upholding human dignity and protecting privacy.[xv] The Srikrishna Committee further noted that the Indian citizen-state relationship does not coincide with that of either the US or the EU. The Indian Constitution envisions (i) the state as a facilitator of human progress, as indicated through the DPSPs, and (ii) checks and balances to prevent misuse of power by the state, as enshrined in the federal structure and the three organs of the government.[xvi] Therefore, the Indian conception of privacy as a right seems to be the exercise of autonomy within a limited sphere as prescribed by the regulators. The decisions of the regulators can be checked through judicial review in case of excessive measures or encroachment on the rights of citizens.
Fintech – Regulatory Regime
In India, the arena of FinTech is regulated by several regulators, like the RBI and SEBI for intermediaries in the securities market, IRDA for insurance-related regulations and TRAI for regulatory mechanisms related to telecom.[xvii] FinTech companies often find themselves governed by overlapping jurisdictions.
The Working Committee Report remarks that FinTech entities are regulated within the framework of ‘payment systems’[xviii] and need authorization from the RBI.[xix] The RBI has the power to issue directions to payment systems and system participants,[xx] which it may invoke as needed. The RBI regulates the payment space under the Payment and Settlement Systems Act, 2007 and the Payment and Settlement System Regulations, 2008. Further, the RBI also governs the functioning of peer-to-peer lending through the P2P Master Directions (published in Oct., 2017), which require P2P NBFCs to register with the RBI. The RBI also recently recognized the need to strengthen consumer confidence in digital payments and thus launched the Ombudsman Scheme for Digital Transactions (OSDT) as a complaint redressal mechanism.[xxi]
Regulating Privacy and Data Protection in Fintech Industry
Transfer of personal data categorized as sensitive personal data is currently governed by the SPD Rules issued under Section 43A of the IT Act. In case of any negligence in implementing and maintaining reasonable security practices to ensure protection of sensitive personal data, the body corporate is held responsible and is required to compensate for the leak or loss of data.[xxii] Furthermore, the disclosure of information, knowingly and intentionally, without the consent of the person concerned and in breach of the lawful contract is punishable with up to 3 years of imprisonment and a fine.[xxiii] Data protection, as of now, is merely governed by a contractual relationship between the parties.[xxiv] The terms of the contract are dictated by the service provider, and the users have very little or no say in the same. The provisions of the IT Act are not sufficient to ensure protection of the sensitive information and data of consumers. Concerned about the sector’s recent boom, the RBI issued notifications mandating data protection and localization. It has also shown concerns about the security standards and measures, and has assumed unfettered access to the data.[xxv] The RBI also recommended exhaustive stand-alone legislation on data protection in order to ensure customer faith in the FinTech industry and protect citizens from exploitation of personal information.[xxvi] The sectoral regulators are already taking the initiative to protect the data of consumers.[xxvii]
The Working Committee has recommended that data must be classified based on the extent of its sensitivity and the risk of exposure associated with it.[xxviii] The FinTech entities were to ensure that the data does not suffer from any “loss of confidentiality, loss of integrity, and loss of availability”, by implementing the safe transaction principles.[xxix] The RBI also suggested a requirement to establish a Network Management System, along with a standard procedure to ensure the safety of data, for all FinTech entities.[xxx] Another pertinent observation was that banking sector activities must not be outsourced by the FinTech entities, and that the plausible attack scenarios should be defined.[xxxi]
Impact of the Personal Data Protection Bill, 2019
The Indian Personal Data Protection Bill, 2019 is similar to EU-GDPR.[xxxii] Some of the similarities are as follows:
- Notice and consent requirements for the processing of personal [xxxiii]
- Limitations on the processing of personal data, including minimization requirements.[xxxiv]
- Compliance requirements for data processors, such as incorporating privacy by design, and the appointment of data protection officers to conduct periodic data protection impact assessments and data [xxxv]
- Providing positive rights to users, such as the right to data portability and the right to [xxxvi]
- The requirement of data localization with no constraints on the transfer of other personal data outside India.[xxxvii]
- Regulation and supervision by a proposed Data Protection [xxxviii]
- Penalties, including the prohibition of processing, and financial consequences for noncompliance.[xxxix]
It is important to note that the bill, as well as the Srikrishna Committee, proposed to treat the relation between the data principal and the data processors as a fiduciary relation.[xl]
The cost of compliance with the Personal Data Protection Bill, 2019 for the FinTech industry would be detrimental to the growth of the industry. The EU already had an existing cross-sector privacy framework. The GDPR was implemented to strengthen the existing regulatory regime.[xli] The United Kingdom conducted an impact assessment for corporations for compliance with the EU GDPR. It found that the costs of appointing data protection officers, conducting data protection impact assessments, notifying the supervisory authority of data breaches, and implementing the GDPR would be exorbitant; it found that the costs would outweigh its benefits.[xlii] However, the Indian privacy framework is governed by the IT Act. Considering that no such previous legislative framework existed in India, the cost of compliance with the same, especially for the nascent FinTech industry, would be huge. The same could hamper the growth of any new entities bringing innovation in the field of banking and finance.
Conclusion and Recommendations
The Personal Data Protection Bill, 2019 can substantially impact the business models of FinTech entities because they rely heavily on technology like AI and Machine Learning to cut costs related to customer acquisition and providing services. Therefore, the requirements in the Personal Data Protection Bill can potentially inhibit the growth of FinTech in India.
The RBI realizes the importance of protecting the FinTech industry from overregulation, while allowing enough room for innovation.[xliii] In order to ensure that new companies with less capital do not have to face the brunt of the cost of data protection, the RBI, through its regulatory sandboxes, could set up data servers which FinTech services can use to store and process their data. This would give them access to Big Data, so that their Machine Learning and AI software would be able to function with greater efficiency. However, in order to protect consumers from any exploitation of data by these entities, anonymization of data would be critical.
Balancing the rights of citizens and ensuring innovation in the FinTech industry is critical to foster citizens’ belief and the growth of the industry. Therefore, the bill’s impact on the FinTech entities needs to be evaluated carefully.
[i] K.S Puttaswamy & Anr. v. Union of India & Ors., 2017 (10) SCALE 1.
[ii] Hindu Business Line, “1Bn records compromised in Aadhaar breach since January: Gemalto” Available at: https://www.thehindubusinessline.com/news/1-bn-records-compromised-in-aadhaar-breach-since-january-gemalto/article25224758.ece.
[iii] BBC, “Facebook ‘to be fined $5bn over Cambridge Analytica scandal’”, Available at: https://www.bbc.com/news/world-us-canada-48972327.
[iv] Financial Stability Board, “MONITORING OF FINTECH”, Available at: https://www.fsb.org/work-of-the-fsb/policy-development/additional-policy-areas/monitoring-of-fintech/.
[v] PricewaterhouseCoopers, “SECURITY CHALLENGES IN THE EVOLVING FINTECH LANDSCAPE”, Available at: https://www.pwc.in/assets/pdfs/consulting/cyber-security/banking/security-challenges-in-the-evolving-fintech-landscape.pdf.
[vi] Reuters, “India Digital Payment Systems Market: Industry Is Anticipated To Reach US $700 Billion by 2022”, Available at: https://www.reuters.com/brandfeatures/venture-capital/article?id=21598.
[vii] Komal Gupta, Gireesh Chandra Prasad, “Panel to find ways to make business easier for FinTech firms”, Available at: https://www.livemint.com/Politics/wcouR2gV2KJzzoQuezNxYK/Government-sets-up-panel-on-Fintech-to-make-regulations-more.html.
[viii] Whitman, James Q., “The Two Western Cultures of Privacy: Dignity versus Liberty” (2004). Faculty Scholarship Series. 649. https://digitalcommons.law.yale.edu/fss_papers/649, (Accessed- 5th Aug 2019).
[ix] Whitman, James Q., “The Two Western Cultures of Privacy: Dignity versus Liberty” (2004). Faculty Scholarship Series. 649. https://digitalcommons.law.yale.edu/fss_papers/649, (Accessed- 5th Aug 2019).
[x] Roe v. Wade 410 U.S. 113 (1973); Griswold v. Connecticut 381 U.S. 479 (1965).
[xi] Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, “A Free and Fair Digital Economy Protecting Privacy, Empowering Indians.” Available at: https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf; (“Srikrishna Committee Report“).
[xii] Srikrishna Committee Report, at 4.
[xiii] Whitman, Supra 8.
[xiv] Juliana De Groot, “What is General Protection Regulation? Understanding and Complying with GDPR Requirements in 2019.” Available at: https://digitalguardian.com/blog/what-gdpr-general-data-protection-regulation-understanding-and-complying-gdpr-data-protection.
[xv] Srikrishna Committee Report, at 4; also see Whitman, Supra 8.
[xvi] Srikrishna Committee Report, at 5.
[xviii] Section 2(i), Payments and Settlement Systems Act, 2007.
[xix] Section 17, Payments and Settlement Systems Act, 2007.
[xx] RBI, “Report of the Working Group on FinTech and Digital Banking”, (Published- Nov., 2017), Available at: https://rbidocs.rbi.org.in/rdocs/PublicationReport/Pdfs/WGFR68AA1890D7334D8F8F72CC2399A27F4A.PDF, at 58. (“RBI Working Committee Report”).
[xxii] Section 43(A), Information Technology Act, 2000 (Ind.).
[xxiii] Section 72A, Information Technology Act, 2000 (Ind.).
[xxiv] RBI Working Committee Report, at 53.
[xxv] Parikh V., Kamath A., Senthilnathan A., “India steps towards localisation of payment systems data”, Available at: http://www.nishithdesai.com/fileadmin/user_upload/pdfs/NDA%20In%20The%20Media/News%20Articles.
[xxvi] RBI Working Committee Report, at 53.
[xxvii] Department of Economic Affairs, Ministry of Finance, Government of India, “Report of the Steering Committee on Fintech related issues, 2019”, available at: https://dea.gov.in/sites/default/files/Report%20of%20the%20Steering%20Committee%20on%20Fintech_2.pdf.
[xxviii] Id at 54.
[xxxi] Id, at 56.
[xxxii] Anirudh Burman, “Will GDPR Style Data Protection Law work for India?” (Published-May 15, 2019) Available at: https://carnegieindia.org/2019/05/15/will-gdpr-style-data-protection-law-work-for-india-pub-79113.
[xxxiii] Personal Data Protection Bill, 2019, Sections 7,11.
[xxxiv] Personal Data Protection Bill, 2019, Sections 4,5,10.
[xxxv] Personal Data Protection Bill, 2019, Sections 22.
[xxxvi] Personal Data Protection Bill, 2019, Sections 18(1)(d).
[xxxvii] Personal Data Protection Bill, 2019, Sections 33, 42.
[xxxviii] Personal Data Protection Bill, 2019, Sections 30,26,22,27,32,28.
[xxxix] Personal Data Protection Bill, 2019, Sections 57-66.
[xl] Srikrishna Committee Report, Supra 3, at 6.
[xli] Data Protection Directive, 1995. (EU).
[xlii] UK Ministry of Justice, “Impact Assessment: Proposal for an EU Data Protection Regulation,” (Published – November, 2012) Available at: https://consult.justice.gov.uk/digital-communications/data-protection-proposals-cfe/results/eu-data-protection-reg-impact-assessment.pdf.
[xliii] RBI Working Committee Report, at 58.