The Digital Personal Data Protection Act, 2023 (“DPDP”) has had an arduous journey in the country’s decade long process of evolving general data protection regime for India. The DPDP is is the data protection legislation of India after having received the presidential assent. The DPDP is set to have a profound impact on various industries, including but not limited to the fintech sector. With the increasing reliance on digital platforms and data-driven services, the DPDP aims to strike a balance between protecting individuals' personal data and fostering innovation in the fintech space.
Nevertheless, the DPDP seems to raise the following concerns for the fintech industry:
(a) Who is the Data Fiduciary (“DF”) – The first and most fundamental challenge of the DPDP comes to surface upon reading of clause 2(j) of the DPDP which clearly shows that a DF is a person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. However, considering the nature of the fintech industry wherein usually two parties i.e., regulated entity and the fintech operate, it becomes unclear if only the bank or if the fintech company would also be considered a DF. The entities involved will have to identify the exact nature of their relationship to specifically establish the extent of their obligations prior to such collection and processing of personal data.
(b) DF or Significant Data Fiduciary (“SDF”) – The second fundamental challenge that arises for a fintech company is to establish whether the entity would be considered a DF or an SDF. In particular, the DPDP stipulates that the central government may designate certain DFs as SDFs upon taking the following factors into consideration: (i) volume and sensitivity of personal data processed, (ii) risks to the rights of data principals, (iii) security of the state, and (iv) public order. Considering the heavy reliability of the fintech companies on technology and technological platforms and the sheer volume and sensitivity of the personal data processed by them, it is highly likely that a majority of them may be classified as SDFs. The fintech companies identified as SDFs will have certain additional obligations including: (i) appointing a Data Protection Officer, (ii) appointing an Independent Data Auditor; and (ii) undertaking impact assessment and compliance audit.
(c) “As-is basis” vs. “Accuracy” requirement – It is pertinent to note that as of now the personal data being collected was on an “as-is” basis. Whereas a perusal of the DPDP shows that a DF processing such personal data is now statutorily obligated to ensure its completeness, accuracy and consistency. This appears to be an additional obligation on the DFs. As a result, the DFs now while dealing with entities (which may include fintech entities) engaged in data collection and/or processing will have to ensure that the agreement executed with the such entities contains a stipulation indemnifying them from any costs and/or damages which may arise from the data being inaccurate, incomplete and/or inconsistent.
(d) Privacy Policy vs. notice requirements: It is pertinent to note that the DPDP provides for the provision of a prior notice whereas several regulations including but not limited to the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“SPDI Rules”) and Guidelines on Digital Lending, 2022 (“DL Guidelines”) provides for the requirement of a “privacy policy”. It remains unclear if the two requirements of prior notice and privacy policy refer to one and same document or if there is a distinction between the two. Fintech companies bound by the sectoral laws and regulation would require clarity on the above mentioned to draft documents post which it may take up processing/collection of user personal data.
(e) Grievance Manager and/or “Consent Manager” – It is pertinent to note that the SPDI Rules, applicable on all fintech companies collecting sensitive personal data such as passwords; financial information such as bank account, credit card, debit card or other payment instrument details, requires a body corporate to appoint a “Grievance Officer” whose name and details are published on the website. Adding to this, the DL Guidelines necessitate that Regulated Entities (i.e., banks) ensure that LSPs engaged by them shall have a suitable nodal grievance redressal officer to deal with Fintech/ digital lending-related complaints/ issues raised by the borrowers. The DL Guidelines require that the details of this officer are to be made available on the website and the key fact statement made available to the borrowers. As per the DL Guidelines, in case the Regulated Entity is unable to solve a dispute within 30 days, the borrower is entitled to lodge a complaint over the Complaint Management System (CMS) portal under the Reserve Bank-Integrated Ombudsman Scheme (RB-IOS). For entities currently not covered under RB-IOS, complaint may be lodged as per the grievance redressal mechanism prescribed by the Reserve Bank.
In a notable development, the DPDP now requires the appointment of a “Consent Manager”. As per clause 13 of the DPDP, “Data Principal shall have the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager.” It is now unclear if a fintech company requires two separate designations to deal with grievances related to consent, which was previously being dealt by the nodal grievance officer alone. This also becomes crucial in view of the fact that the Consent Managers are required to meet certain requirements (including but not limited to registering with the DPBI) as mentioned in the DPDP whereas the nodal grievance officer is under no such obligation. Furthermore, if a borrower files a complaint with the Consent Manager and the same is not resolved by the Regulated Entities within the span of 30 days, it is unclear if the borrower can lodge a complaint over the CMS portal.
(f) Data localization clash – The DPDP's silence on data localization clashes with DL Guidelines stipulating India-based servers.
(g) Increased data breach reporting obligations – One more aspect to be looked at is the data breach angle. It is pertinent to note that the Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks cconcerned with managing risks in outsourcing of financial services requires a bank to immediately notify the RBI in the event of a data breach of security and leakage of confidential customer related information. Furthermore, The Computer Emergency Response Team ("CERT-In") has notified new directions dated 28th April 2022 wherein it has specified that any service provider, intermediary, data center, body corporate and government organization to mandatorily report cyber incidents to CERT-In within 6 Hours of noticing such incidents or being brought to notice about such incidents.
The DPDP adds to this already long list of disclosures by specifying that in the event of a personal data breach, the DF shall give the Data Protection Board of India (“DPBI”) and each affected DP, intimation of such breach in a prescribed format. This adds to the already long list of compliances of the fintech companies.
(h) Startup exemption - It is also interesting to note that the DPDP vide clause 17 (3) states that the Central Government may, having regard to the volume and nature of personal data processed, notify certain DFs or class of DFs, including startups, to be exempt from the provision of section 5 (prior notice requirement), section 8 (3) (completeness and accuracy of data requirements), sections 8 (7) (data erasure requirement), section 10 (additional obligations of SDFs) and section 11 (data principal’s right to access her data). As per a news report of Business Today dated 08th August 2023, presently a staggering 3087 of fintech companies are registered as startups with the Department for Promotion of Industry and Internal Trade (“DPIIT”). Given the prevailing status of the Indian fintech sector predominantly in its nascent phases, the prospect of exemption from the aforementioned statutory obligations becomes a pertinent consideration. While the rationale behind this particular exemption remains to be conclusively elucidated, it is imperative to underscore that until such time as the central government formally notifies specific startups, fintech entities would remain bound to observe the regulatory requisites delineated above.
(i) Monetary penalty assessment – Notably, clause 33 of the DPDP introduces a crucial dimension by emphasizing that when assessing the quantum of monetary penalty, the DFBI should consider the repetitive occurrence of breaches. Within the context of the dynamic fintech landscape, stakeholders are strongly urged to proactively gather information about the nature and frequency of data breach incidents experienced by potential partner entities. This diligence becomes pivotal as it empowers fintech enterprises to make informed decisions and form collaborations that align with their commitment to data protection and regulatory compliance.
As the DPDP's enactment reshapes the contours of data protection and privacy in India, the fintech sector faces both opportunities and challenges. Effective navigation of this evolving landscape necessitates a comprehensive understanding of the DPDP's provisions, proactive adaptation to its requirements, and strategic alignment with existing regulations to ensure the continued growth and innovation of the fintech industry.
