The Indian fintech sector is predicted to generate revenues of approximately USD 190 billion by 2030. This is in part driven by the focus on growth and innovation across business categories ranging from digital lending and payments processing to insurtech and wealth-tech. Additionally, the growth is facilitated by the adoption of artificial intelligence, automation, and cloud computing. However, this fast-paced growth of the fintech industry is accompanied by increasing information security challenges. As the volume of personal data collected by fintech companies rises, so does the risk of cybersecurity incidents and attacks, making it indispensable for fintech companies to comply with the newly enacted data protection law in India. The best data protection law firms in the industry will assist such organisations in managing incidents and making appropriate breach notifications to regulators.
This note intends to provide an overview of privacy laws in India applicable to fintech companies in line with the privacy act in India.
Indian data protection laws of general application comprise the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) issued under the Information Technology Act, 2000 (“IT Act”). The SPDI Rules presently constitute the data privacy laws in India. The Rules impose additional obligations on the collection and processing of “sensitive personal data or information” (“SPDI”), which includes financial data. Businesses are obligated to obtain consent prior to collecting SPDI and to comply with the cybersecurity stipulations outlined in the Cybersecurity Directions issued by the Indian Computer Emergency Response Team (“CERT-In”) under the IT Act. Fintech companies are also required to report certain cybersecurity incidents to CERT-In within six hours of becoming aware of them, and to comply with these rules and directions under the IT Act.
Additionally, Indian financial sector regulators such as the Reserve Bank of India and the Securities and Exchange Board of India prescribe data protection and cybersecurity standards for regulated entities. Such regulated entities pass on these data protection and cybersecurity obligations to their outsourced service providers. Fintech companies may therefore also be subject to sectoral obligations contractually passed on by regulated entities.
In August 2023, the Indian government enacted the Digital Personal Data Protection Act, 2023 (“DPDPA”), which will replace the SPDI Rules once enforced. The government is expected to notify the Digital Personal Data Protection Rules in 2024. The DPDPA primarily regulates “data fiduciaries”, defined as organisations that determine the purposes and means of processing personal data. Organisations that process personal data on behalf of data fiduciaries are defined as “data processors”. The DPDPA does not directly regulate data processors. In an outsourcing context, fintech companies may characterise themselves as data processors to regulated entities (the data fiduciaries). However, if fintech companies use personal data for business improvement, innovation, or to train their AI/ML models, they are likely to constitute data fiduciaries in their own right. Businesses must perform a careful analysis of their processing operations and vendor/customer relationships to determine their status under the DPDPA.
The DPDPA provides that personal data may only be processed for a lawful purpose, either with the “consent” of the data principal or for certain “legitimate uses”, such as an individual’s voluntary provision of their data, or employment purposes. Furthermore, the DPDPA exempts certain purposes, fully or in part, from its purview, including processing personal data to enforce any legal right or claim, the prevention, detection, investigation, or prosecution of any offence, or debt recovery. Accordingly, fintech companies must identify the appropriate ground for each processing activity, and whether such processing is exempt from obligations under the DPDPA.
The DPDPA imposes additional obligations relating to data processing. For instance, privacy notices are required where the legal basis of processing is consent or the individual’s voluntary provision of their data. Fintech companies need to revamp their data privacy policies to align with the DPDPA. The DPDPA empowers the Data Protection Board of India to impose penalties as high as INR 250 crores in cases of non-compliance. The Board is expected to be established by the Central Government in 2024, following the notification of the Digital Personal Data Protection Rules.
To summarise, these laws collectively constitute the data protection laws in India applicable to fintech companies. Hence, data protection lawyers in India often encourage fintech companies to proactively adhere to data protection and cybersecurity laws. Doing so not only helps them steer clear of penalties but also reduces regulatory scrutiny and safeguards their reputation.
If you have any queries or would like to know more about the DPDPA, 2023, reach out to Spice Route Legal, recognised as the best data protection law firm in India. Email id: contact@spiceroutelegal.com.