Lending service providers (“LSPs”) are those entities who are engaged by regulated entities – banks or NBFCs (“REs”) – to carry out certain functions on their behalf. These functions may include customer acquisition, underwriting support, pricing support, servicing, monitoring, and recovery of specific loans. LSPs act as intermediaries between the borrower and the RE and may exercise their functions through a digital lending application (“DLA”). The Guidelines on Digital Lending, 2022 (DL Guidelines) were issued by the Reserve Bank of India in September 2022 under the Banking Regulation Act, 1949, the Reserve Bank of India Act, 1934, the National Housing Bank Act, 1987, the Factoring Regulation Act, 2011 and the Credit Information Companies (Regulation) Act, 2005. The DL Guidelines require REs to regulate the conduct of LSPs and DLAs and impose data protection-related obligations in this regard.
In addition, India enacted the Digital Personal Data Protection Act, 2023 (DPDPA) in August 2023. While the government is yet to notify the effective dates for its implementation, LSPs will be required to ensure observance of its provisions.
This note provides an overview of the key data protection aspects that must be considered by LSPs based on Spice Route Legal’s experience as a reputed data privacy law firm.
The DL Guidelines prescribe various standards of data collection, usage, sharing, and storage of personal data, which the RE must ensure are complied with by their LSPs and the DLAs.
Under the DL Guidelines, any data collection must be need-based and with the prior and explicit consent of the individual. The DL Guidelines specifically call out the datasets to which a DLA must not have access (such as files and media, contact lists, mobile phone resources, and call logs). However, one-time access is permitted for the camera, microphone, location, or any other facility necessary only for onboarding or KYC requirements. The DL Guidelines also prohibit the collection of biometric data unless it is allowed under existing law.
The DL Guidelines prescribe that the borrower’s explicit consent be taken before any disclosure of personal information to third parties. The only exception to this rule is where existing law already provides for such disclosures (for instance, sharing of information with government agencies).
LSPs and DLAs are required to disclose, on their websites and within the DLAs, a comprehensive privacy policy, the details of the grievance redressal officers, a complaint lodging facility, and the security protocols employed by their RE (which include security breach protocols, retention of data, restrictions on the use of data, and data destruction protocols).
Under the DL Guidelines, storing borrowers’ personal information is barred (except for some minimal data such as name, address, contact, etc., required to carry out LSP operations). Moreover, responsibility regarding data privacy and security of the borrower’s personal information resides with the RE. LSPs must also comply with various technology standards and requirements on cybersecurity stipulated by the RBI and other agencies for undertaking digital lending.
Under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), issued under the Information Technology Act, 2000 (“IT Act”), the sole ground for the collection of “sensitive personal data or information” (“SPDI”) is the express consent of the information provider. SPDI is a subcategory of personal data which includes passwords, financial information, health information, sexual orientation, and biometric information.
Under the SPDI Rules, companies (LSPs, for the present context) are required to (a) publish a privacy policy, (b) comply with certain principles of processing – lawfulness of processing, purpose limitation, and data minimisation, (c) implement security practices and procedures and have documented information security policies in place (ISO 27001 is a recommended but not mandatory standard), (d) designate a grievance redressal officer and publish their name and contact details, and (e) transfer personal data, including transfers outside of India, only if the recipient ensures the same level of data protection as is provided under the SPDI Rules and by the transferor.
In addition to the cybersecurity requirements stipulated by the RBI, LSPs and DLAs are required to comply with the directions under sub-section (6) of section 70B of the IT Act relating to information security practices, procedures, prevention, response, and reporting of cyber incidents for a safe and trusted internet (“CERT-In Directions”). These directions require organisations to, inter alia, notify the Indian Computer Emergency Response Team (“CERT-In”) of certain cybersecurity incidents within 6 (six) hours of their occurrence. Cybersecurity incidents include data breaches and data leaks. The CERT-In Directions do not recognise a controller and processor type distinction in a customer and service provider relationship: each organisation is required to make the breach notification to CERT-In itself.
The Digital Personal Data Protection Act primarily regulates “data fiduciaries” and “data principals”. The law also recognises “data processors” but does not regulate them directly. Under the new Indian data privacy law, a “data fiduciary” determines the purpose and means of processing personal data, either alone or in conjunction with others. A “data processor” is any person who processes personal data on behalf of a data fiduciary, and a “data principal” is the individual to whom the personal data relates.
Under the DPDPA, the lawful grounds for processing personal data are (a) consent, and (b) certain legitimate uses. The DPDPA requires consent to be freely given, specific, informed, limited, withdrawable, unconditional, unambiguous, and provided through a clear affirmative action, and that every consent request be accompanied or preceded by a notice.
Such notice must be made available to the data principal in English and the 22 other official languages listed in the Eighth Schedule to the Constitution. The notice must describe the categories of personal data sought to be processed along with the purposes of processing such data. The notice must also state how data principals may exercise the right to withdraw consent and the right to grievance redressal, and how the data principal may raise complaints with the Data Protection Board, which will be established under the DPDPA.
LSPs should determine whether they would qualify as “data fiduciaries” or “data processors” under the DPDPA.
Classification as a “data fiduciary” depends on whether the entity determines the purpose and means of processing personal data. However, the DPDPA offers no further guidance on how to determine whether an entity is a “data fiduciary” or a “data processor”. From a global perspective, the determination of the purpose and means of processing depends on several factors:
The DPDPA provides that in case of a conflict between the DPDPA and any other law, the DPDPA will generally prevail to the extent of such conflict. The sole exception to this rule is in relation to cross-border data transfers: if any other law provides for a higher degree of protection for, or restriction on, the transfer of personal data outside India, such law will prevail over the DPDPA.
Entities in the digital lending space ought to identify conflicts between their obligations under the DPDPA and the DL Guidelines and resolve them in accordance with the provisions of the DPDPA. One such conflict concerns the obligations relating to cross-border transfers of data under the two frameworks. The DL Guidelines require organisations to store personal data within India. In contrast, under the DPDPA, cross-border data transfers are generally permitted, except to jurisdictions mentioned in a “negative list” notified by the Indian government.
Therefore, REs and LSPs ought to carefully identify the legal framework applicable to their applications and determine compliance obligations accordingly.
Businesses in the digital lending space can kickstart their compliance with the Digital Personal Data Protection Act by undertaking the following steps: