THE IMPACT OF DATA PROTECTION LAW IN INDIA ON BFSI AND HEALTHCARE

In an era dominated by technological advancements, the impact of data protection laws in India on the banking, financial Services, and insurance (“BFSI”) sector and the healthcare industry has become increasingly significant.

Over the years, India has developed a comprehensive regulatory environment for these sectors. That said, both sectors have seen a rise in cyberattacks. News outlets report a 50% increase in data leaks in the banking and financial sector, and reveal that the healthcare industry faced the largest number of attacks amongst all sectors within India in 2022. 

Businesses in the BFSI and healthcare space deal with particularly sensitive financial and health data. A breach or unauthorized access to such data may severely compromise individual interests and confidentiality. The increase in cyberattacks is reflective of the need for a comprehensive data protection law governing data use and protection in India. In August 2023, the Indian government enacted the Digital Personal Data Protection Act, 2023 (“DPDPA”) into law.

This note, authored by a leading Indian data protection law firm, closely examines the impact of the DPDPA on the BFSI and healthcare sectors and provides practical recommendations on approaching compliance with the new law for businesses.

    1. EXISTING INDIAN LEGAL FRAMEWORK

Financial services are regulated by four main regulators – the Reserve Bank of India (“RBI”) whose supervisory role covers commercial banks, urban cooperative banks, some financial institutions and non-banking finance companies; the Securities and Exchange Board of India (“SEBI”) that regulates capital markets, mutual funds, and other intermediaries, the Insurance Regulatory and Development Authority of India (“IRDAI”) which regulates the insurance sector, and the Pension Funds Regulatory and Development Authority (“PFRDA”) which regulates pensions.

As a part of their supervisory role, the sectoral regulators have defined obligations relating to data protection and cybersecurity for entities regulated by them – this extends to setting out data security measures, data sharing, storage, and confidentiality requirements, among others.

In addition to the sector-specific regulations issued in the BFSI and healthcare space, data protection law in India comprises of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, issued under the Information Technology Act, 2000 (“SPDI Rules”). The SPDI Rules impose enhanced obligations on the collection and processing of “sensitive personal data or information,” which include data relating to the physical, physiological, and mental health condition of individuals, or their medical records and history, as well as financial data such as bank account, credit card, debit card, or other payment instrument details.

Entities are also required to comply with the “Directions under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents for safe and trusted internet” (“CERT-In Directions”) which require organizations to, notify the Indian Computer Emergency Response Team (“CERT-In”) of certain cybersecurity incidents (such as data breaches and data leaks) within 6 (Six) hours of their occurrence.

Indian financial sector regulators have also prescribed detailed cybersecurity frameworks for REs, such as the RBI’s Cyber Security Framework in Banks. Regulators have imposed incident reporting obligations on REs, and breach notification obligations under the CERT-In Directions will continue to apply. Organizations triggering these notification obligations must revisit their cyber incident management plans to account for the new requirements under the DPDPA.

The DPDPA establishes the Data Protection Board of India (“Board”) as the nodal authority responsible for overseeing the implementation of the DPDPA. The DPDPA mandates businesses to implement security safeguards to protect personal data. A failure to implement security safeguards is punishable with fines of up to INR 2,500,000,000, and a failure to report incidents with fines of up to INR 2,000,000,000; both of which are among the highest penalties proposed under this law.

  1. UPCOMING FRAMEWORK FOR DATA PROTECTION IN INDIA

The DPDPA intends to regulate the processing of “personal data” – that is, any data about an individual who is identifiable by or in relation to such data. Interestingly, the DPDPA does not regulate any “sensitive” or “special” categories of personal data, unlike its predecessors or international counterparts. Therefore, under the DPDPA regime, businesses will not attract higher compliance obligations merely because they collect and process financial or health data (the processing of which under most other laws, including the SPDI Rules, are subject to higher compliance obligations).

The DPDPA primarily regulates “data fiduciaries” and recognizes “data processors”. It defines a data fiduciary as a person who determines the purpose and means of processing personal data. On the other hand, a data processor is defined as any person who processes personal data on behalf of a data fiduciary. The DPDPA does not directly regulate data processors and imposes the overarching obligation of compliance with the law on data fiduciaries.

Given the volume and sensitivity of personal data processed by regulated entities (“REs”) in the BFSI sector, the importance of their functions for the nation, and their impact on the financial health of individuals, most REs are likely to be classified as “significant” data fiduciaries – a class of data fiduciaries to be separately notified by the central government. The DPDPA imposes additional obligations on significant data fiduciaries, such as appointing data protection officers and performing data audits and data protection impact assessments.

Personal data may only be processed for a lawful purpose, with the “consent” of the data principal (the individual to whom the personal data relates), or for certain “legitimate uses” prescribed under the DPDPA. Where consent is the basis of processing, the consent sought must be free, specific, informed, unconditional, and an unambiguous indication of the data principal’s wishes indicated through a clear affirmative action. 

Where legitimate uses are the basis of processing, data fiduciaries may process personal data:

  • in the event the data principal voluntarily provides their personal data to the data fiduciary for specified purposes;
  • for responding to medical emergencies;
  • for taking measures to provide medical treatment and health services during an epidemic, outbreak of disease, or during a threat to public health; and
  • for taking measures to ensure the safety of or provide assistance or services to any individual during any disaster or breakdown of public order.

We expect that businesses in the health space will largely be able to rely on the grounds of legitimate uses for their business purposes. For instance, individuals seeking medical services in hospitals may be deemed to have “voluntarily provided” their personal data for this purpose.

REs in the BFSI sector ought to carefully analyze their personal data processing activities to determine their status under the DPDPA for each processing activity. REs often outsource certain aspects of their business and operations to third-party service providers. In a customer-service provider relationship, REs are likely to constitute data fiduciaries for the purposes of the DPDPA. In certain circumstances, service providers, too, might be considered data fiduciaries under the DPDPA. For instance, if a lender outsources their lending activities to another lending service provider with a proprietary algorithm to determine eligible borrowers, given that both the lender and the service provider play a part in determining the purposes and means of processing, they are likely to constitute data fiduciaries for their respective processing activities.

  1. PRACTICAL NEXT STEPS FOR BUSINESSES

We expect that compliance obligations under the DPDPA are likely to be triggered in a phased manner. Accordingly, we are optimistic that businesses will not be expected to achieve compliance immediately. As such, there are preparatory steps that entities may take at this stage:

  • Undertaking a data mapping exercise to identify the personal data points collected and processed by the entity. Entities must identify all data points they collect along with the purposes of their collection. Additionally, this inventory must provide other relevant details against each data point identified, including the jurisdiction where such data is stored, the grounds or bases of processing (for instance, consent or legitimate uses), and the processors or third parties with whom such data is shared.
  • Identifying sectoral data protection and cybersecurity obligations that may conflict with the DPDPA and balance compliances based on the DPDPA’s provisions on conflict; and
  • Identifying actor characterizations for each processing activity (that is, whether the business would be a data fiduciary or a data processor). Since data processors do not have any direct obligations under the law, characterization as a data processor significantly reduces compliance obligations. It must be noted that actor characterizations may vary depending on the processing activity an entity engages.
  1. CONCLUSION

The DPDPA leaves certain aspects open for further legislation through the issuance of rules by the central government in the upcoming months. The expectation is that these forthcoming rules will provide additional clarity on compliance obligations for businesses. Businesses operating in the BFSI and healthcare sectors are advised to commence the process of laying down the groundwork for meaningful compliance with the DPDPA. 

By delineating specific compliance requirements and procedures, the upcoming rules will guide organizations in aligning their data processing practices with the provisions of the new data protection law in India. Legal professionals specialising in data protection can offer valuable insights and assistance in ensuring that businesses, especially those that have a global presence in multiple jurisdictions, effectively align their data privacy policies in India to meet the requirements set forth in the DPDPA, thereby fostering a culture of responsible and lawful data management practices in the Indian business environment. In navigating this evolving landscape, businesses are encouraged to seek guidance from data protection lawyers in India.