Introduction

The financial services sector in India has witnessed a remarkable transformation over the past few decades, evolving into a dynamic and rapidly growing industry that plays a pivotal role in the country’s economic development. This sector encompasses a wide range of services, including banking, insurance, capital markets, and non-banking financial institutions, all of which contribute significantly to the nation’s economic growth and stability.

Over the years, India has developed a comprehensive regulatory environment for its financial services sector. These financial regulatory laws are designed to maintain customer confidentiality and financial stability, prevent fraud, and promote healthy competition. That said, the financial services sector has become a preferred target for cyber-attacks. Studies report a 50% increase in data leaks in the banking and financial sector. The increase in cyberattacks reflects the need for a comprehensive data protection law governing data use and protection in India. In August 2023, the Indian government enacted the Digital Personal Data Protection Act, 2023 (“DPDPA”) into law.

This note closely examines the impact of the DPDP Act 2023 on the financial services sector and provides practical recommendations on approaching compliance with the new law for businesses in the space.

Regulation of Financial Services in India

Financial services in India are regulated by four main regulators: the Reserve Bank of India (“RBI”), whose supervisory role covers commercial banks, urban cooperative banks, financial institutions and non-banking finance companies; the Securities and Exchange Board of India (“SEBI”), which regulates capital markets, mutual funds, and other intermediaries; the Insurance Regulatory and Development Authority of India (“IRDAI”), which regulates the insurance sector; and the Pension Funds Regulatory and Development Authority (“PFRDA”), which regulates the pension sector in India.

As a part of their supervisory role, the sectoral regulators have defined obligations relating to data protection and cybersecurity for entities regulated by them – this extends to setting out data security measures, data sharing, storage, and confidentiality requirements, among others.

In addition to the sector-specific regulations issued by these regulators, India’s general data protection law comprises the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 issued under the Information Technology Act, 2000 (“SPDI Rules”). The SPDI Rules impose enhanced obligations on the collection and processing of “sensitive personal data or information”, which includes financial information such as bank account, credit card, debit card, or other payment instrument details.

Entities are also required to comply with the “Directions under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents for safe and trusted internet” (“CERT-In Directions”) which require organisations to, inter alia, notify the Indian Computer Emergency Response Team (“CERT-In”) of certain cybersecurity incidents (which include data breaches and data leaks) within 6 (Six) hours of their occurrence.

While the DPDPA 2023 has been enacted, it is yet to be enforced. Upon enforcement, which is expected to happen around May 2024, the DPDPA will form India’s first comprehensive law on data protection, applicable to organisations across sectors and sizes. Entities ought to take preparatory steps to attain compliance with the DPDPA: identifying what personal data they process, their roles and obligations under the DPDPA, and the other sectoral data protection requirements that they must balance against the compliance requirements of the new Indian data protection law.

Characterization as a Data Fiduciary or a Data Processor Under the DPDPA 2023

The DPDPA primarily regulates “data fiduciaries” and recognises “data processors”. It defines a data fiduciary as a person who determines the purpose and means of processing of digital personal data. On the other hand, a data processor is defined as any person who processes personal data on behalf of a data fiduciary. The DPDPA does not directly regulate data processors and imposes the overarching obligation of compliance with the law on data fiduciaries. Therefore, data fiduciaries ought to pass on obligations under the DPDPA to the data processors through contracts.

Additionally, the DPDPA also imposes enhanced obligations on a subcategory of data fiduciaries, called “significant data fiduciaries”, which are data fiduciaries especially notified by the Indian government based on factors such as the volume and sensitivity of personal data processed, risk to the rights of data principal (the individual to whom the personal data relates), potential impact on the sovereignty and integrity of India, risk to electoral democracy, security of the State, and public order.

Entities ought to carefully analyse their personal data processing activities to determine their status under the DPDPA for each processing activity. A data processor determination will significantly reduce compliance obligations under the DPDPA. At this stage, the DPDPA offers no guidance on the determination of an entity as a data fiduciary or as a data processor. From a global perspective, the determination of the purpose and means of processing depends on several factors: the data collection practices of the entity, whether the entity determines the essential and non-essential means of processing personal data, and whether the entity makes the decisions (in respect of data processing) that are reserved for the data fiduciary as opposed to those which may be left to the discretion of the processor, among others.

In the financial sector, regulated entities under sectoral laws (“REs”) often outsource certain aspects of their business and operations to third party service providers. In such a customer and service provider relationship, REs are likely to be considered data fiduciaries under the DPDPA. In certain circumstances, which are not insignificant, service providers too might be considered data fiduciaries under the DPDPA. For instance, if a lender outsources its lending activities to a lending service provider with a proprietary algorithm to determine eligible borrowers, given that both the lender and the service provider play a part in determining the purposes and means of processing, they are likely to constitute data fiduciaries for their respective processing activities. Therefore, actor characterisations under the DPDPA require deeper investigation into the RE-service provider relationships and their functions and activities.

Given the volume and sensitivity of personal data processed by REs, the importance of their functions for the nation, and their impact on the financial health of individuals, most REs are likely to be classified as significant data fiduciaries. Significant data fiduciaries are subject to additional obligations such as appointing data protection officers and performing data audits and data protection impact assessments.

Protected Categories of Data Under the DPDPA

The DPDPA intends to regulate the processing of “personal data” – that is any data about an individual who is identifiable by or in relation to such data. Interestingly, the DPDPA does not regulate any “sensitive” or “special” categories of personal data, unlike its predecessors or international counterparts.

Therefore, under the DPDPA regime, entities will not attract higher compliance obligations merely because they collect and process financial data (the processing of which is subject to higher compliance obligations under most other laws, including the sectoral regulators’ laws and the SPDI Rules).

Grounds for Processing Under the DPDPA

The DPDPA provides that the personal data of a data principal may only be processed for a lawful purpose with the “consent” of the data principal, or for certain “legitimate uses” prescribed under the DPDPA. The DPDPA prescribes high standards for seeking consent, which must be free, specific, informed, unconditional, and an unambiguous indication of the individual’s wishes, indicated through a clear affirmative action. Additionally, requests for consent must be accompanied or preceded by a notice detailing, among other things, the datasets collected and the purposes for their collection. Both the consent request and the notice must be provided in English and one of the 22 languages listed within the Eighth Schedule of the Indian Constitution. The legitimate uses of personal data include:

  • the purposes for which an individual voluntarily provides their personal data and does not indicate to the data fiduciary that they do not consent to the processing; and
  • employment related purposes and those to safeguard employers from liability.

Depending on the specific processing activities, businesses in the financial space ought to analyse each processing activity to determine the most appropriate ground for processing. The DPDPA does not provide for more flexible grounds to enable processing by businesses, such as the business’ legitimate interests, the performance of contracts, or compliance with legal obligations. For instance, under the present construct of the DPDPA, even where entities are required to collect and process personal data under a law, such as KYC data under the Prevention of Money Laundering Act, 2002, they might have to rely on the consent of the individual. This might not always be practicable. Considering industry feedback, we expect the Indian government to issue rules and introduce more practical grounds of processing.

Data Processing Obligations Under the DPDP Act 2023

The DPDPA imposes certain obligations on data fiduciaries, such as:

  • Data fiduciaries have the overarching obligation of compliance with the DPDPA, including for processing activities undertaken by their processors, and have the obligation to implement technical and organisational measures for this purpose. Additionally, data fiduciaries may only engage data processors under the terms of a valid contract.
  • Data fiduciaries have the obligation to ensure the completeness, accuracy, and consistency of personal data, when their processing will be used to make a decision about the data principal or will be disclosed to another data fiduciary.

Processing activities in the financial sector often involve data sharing between entities. Separately, businesses end up making several decisions about their customers (such as an individual’s eligibility for a loan or evaluating an insurance claim). Entities in the financial space must evaluate the latest technologies and measures available in the market to ensure compliance with this obligation, such as access control measures and performing regular audits to ensure data hygiene.

  • Data fiduciaries are obliged to implement security safeguards to prevent personal data breaches. They must further notify the Data Protection Board of India (the “Board”) and affected data principals of personal data breaches. The DPDPA does not prescribe specific security standards. A failure to implement security safeguards is punishable with fines of up to INR 2,500,000,000, and a failure to report incidents with fines of up to INR 2,000,000,000; both are among the highest penalties proposed under this law.

Entities will have to determine and implement measures appropriate to the risks posed by their personal data processing activities. Indian financial sector regulators have prescribed detailed cybersecurity frameworks for REs, such as the RBI’s Cyber Security Framework in Banks. These security frameworks may be used as benchmarks in identifying security safeguards for the purposes of the DPDPA.

In addition to breach notification obligations under the DPDPA, regulators such as the RBI, SEBI, PFRDA, and IRDAI too impose incident reporting obligations on REs, and breach notification obligations under the CERT-In Directions will continue to apply. Organisations triggering these notification obligations must revisit their cyber incident management plans to account for the new requirements under the DPDPA.

  • Data fiduciaries are required to erase personal data as soon as the purpose for which it was collected has been completed, or earlier if the data principal has withdrawn their consent to its processing, unless retention is required under applicable law.
  • Data fiduciaries are required to establish effective grievance redressal mechanisms.
  • Data fiduciaries are required to institute mechanisms and processes to enable data principal rights, including the rights to access, correction, and erasure of their personal data. Data principals also have the right to grievance redressal, and the right to nominate individuals who may exercise their data principal rights in the event of their death or incapacity.

The text of the DPDPA leaves several aspects open to be legislated upon under rules issued by the government under the DPDPA. We expect such rules to further clarify the compliance obligations.

Exemptions Under the DPDPA

The DPDPA exempts organisations from certain compliance obligations for specific processing activities. The exempted obligations include the general data fiduciary obligations (except for the overarching obligation to comply with the DPDPA and to protect personal data by implementing security safeguards), and the provisions relating to enabling data principal rights and cross-border personal data transfers. These obligations do not apply to certain processing activities, including:

  • processing necessary for enforcing any legal right or claim;
  • processing in the interest of prevention, detection, investigation, or prosecution of any offence or contravention of any law; and
  • processing for debt recovery purposes.

A range of processing activities undertaken by REs are likely to fall under these exemptions and significantly reduce compliance obligations. For instance, debt recovery efforts by lenders will benefit from this exemption.

Interaction With Sectoral Laws

In terms of its consistency with other laws, the DPDPA provides that the provisions of the DPDPA would be in addition to any other law for the time being in force. Additionally, in the event of a conflict between the DPDPA and other laws, the provisions of the DPDPA will prevail to the extent of such conflict. The only exception to this rule seems to be for conflicts in laws relevant to personal data transfers outside of India.

Under the DPDPA, the government intends to notify a “negative list” of countries; transfers of personal data to countries outside India will be permitted except to countries on this negative list. However, where another law provides for a higher degree of protection for, or restriction on, the transfer of personal data by a data fiduciary outside India, that law shall apply instead of the DPDPA. This is especially relevant in the financial services sector, where sectoral regulators mandate the localisation of data in India. Therefore, for data transfers, the specific sectoral regulations governing data storage will continue to be in force.

Next Steps

We expect that compliance obligations under the DPDPA are likely to be triggered in a phased manner. Accordingly, we are optimistic that businesses will not be expected to achieve compliance immediately. As such, there are preparatory steps that entities may take at this stage:

  • undertaking a data mapping exercise to identify the personal data points collected and processed by the entity. Entities must identify all data points they collect along with the purposes of their collection. Additionally, this inventory must record other relevant details against each data point identified, including the jurisdiction where such data is stored, the grounds or bases of processing (for instance, consent or legitimate uses), and the processors or third parties with whom such data is shared;
  • identifying sectoral data protection and cybersecurity obligations that may conflict with the DPDPA and balancing compliance based on the DPDPA’s provisions on conflict; and
  • identifying actor characterisations for each processing activity (that is, whether the business would be a data fiduciary or a data processor). Since data processors do not have any direct obligations under the law, a characterisation as a data processor significantly reduces compliance obligations. It must be noted that actor characterisations may vary depending on the processing activity an entity engages in.

These initial steps will aid businesses in the financial space in establishing a foundation to undertake meaningful compliance with the DPDPA.