Fintech relies heavily on data. Its ability to effectively analyse non-traditional data sources and deliver customized financial products has been vital to the industry. Any law that regulates the manner in which data is collected, processed and stored will necessarily impact the way fintech does business. The Personal Data Protection Bill, 2019 (PDPB), tabled in Parliament in December 2019, recognizes the privacy rights of an individual in their data and creates a framework for the processing and storage of data.
The bill applies to personal data, that is, data that relates to an identifiable natural person. It seeks to regulate (i) the processing of personal data collected in India; and (ii) the processing of personal data by persons outside India where such processing relates to the delivery of goods and services to persons in India or to the profiling of persons in India.
The bill introduces key principles that any fintech platform has to understand and follow.
1) Consent for processing – Personal data may be processed only with the customer's consent, and only for the purpose for which that consent was given or for a purpose incidental or connected to it. A payments platform onboarding a customer for a payment product cannot then process that customer's data to determine eligibility for a loan or credit product unless consent has been specifically obtained for that purpose. The bill's "reasonable purpose" exceptions allow personal data to be processed without consent in limited cases, which include credit scoring, recovery of debt and the processing of publicly available personal data.
2) Data collection – Personal data shall be collected only to the extent necessary for the purpose of processing for which consent has been given.
3) Storage – Personal data cannot be stored beyond the period necessary to satisfy the purpose for which it has been collected and processed, and must be deleted at the end of that period. If a customer has consented to their data being processed for a loan, then once the loan has been fully repaid the lender is not entitled to retain or process that data for any other purpose and must promptly delete it, unless the customer has explicitly consented to longer retention or retention is required by law.
4) Terms and conditions – Many financial services entities have widely worded terms and conditions that allow them to collect multiple data sets, process that data for purposes linked to the services and for other purposes that may not be adequately disclosed, and store and transfer the data as the platform deems necessary. Such terms will not be compatible with the data protection bill, and fintech platforms should review them to ensure compliance.
5) Click-wrap contracts – The bill clearly states that the provision of a service cannot be made conditional on consent to the processing of personal data that is not required for that service. Financial services providers will therefore have to move away from the click-wrap contract model commonly used in terms and conditions, in which widely drawn consents must be accepted before customers can receive financial products.
Any customer sharing their data with a fintech platform has the right to know the categories of personal data being processed, the nature of the processing being conducted and the entities with whom such personal data is shared, and, most importantly, the right to have such data corrected, updated and erased once it is no longer necessary for the original purpose for which it was obtained. It is unclear whether entities will be able to retain and share data sets such as credit default histories for purposes other than mandatory reporting. There are clear benefits to the financial system as a whole from the processing and sharing of data linked to credit risk or default. It will be interesting to see how public-good arguments hold up against the data rights of the individual in this context.
The value of data is acknowledged, and a framework is urgently needed to protect the privacy and security of personal data. The bill addresses this need. Until now there has been no comprehensive framework for data protection in India, and the bill introduces rules and standards aligned with global practice. The fintech industry needs to examine its data policies, consent architecture and internal data handling systems and infrastructure to ensure it is data ready and able to comply with the bill. Penalties for non-compliance can be as much as INR 15 crore or 4% of the entity's total worldwide annual turnover, whichever is higher. It is likely that the level of access to sensitive data such as eKYC and Aadhaar (each resident's unique identity number) that an entity is allowed will depend on satisfying the regulator of its ability to securely handle and protect that data.
This article is intended for general information purposes only. The views and opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm.