Challenges Faced By Fintech after the Data Protection Bill 2022

07 Mar, 2023

The new data protection bill is aimed at bringing more privacy to customers. It will also provide more ease for doing business, and the central government can frame rules under the specified act. Moreover, the new data protection bill will impact fintech companies, whose work is to process financial and personal data. Fintech companies will face difficulties because the new bill will impose restrictions on storing data abroad. The bill will impact all three parties involved in data processing: the data principal, the data fiduciary, and the data processor. The data principal is the one who provides the personal data. The data fiduciary is the one who clarifies the manner and purpose of data processing. Finally, the data processor, as the name suggests, is the one who processes the data. In this blog, we will discuss the challenges faced by Fintech after the Data Protection Bill 2022.

Although the bill seems to be an improvement over the previous version, a comparison with the RBI’s guidance on Digital Lending 2022 reveals some challenges on fundamental issues, such as data localization, user permission, and the duration of data-keeping. Customers’ data privacy and client security frameworks have long been noticeably lacking due to a lack of data privacy laws and associated consumer literacy. The occurrence has increased due to the use of illegal app-based loans. In India, many debtors have reported experiencing severe abuse from online debt collectors, leading to deaths.

What Is The New Data Protection Bill 2022?

Any information that is used to determine or identify a person is known as personal information. Personal data is processed by both businesses and governmental organizations in order to supply products and services. Processing personal data enables comprehension of user tastes, which may be helpful for customization, focused advertising, and suggestion development. Law enforcement may benefit from the processing of confidential data. Unchecked processing may harm people’s privacy, which has been acknowledged as a fundamental right. Individuals may suffer injury from it, such as money loss, reputational damage, and profiling.

  • The Bill will apply to handling digital personal data processed within India, whether the data is obtained online or offline and then converted to digital form. If the processing is done to sell goods or services or create profiles of people in India, it will also pertain to processing done outside of India.
  • Personal information may only be handled with a person’s permission and for legitimate purposes, but in a few cases, you may assume that the person has consented to it.
  • Data guardians must keep data accurate and private, and delete it once its function has been served.
  • The Bill provides people with several rights, including the ability to request information, seek rectification and erasure, and file a claim.
  • For specific reasons, such as state security, public order, or the prevention of crimes, the central government may exempt government organizations from the Bill’s requirements.
  • To enforce adherence to the Bill’s terms, the federal government will create the Data Protection Commission of India.

Main Issues of Data Protection

  • Data gathering, processing, and retention may go above and beyond what is required if the State is granted exemptions from handling data for reasons like national security. This fundamentally compromises the basic right to privacy.
  • The Bill treats private and public organizations differently regarding permission and storing limitations when they carry out the same business function, like offering banking or communication services. This might go against the private sector providers’ claim to equity.
  • The federal government will regulate the composition, procedure, and tenure of nominations to the Data Protection Board of India. This calls into doubt the Board’s ability to operate independently.
  • Under the Bill, the Data Principal does not have the right to transfer data or to be erased.
  • The Bill mandates that before handling a child’s personal information, data guardians must first acquire verified permission from the child’s legal caretaker. Every data custodian must confirm the age of each person registering for its services to abide by this requirement. There may be negative repercussions for online privacy as a result of this.

Obligations of Fintech

  • The personal data that the fintech companies process belong to the people known as digital nagriks or data principals. As per the new data protection bill, the data principal must receive a notice in clear and simple language stating the details of the personal data that must be collected and the reason for collecting the data.
  • Consent of the individuals whose data is collected by the company must be duly taken. 
  • Before this Bill becomes law, permission must be freely provided, guided by nature, and unambiguous. It would also require re-consent as soon as it is practically possible.
  • Following the passage of this Bill into law, the Central Government is required to designate a class of Data Fiduciaries as Important Data Fiduciaries based on the number and sensitivity of the personal data handled. Several significant Fintech companies will probably be categorised as Important Data Fiduciaries based on their primary services. A data protection effect evaluation and the required appointment of a data protection officer are just a few of the extra compliances that would result from such mapping.
  • Fintech would be required to reply to Data Nagariks if they inquire about the following:
    • Confirmation that their personal data is being handled;
    • Provision of a summary with information thereon;
    • Data correction upon notification; and
    • Data deletion upon request.

Provisions of the New Data Protection Bill

  • Extraterritorial Application: This applies to any processing of “digital personal data” within India as well as outside of India if it is done in conjunction with the creation of customer profiles or the provision of products and services to data principals (India’s equivalent of data subjects).
  • Consent Administrators: The Data Protection Board of India (the Board) has authorised consent administrators who will work on behalf of the data owners to assist them in granting, evaluating, and revoking permission. India already has some permission administrators through the Account Aggregators (for exchanging financial data between controlled organisations), which also handle data portability.
  • Notification and Consent: Notice shall be in English, and other languages as the Indian Constitution may specify. Consent must be voluntarily given, precise, informed, and unambiguous, as required by data security laws, and it must be given in the form of a definite positive action. Data owners will be able to revoke their permission at any time.
  • Data Principal Rights: While some rights (such as the right to be ignored) have been left out, others (such as the right to knowledge, correction, and dispute redressal) have been included.
  • Cross-Border Data Transfer: A white-listing procedure has replaced the previous versions’ requirements for data duplication and localisation. The federal government will inform countries and regions outside of India that will receive data transfers.
  • Non-Consent-Based Processing: The Digital Personal Data Protection Bill specifies exceptions to consent, or “deemed consent,” allowing non-consent-based processing in cases of voluntary submission of digital personal data to a data fiduciary; for processing necessary to carry out a legal obligation or to adhere to a court order or judgement; for employment and related purposes; in the public interest, such as fraud prevention, credit scoring, or M&A; and for practical purposes that will be determined by the data fiduciary. Many companies will use these significant exceptions when handling data.
  • Carry Out Duties: The central government will designate the Data Protection Board of India to carry out duties such as finding non-compliance, enforcing fines, or taking immediate action in the event of a violation, along with any other responsibilities placed on it by the central government. A judgement of the Commission may be appealed to the Supreme Court.
  • Data Fiduciary Duties: Companies processing “digital personal data” are subject to primary data fiduciary duties, which include duties related to data quality, requirements for technical and organisational measures, notifications of data breaches, restrictions on data retention, and rules for transfers to data processors. Moreover, it is mandatory to hire a data protection officer. Significant data guardians will have increased responsibilities. The central government will notify them based on the volume and sensitivity of handled personal data and the danger of damage.
  • Penalties: According to the Schedule, there are up to Rs 500 billion in fines for each incident of non-compliance. For instance, failure to implement adequate security measures can result in penalties of up to Rs 250 crore. In comparison, failure by a significant data fiduciary to comply can result in fines of up to Rs 150 crore.

Challenges Faced By Fintech Companies

Following are some challenges faced by Fintech Companies:

  • Impact on Sectoral Laws

This is one of the main challenges faced by Fintech Companies. Fintech companies must comply with the IT SPDI regulations. In addition, there are numerous industry-specific privacy laws (such as telecom, financial, and health). The most current Digital Lending Rules, the Account Aggregator Framework, and the Digital Payment Security Controls are just a few examples in the fintech industry. There are also general confidentiality rules, such as RBI requirements, that require banks to confirm that customers have given their permission before data is disclosed.

Fintech innovation requires teamwork and collaboration with other industries, such as telco (for OTT services, for instance, or Meity) and financial authorities (insurance, pension, securities, and banking). To guarantee regulation cooperation, the former Personal Data Protection Bill, 2019 permitted the Data Protection Authority of India to sign Memorandums of Understanding with other regulators/authorities. While an overarching regulation, the present Digital Personal Data Protection Bill creates a comparable clash with rules that apply to particular industries.

Clarification is provided in this regard by the Explanatory Note to the Digital Personal Data Protection Bill released by Meity, which states that this Bill will only apply to the degree of such a dispute and that the industry law will take precedence. Whatever the case, the ultimate data security law will require a sector-by-sector examination of its application, potential conflicts, and interpretation to permit financial organisations to comply. Although it will usually be the reverse, where the sectoral regulation mandates more stringent protections, a specific conflict can emerge when the sectoral law explicitly allows more lax privacy protections than the DPDP Bill.

  • Impact On Increasing Mergers

This is also one of the main challenges faced by Fintech Companies. Various mergers, acquisitions, and consolidations are noteworthy financial developments that will soon reach India. The coronavirus epidemic might also lead to some industry consolidation to help struggling businesses survive. Data will be a significant factor in the choices made, both as a danger to be evaluated and as a commodity to be valued.

Monitoring significant actions taken by the planned Data Protection Authority (“DPA”) and carrying out independent privacy assessments as part of the businesses’ own previous due diligence processes will become necessary. Due to the sizeable penalties under the Bill (2-4% of total global turnover), the seller will also be required to provide indemnities and guarantees, such as that there have been no data leaks and that all of its operations are in complete compliance with the law.

The main thing is ensuring data protection compliance throughout the M&A process (such as identifying a lawful basis for processing, providing notice to data principals, etc.). Notably, Section 14(2) of the Bill suggests M&As as a “reasonable purpose” for processing that is free from the permission requirement. Notably, the initial 2018 Bill did not permit the exclusion of sensitive personal data (“SPD”) for a justifiable purpose in light of categorising financial data as SPD. However, the 2019 Bill does not distinguish between the two. Therefore, SPD, including financial data, will also fall under the purview of the permit exemption for M&As unless further clarification is provided in the final document.

Why is a Task Force Required for Data Protection?

The Protection of Data Privacy bill is a significant problem because Data Protection Authorities are given much leeway. Thus, there currently needs to be more elements of compliance. Only after the Data Protection Act is established and guidance papers, codes of practice, etc., are released will the full picture of the fundamental obligations for a particular sector and the flexibility permitted become clear. To accomplish this efficiently:

  • The discretionary authority should be curbed by adding more precise legal provisions to serve as guidance, such as specifying exemptions or defining reporting deadlines for data breaches.
  • It will also be crucial to streamline industry-level standards. The Steering Group on Fintech-Related Issues suggested creating a Task Force to examine and harmonise existing financial legislation with the Personal Data Protection Bill, 2019[1] as one way to achieve this. Another way to accomplish this is to permit industry-developed but DPAI-authorised codes of conduct. These will be crucial measures for the financial sector and other heavily controlled sectors like healthcare.
  • For a more equitable distribution of authority and responsibility, the second Steering Committee recommendation, that some Data Protection Authorities’ duties be delegated to other industry regulators, must also be put into practice.

Existence of Data Privacy and Protection Bill with Other Laws

  • Where a rule is in effect, problems can still occur. For instance, the Personal Data Protection bill only acknowledges goals that are “necessary” by legislation. Think about the RBI’s Master Direction on KYC, which gives banks some latitude over disclosures and allows them to do so in cases where “the bank’s interest necessitates disclosure” or “when it is the duty of companies to reveal the information to the public” [Section 56(d)]. It is unclear whether different discretionary powers fall under the Personal Data Protection Bill’s definition of “necessity,” given that this is a prescribed law, or whether these will require a distinct Data Protection Authorities sanction.
  • Similar to minimal retention periods, maximum retention periods must be specified in the Personal Data Protection bill. For example, the KYC guidance sets a maximum retention period of five years. Companies must decide when to delete data on their own if maximum times are not incorporated into the data security itself.


Only Indian rules are listed as an exception to assent in the Personal Data Protection Bill. This means that any requirements enforced by international law, a treaty, etc., will require agreement unless they are exempted as serving a useful purpose. For instance, card networks mandate Payment Card Industry Data Security Standard conformance as a worldwide compliance standard for card payments (i.e., not an Indian law). The banking industry will need to determine whether a law already exists, if an exemption applies (for Payment Card Industry Data Security Standard, for example, the sensible purpose exemption for fraud prevention/information security will apply), or if permission is required for each such duty.
