The need to synchronize sector-specific regulations with data protection regulations

Cutting across sectors and borders, the Digital Personal Data Protection Act 2023 (DPDPA or the Act), a concise, principle-based, horizontal piece of legislation, was passed in August 2023 (it has not yet entered into force). Given that the substantive and procedural aspects of the Act are left to delegated legislation, the first set of rules is expected to be put out for public consultation within 100 (one hundred) days of the end of the ongoing general elections(1), if the incumbent government is re-elected.

Financial sector regulations for entities such as financial institutions, card issuers, digital lending apps, rating agencies, investment advisors and insurance companies already impose compliance obligations with respect to personal data, e.g. obtaining explicit customer consent before processing, data localization and reasonable safeguards. Some of these regulated entities in the financial sector are likely to be classified as significant data fiduciaries (SDFs) under the DPDPA, owing to the volume and sensitivity of the personal data they process, which brings additional compliance requirements and higher penalties for violations. This article analyzes the interplay of sectoral provisions with the Act, with particular reference to the regulations of the Reserve Bank of India (RBI).

The DPDPA applies to all entities that determine the means and purposes of processing personal data, going beyond sector-specific regulations. In the event of a conflict between the DPDPA and any other law, including sector-specific legislation, the DPDPA will prevail to the “extent of such conflict”.(2) For example, the Payment and Settlement Systems Act 2007(3) and the RBI’s KYC Master Directions, 2016(4) allow disclosure of data with the “implied consent” of the customer in certain circumstances. The DPDPA does not mention “implied consent” or “deemed consent”, but it does allow the processing of personal data without express consent for certain “legitimate uses”, such as voluntary disclosure, a medical emergency, compliance with an order, protection of interests, trade secrets, etc. This creates a conflicting position in the law and requires a subjective call on the part of the business as to which provision applies, creating uncertainty for those expected to manage compliance with both regimes. A compelling case must be made to the government and sector regulators for a thorough review of the financial regulations governing personal data, so that they are brought seamlessly into line with the Act for industry-wide implementation. In the rulemaking process, it is imperative that the government navigates this complex landscape with attention to detail, providing clarity where there is confusion and ensuring a smooth transition for all parties involved.

Recent amendments to the Credit and Debit Card Master Directions(5) require card issuers to obtain the consumer’s “explicit consent”, in keeping with the purpose limitation principle under the DPDPA, and to ensure strict compliance with the applicable data protection legal framework. Going forward, the regulator may integrate the data protection requirements of the Act more closely into financial sector regulations; however, clarifications or amendments are still required where existing regulations take conflicting positions. Other financial sector regulators, such as the Insurance Regulatory and Development Authority of India (IRDAI), have already begun to explicitly subject sector-specific provisions to the DPDPA. For example, the recently notified PPHI and Allied Matters Regulations, 2024(6) issued by IRDAI make it mandatory for insurers to comply with the Act for information collected during customer acquisition or at subsequent stages.

With regard to cross-border data transfers, the change in the government’s approach from a ‘whitelist’ under the Bill to a ‘blacklist’ under the Act(7) is a welcome move. However, the Act contains a ‘notwithstanding’ clause that preserves sector-specific rules restricting such transfers, or any condition attached to data transfers that ensures a ‘higher level of protection’.(8) The term ‘higher level of protection’ is subjective and is not defined in the Act. This appears to be a novel approach, inspired by the EU and Singapore data protection regimes, and reflects the legislative intention to uphold the position of sectoral regulators in view of the sensitivity of the data processed by financial sector entities. Therefore, data localization requirements set by the RBI (e.g. storage of payment system data(9), the RBI Digital Lending Guidelines(10)) and other regulatory authorities will prevail over the DPDPA. Regardless of the change in approach under the DPDPA, the RBI is unlikely to abolish data localization (at least in the short term), even though it has been a key concern for RBI-regulated entities.

The Act requires that, upon withdrawal of consent, data fiduciaries cease(11) (and cause their processors to cease) processing such data within a “reasonable time” and erase(12) it, unless the provisions of the Act or of any other law applicable in India require its retention. This is important because the Act recognizes that, although a right to erasure is provided, in certain circumstances (e.g. prevention of crime and ongoing litigation) data must be retained under other provisions. Given that applicable laws prescribe different retention periods for certain data, an entity will need to consider each request to erase or stop processing carefully, to ensure that retention of the data is not required by any other applicable law (e.g. the Prevention of Money Laundering Act – 5 years(13); CERT-In Cybersecurity Directions – 5 years(14); RBI Master Directions on PPIs – 10 years(15)).

To draw a further analogy, the Act gives data principals the ability to give, manage, review or withdraw consent through consent managers registered with the Data Protection Board. The concept of consent managers is similar to the account aggregator framework(16) implemented by the RBI, which primarily aims to facilitate the exchange of financial information between various regulated entities and relies heavily on customer consent. However, there is some question as to whether account aggregators will additionally need to register with the Data Protection Board, given that they effectively perform a function similar to that of consent managers, insofar as “financial information” includes personal data such as customer identity. The Citizen’s Charter required under the Account Aggregator directions, which explicitly guarantees the protection of customers’ rights, should ideally also reflect the rights of the Data Principal under the Act once it enters into force. While the central government still has the scope and time to refine the detailed process for consent managers, it may be appropriate to draw inspiration from the account aggregator framework, which has been in place for some time. Bringing these two distinct frameworks into closer alignment could help users cope with “consent fatigue” around personal data.

In addition, financial entities regularly engage third-party service providers to outsource information technology and certain eligible financial services. Much like the RBI regulations, which place primary liability on the regulated entity that outsources its services, the DPDPA makes the data fiduciary liable for any breach committed by a third party engaged by it (the data processor)(17). This raises the stakes of compliance for regulated entities, in particular SDFs, which will now have to ensure that any outsourced activity involving the processing of consumers’ personal data is carried out only under a valid contract that adequately addresses the requirements of both the RBI regulations (such as data storage) and the DPDPA (such as erasure instructions and timely cessation of processing).

The Act provides for significant financial penalties(18) for breach or non-compliance, in addition to other measures such as the blocking of services(19) and any punitive measures that may be imposed under sector-specific legislation. It would therefore be prudent for businesses to urgently assess their data processing practices, including but not limited to mapping legacy data, how they collect and process data, and with whom they share it. It is time for companies to start streamlining their privacy policies and internal processes, engaging expert advisors, and sensitizing their employees and staff to the intricacies of this game-changing legislation. This is an opportune moment for entities to reflect on these issues, rather than simply waiting for the rules to enter into force.

By not applying to past data processing, the Act takes a pragmatic approach that avoids significant shocks to business. This strategic foresight underscores India’s trajectory as a growing global economic power. While, unlike its 2019 predecessor(20), it lacks provisions on inter-regulatory coordination(20), the Act encourages voluntary efforts towards collaborative dialogue between government authorities and sector regulators. Financial sector regulators should also actively consult with the industry to understand the challenges of implementing the Act, while upholding their mandate for sectoral regulation. A proactive approach to harmonizing existing regulations with the DPDPA can mitigate unintended conflicts and create an enabling business environment, while keeping data protection at the forefront. As the ongoing elections draw to a close, it falls to the incoming government to implement the law in a way that protects the interests of stakeholders and preserves the broader objective of personal data protection amid policy stability.


(1) https://www.business-standard.com/industry/news/dpdp-rules-it-rules-amendment-on-meity-s-100-day-agenda-after-elections-124042100232_1.html

(2) S.38 of the Act

(3) https://lddashboard.legislative.gov.in/sites/default/files/A2007-51_0.pdf

(4) https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=11566

(5) Reserve Bank of India – Key Guidelines (rbi.org.in)

(6) S.18, Document Details – IRDAI

(7) S.16(1) of the Act

(8) S.16(2) of the Act

(9) https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11244&Mode=0

(10) https://rbi.org.in/Scripts/NotificationUser.aspx?Id=12382&Mode=0

(11) S.6(6) of the Act

(12) S.8(7)(a) of the Act

(13) https://enforcementdirectorate.gov.in/sites/default/files/Act%26rules/THE%20PREVENTION%20OF%20MONEY%20LAUNDERING%20ACT%2C%202002.pdf

(14) https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf

(15) https://m.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=12156

(16) https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=10598

(17) S.8(1) of the Act

(18) S.33 of the Act

(19) S.37 of the Act

(20) https://prsindia.org/files/bills_acts/bills_parliament/2019/Personal%20Data%20Protection%20Bill,%202019.pdf