The Personal Data Protection Bill, 2019 was expected to be introduced for legislation in the Winter session of the Parliament. It has now been referred to a Joint Select Committee for further evaluation. Regardless of the results of such evaluation, the provisions sought to be introduced will overhaul India’s data protection regime and address the loopholes and inadequacies currently plaguing the country’s information ecosystem.
Fintech companies collect and process data of individuals (Data Principals) as part of their business operations. The Bill severely impacts the manner in which such data is handled, and it is therefore important for fintech players to understand the ramifications of the impending legislation.
An important provision of the Bill is the concept of ‘Significant Data Fiduciary’. According to the Bill, the data protection authority (DPA), based on factors such as the volume of personal data processed, the sensitivity of personal data processed, the turnover of the data collecting entity (Data Fiduciary), the risk of harm resulting from any processing, and the use of new technologies, may notify certain Data Fiduciaries as ‘Significant Data Fiduciaries’. Considering the volume and sensitivity of personal data handled by fintech companies, it is likely that the government may categorise fintech companies as ‘Significant Data Fiduciaries’. This would entail additional compliance obligations for fintech companies that are already struggling with the plethora of laws and regulations with which they must comply. It would also add to their operational costs.
Some of the compliance obligations include conducting data protection impact assessments, appointing a data protection officer, record-keeping, and having their policies and processes audited yearly. Though the regulations detail the criteria for being classified as a Significant Data Fiduciary, fintech companies should start preparing for these additional compliance obligations now.
Restrictions on cross-border transfer of personal data
Adding to the burgeoning costs and compliances, the Bill has placed specific restrictions on cross-border transfer of sensitive personal data (SPD) and critical personal data. If an entity wants to transfer any SPD or critical personal data outside India, it can do so if explicit consent of the Data Principal has been obtained and if such transfer conforms with standard contractual clauses or intra-group schemes that comply with the requirements prescribed by the DPA. The Bill has not spelt out the details of the ‘standard contractual clauses’ or ‘intra-group schemes’. However, it is speculated that both these concepts would be on the lines of the ‘Standard Contractual Clauses’ and ‘Binding Corporate Rules’ enshrined in the GDPR. Implementation of ‘standard contractual clauses’ could be similar to the RBI’s requirement for banking entities to include certain standard clauses in their outsourcing contracts when activities are outsourced by them.
Though data localisation was under discussion for a while, the Bill now makes it mandatory. SPD includes, amongst other features, sensitive information such as financial data, health data, biometric data, and official identifiers. The Data Fiduciary must ensure that a copy of the SPD collected is stored or mirrored (in case it is to be transferred overseas) within the territory of India. While the government is yet to define ‘critical personal data’, it has explicitly mentioned that all critical personal data must be stored and processed only in India. In the event ‘critical personal data’ is collected by the fintech companies, then such a company would need to comply with this important provision of the Bill. The cost of mirroring data in India will be an additional burden on fintech companies.
In addition to the costs that fintech companies may have to bear for compliance obligations and data localisation, the Bill seeks to provide Data Principals with the right to erasure. This may pose a compliance challenge for fintech companies. The Bill allows Data Principals to ask for erasure of their data that is no longer necessary for processing. The Bill also allows Data Fiduciaries to reject such a request by providing adequate justification in writing. However, there are ramifications in case the Data Principal is not satisfied with the justification.
Fintech companies function in an ecosystem where data interacts on the basis of multiple dependencies. Erasure of one data point or data-set that forms part of a larger chain of information constituting a financial transaction may be problematic. Fintech companies may need to factor in enhanced capabilities to cater to such demands. This would, of course, involve time and cost.
A notable provision in the Bill is the right of the government to access any anonymised personal data or other non-personal data from the Data Fiduciary or data processor. This provision has serious ramifications for the fintech industry. While the obvious inference is that the government can seek details of all encrypted personal data that is otherwise protected, there is a lurking danger as well. What is non-personal data? Proprietary information of a company? Intellectual property? The hallmark and essence of fintech companies is that they have innovations, technologies, and out-of-the-box ideas. If the government can access such data, then who will prevent misuse or leakage of that data?
In fact, Justice BN Srikrishna, who led the committee that drafted the Bill, said the Bill is dangerous and could turn India into an onerous state. This seems to be one amongst the concerns that led to the Bill being shelved for further evaluation.
Need to prepare for legislative overhaul
Adding to the cost and compliance issues, restrictions on biometric data would be another source of worry for fintech companies. According to the Bill, a Data Fiduciary cannot process such biometric data as is notified by the government, unless such processing is permitted by law. Considering that several fintech companies rely on biometric data for various purposes (including authentication), it may be a challenge if the use of certain biometric data is blacklisted by the government. At present, fintech companies can use biometric data after obtaining consent from Data Principals. However, with the restriction included in the Bill, fintech companies may have to rework their business models in terms of the usage of biometric data. Further, the language is also unclear in respect of existing laws that permit the use of biometric data. Would it mean that if an existing law permits the usage of certain biometric data, that law supersedes the government’s notification blacklisting such biometric data? It would be helpful if the government clarified this provision of the Bill.
As potential Significant Data Fiduciaries, fintech companies need to prepare for the impending legislative overhaul. The Bill, whether in existing or revised form, could usher in a new era in India’s fintech story. It may transform the way fintech companies in India are viewed the world over. Indian practices could potentially be emulated elsewhere. It is hoped that the grey areas in the legislation get addressed in parliamentary debates, and the legislation that is passed adequately addresses them.
Probir Roy Chowdhury and Vishnu Nair are Partners and Kavya Katherine Thayil is Associate, at J Sagar Associates. The views are personal.