[Ganesh BL is an associate at a law firm in Mumbai]
The Indian Government has, after prolonged consideration, enacted the Digital Personal Data Protection Act, 2023 (‘DPDP Act’). The DPDP Act provides a comprehensive legal framework for the collection and use of digital personal data (‘DPD’). The DPDP Act identifies two parties involved in the collection of DPD, i.e., a data fiduciary and a data processor. The data fiduciary determines the purpose for the collection and the means of processing the DPD, whereas the data processor aids the data fiduciary in the collection and processing of DPD.
The introduction of the DPDP Act has profound implications on multiple sectors, including but not limited to the fintech sector, which was largely unregulated until the recent past. The DPDP Act seeks to strike a balance between protecting an individuals’ personal data while also fostering innovation in the fintech space. Although welcome, the DPDP Act provides for a scheme that is incongruent to the existing framework governing the fintech sector, i.e., the Guidelines on Digital Lending (‘GDL’) issued by the Reserve Bank of India (‘RBI’) in 2022. In this post, I argue that the DPDP Act has furthered the ambiguity surrounding the governance of the fintech sector and is contradictory to the scheme of the GDL.
A Shift in Business Model?
The quintessential structure of most fintech companies involves two entities, i.e., the regulated entity and the fintech operate. The regulated entity is typically a financial institution regulated by the RBI that provides the financing to customers. The fintech operate runs the digital platform through which customers avail financing.
Currently, the GDL places the onus of protecting a customer’s DPD on the regulated entity. Such an entity has the additional obligation of also ensuring that the fintech operate complies with and ensures the privacy and the protection of a customer’s DPD once collected. The fundamental challenge faced in the fintech space with the introduction of the DPDP Act is the inability to determine whether the regulated entity or the fintech operate is a data fiduciary and/or a data processor.
The broad manner in which a data fiduciary and a data processor have been defined under the DPDP Act, ensures that both regulated entity and fintech operates fall within the ambit of data fiduciaries and data processors as defined under the DPDP Act, respectively. Currently, both, regulated entities as well as fintech operates determine the purpose for the collection and the means of processing DPD and also collect and process DPD. Hence, fintech companies will now have to explicitly identify the exact nature of the relationship between the regulated entity and the fintech operate and their respective obligations prior to collecting the DPD of a customer. Be that as it may, given the ambiguity and the opacity in the DPDP Act, both the regulated entity and the fintech operate would still fall prey to the ambiguity of the extensive legislation. Furthermore, this position seemingly contradicts the GDL as regulated entities as well as fintech operates will be liable for any breach in the governance of DPD, whereas under the GDL only regulated entities were liable.
Extra-territoriality of the Legislation
Under the GDL the process for collecting DPD is distinct to the process under the DPDP Act. Under the GDL, for example, regulated entities are to ensure that data collected is stored in servers located within India, whereas the DPDP Act is silent with respect to data localization or storage requirements. Furthermore, expanding the scope of the GDL, the DPDP Act also has extra territorial application, as it applies to the collection of DPD whether collected in India or in an offshore jurisdiction. The rationale behind the silence in the DPDP Act seems to stem from the extra territoriality in the application of the legislation; however, the silence places fintech companies in a legally indeterminable position.
Storage Requirements in Conflict with RBI Mandates
Under the DPDP Act, data fiduciaries and data processors are required to delete any DPD that is collected once the intended use of such collection has been satisfied. However, this is in contradiction to the existing Know – your customer Directions (‘KYC Directions’) issued by the RBI. The KYC Directions mandate financial institutions including fintech entities to maintain records of transactions with their customers and the data of such customers for a minimum period of five years, which seemingly contradicts the position under the DPDP Act.
The fintech sector in India has grown exponentially in the recent past (for reference see here and here). While the regulation of the sector is pertinent, the growth of the same should not be restricted by ambiguous legislation. Non-compliance with the DPDP Act also has far reaching repercussions such as imprisonment and monetary penalties of up to INR 250 crore. The fintech sector, especially in India, is essential as it provides greater accessibility, better redressal mechanisms and safer alternatives to current avenues of procuring finance (for reference see here and here). While, the operation of the DPDP Act is yet to have affect, fintech entities ought to seek clarification from the RBI while striving to achieve compliance with the DPDP Act.
– Ganesh BL