Rethinking Data for Fintechs

Written by

Smita Jha, Prashanth Ramdas, Ishani Sahai, Jino Mathews Raju

Published on

23 January 2024

The Digital Personal Data Protection Act 2023 (Act) places the primary obligation on ‘data fiduciaries’ to protect the digital personal data of individuals and to implement consent artifacts, including for any outsourcing arrangements for processing. Entities that merely process such data at the behest of another entity, called ‘data processors’, are excluded from the statutory compliance obligations under the Act. The Act defines a ‘data fiduciary’ as any entity determining the means and purpose of processing personal data. Entities handling data are therefore required to undertake this classification exercise as the first step, i.e., to determine whether they are merely data processors or can be classified as data fiduciaries.

Fintechs are broadly categorised as entities that provide financial services through digital means or facilitate financial services through digital means. Naturally, the outsourcing arrangements of Fintechs are often the lens for assessing regulatory boundaries. With extensive outsourcing of services in the Fintech ecosystem, it becomes imperative for Fintechs to assess who dons the hat of the data fiduciary or the data processor under the Act. For instance, while a data analytics firm that only provides data analysis or aggregation services to a financial institution might be classified as a data processor, a loan service provider that maintains an independent customer interface and collects personal data of customers on behalf of the lending partner (but may use the same data for other purposes, such as targeted advertisements or cross-selling) may be classified as a data fiduciary. Therefore, assessment of capacity is the first step towards compliance, and towards ring-fencing statutory and contractual liabilities.

Data fiduciary or significant data fiduciary

The compliance obligations are further augmented for ‘significant data fiduciaries’, with requirements such as the appointment of a data protection officer and an independent data auditor, and the undertaking of periodic data protection impact assessments and audits. Unlike its predecessors (the Data Protection Bill, 2019 and the rules framed under the Information Technology Act, 2005), the Act does not provide for gradation of data into sensitive or non-sensitive categories attracting higher compliance requirements. While it is incumbent on the Central Government to notify which entities would qualify as significant data fiduciaries, one of the determining factors for such classification is the ‘sensitivity of personal data processed’. Since financial data was deemed sensitive personal data under the preceding legislations, there exists the possibility of Fintechs being categorised as significant data fiduciaries under the Digital Personal Data Protection Act 2023. This may be based either on a subjective assessment of the quality of data being processed or on a licence-based classification of entities, i.e., entities holding licences from financial sector regulators.

Many hats, many masters

Fintechs are quite familiar with regulations governing the handling of personal data. For instance, the Reserve Bank of India (RBI) has been overseeing data management and prescribing norms, including data localisation norms, data collection and storage restrictions in digital lending, card data tokenisation, baseline data security standards, etc. This ensured that Fintechs were not caught off guard by the sophisticated consent mechanism introduced under the Act.

In anticipation of the dilemma of complying with either the Act or sectoral norms, the Act clarifies that it should be read in addition to (and not in derogation of) any other law, with the only caveat that the Act would prevail in case of any conflict between the Act and any other law. A harmonious interpretation would imply that stricter compliance under the Act takes precedence over data protection stipulations in sectoral regulations, and vice versa. This means that merely adhering to the notice-and-consent mechanism envisaged under the Act would not dilute the compliance requirements under sectoral regulations.

Exemptions and relaxations

The Act outlines specific relaxations, including exemptions from consent requirements for voluntarily provided data, as well as for certain ‘legitimate purposes’. The ‘legitimate purposes’ include the prevention, detection, and investigation of offences, which covers financial frauds and the processing of financial information related to loan defaults. Payment gateways, when accessing financial data such as bank account or card details temporarily, may leverage the exemption for voluntarily provided data, eliminating the need for specific consent. Fintechs, depending on their data processing classification and purpose, might find it strategic to utilise these exemptions.
