April 11, 2025
Data privacy issues for banking and finance companies in India

Market players prefer relaxed or no regulations in the early stages of an industry. However, studies have shown that an industry booms with regulatory rollout, especially when it comes to data protection.

When the California Consumer Privacy Act (CCPA) was introduced, fintech was wary. But statistically, loan applications to fintech, as compared to traditional banks, jumped by 19% in the mortgage markets of the US. India is on the cusp of the rollout of its online data protection regime, the Digital Data Protection Act, 2023 (DPDP), with the industry having mixed feelings and regulations on a cliffhanger as this article is written.

In the author’s day-to-day contract negotiations in the banking and finance space, we see one party beseeching protection or indemnity on the basis of a proposed provision of the impending data privacy regime and the party with more leverage batting it off, stating that the regulations are not in force yet. But considering vendor and partnership contracts in banking, financial services and insurance (BFSI) are generally long term, it is advisable for the industry to start playing out negotiations as though the law is already in force.

Kritika Krishnamurthy
Founding Partner
AK & Partners

This is because the DPDP proposes to shift the power dynamics of consumer data in India so subtly that the industry does not realise it yet. While consent is still necessary for any data collection, storage or processing, continued and changing terms of consent of the consumer shall govern all digital data transactions in India.

Between the data principal (party that has originally sought consent) and the data fiduciary (acting on behalf of the data principal to collect, store or process data), no one will have the upper hand. One shall require the other, and their systems are merged so symbiotically that the flutter of the wings of a butterfly at one end can cause a typhoon (or in this case a data breach, for example) for either of the parties (not just the data principal).

So, each party in the data system shall have to adequately, if not equally, protect each other’s systems and territories with mutual cybersecurity measures that flow down the value chain of data fiduciaries and consent managers.

It is also important to start thinking about reporting systems beyond incidence and audit. Reliance on certifications and independent audits needs to be increased; otherwise, the entire industry will be in a perpetual state of infosec audits – important, but not contributing any real revenue to the actual business of business.

For the first time in the world, India proposes to regulate consent managers. Consent managers shall manage the dynamic consent of a consumer volunteering his/her data for data principals and data fiduciaries. Although their primary agreement shall be with the data principal, the entire system of data use shall not be feasible without the consent manager sharing a technological interface with the data principal’s data fiduciaries.

In the case of the data principal and consent manager, both shall be equally regulated so one cannot cry wolf and seek additional contractual protections. It shall be the data fiduciary, primarily the fintech in India, that shall have to put their foot down for the protection of their technology and the splashback of regulatory penalties that can flow from the new DPDP regime.

Then there will be a contract between two data fiduciaries, which shall have to be negotiated only on the basis of what boundaries and damages have already been agreed with the data principal and consent managers.

Although one-sided onerous contracts may seem like risk hedging for regulated entities, they will impact growth in the long run. A word to the wise for the regulators – the inspection and audit mechanisms of the regulators in India also need to be sensitised to commercial contract negotiations.

The expectation of having the exact regulatory language dictated in circulars is wrong. It is important that the essence and intent are captured. But regulation should not come in the way of the freedom of commercial contracts. Instead of turning regulated entities in India into “big brothers”, it is important that regulation is uniform and universal, if necessary.

The banking, finance, insurance and fintech industries in India are on the cusp of change. Change is good – after all, as we say in India, change is the law of the universe.

AK & Partners
C18 Third Floor, LSC 1, C Block Market,
Vasant Vihar, New Delhi
T: +91 11 41727676

www.akandpartners.in
