The Bill intends to bring more ‘accountability and transparency’ into the country’s information ecosystem while addressing the loopholes and major data security concerns.
By Meghna Suryakumar
Union IT minister Ravi Shankar Prasad recently presented the draft Personal Data Protection Bill, 2019, in Parliament. The Bill provides a framework for protecting citizens’ privacy, barring technology companies from storing and processing ‘sensitive’ personal data without explicit consent from individuals. But it empowers the central government to “exempt any agency of government from the application of Act in the interest of sovereignty and integrity of India, the security of the state, friendly relations with foreign states, public order.” It also provides exemptions for ‘reasonable purposes’, such as prevention and detection of any unlawful activity including fraud, whistle-blowing, mergers and acquisitions, network and information security, credit scoring, and recovery of debt, among others.
The Bill intends to bring more ‘accountability and transparency’ into the country’s information ecosystem while addressing the loopholes and major data security concerns. Once implemented, it is expected to create disruptions across industries and verticals. One such sector is fintech, which includes digital lending, mobile payment companies and investment platforms. RBI and SEBI are yet to release separate, comprehensive guidelines for the fintech sector. Hence, ambiguity over regulations continues to be a pain point for fintech participants in India. With standardised rules in place, even smaller companies will have to adhere to practices that are on par with global standards.
The Bill can pave the way for true consent-based data sharing in the financial services industry. Financial institutions often fail to price risk accurately, mainly because they lack relevant data on each individual, so pricing is largely a game of averages applied over an aggregate. If the Bill is enforced strategically, customers may be willing to disclose personal data, as the chances of data misuse will go down. With more data available, fintech companies will be able to better customise their services and products.
At the same time, the Bill has sparked concerns within the industry as it requires fintech companies to prepare for additional compliance obligations. Fintech companies deal with large volumes of sensitive customer data: names, cellphone numbers, addresses, bank account numbers, credit history, PAN, etc. The Bill classifies all forms of personal financial data as ‘sensitive personal data’. As such, most companies operating in the fintech space could be categorised as ‘Significant Data Fiduciaries’ by the data protection authority (DPA).
The Bill proposes restrictions on cross-border data transfer, and prohibits processing of sensitive personal data and critical personal data outside India. Another challenge is the provision of a ‘right to be forgotten’, under which organisations are not allowed to access customer data after the purpose for which it was shared is met, unless they have explicit consent from the customer. This can create new regulatory bottlenecks for fintech companies. But it is the large internet companies, both global and domestic, that will face severe consequences. Since they won’t be able to assume ownership of consumer data, the Bill will not only eliminate their dominance over consumer data, but also erode their competitive edge where data was their moat. In contrast, opportunities will open for new players like consent brokers, who facilitate data sharing, storage and management of end-user data across multiple platforms on behalf of users.
Companies should start making investments in data systems to comply with the Bill; they would need to put the control of customer data back in the hands of its true owner, the customer. This is essential to obtain informed consent from the customer to use the data for specific purposes and to share it with other providers as well, if needed.
It might take a while for fintech companies to adapt to the new data protection guidelines. A quick makeover won’t suffice; they must make continued efforts to build a robust privacy system for storing and processing personal data. Despite initial hiccups, however, the Personal Data Protection Bill can be a game-changer for fintech companies, which can derive immense value from free sharing of data between the customer and the service provider as a result of new-found end-user comfort.
The author is founder & CEO, Crediwatch