Personal Data Protection Bill, 2019: How will it impact Fintech Companies in India?

Ashish M. Shaji

12 Aug, 2020

The Union IT minister Ravi Shankar Prasad introduced the Personal Data Protection Bill (PDP), 2019, in parliament last year. It may pose a challenge to the financial sector in terms of streamlining their existing obligations and activities with the conditions of the PDP Bill, 2019.  In this article, we will have a close look at the bill and its impact on fintech in India.

What is the Personal Data Protection Bill (PDP), 2019?

The PDP Bill 2019 provides a framework for safeguarding the privacy of citizens, bars technological companies from storing and processing confidential personal data without the permission of individuals.

The bill seeks to bring more accountability and transparency to the country’s information ecosystem and, at the same time, addresses the loopholes and data security concerns.

Its implementation is expected to create disruptions in industries and various sectors. One such sector is the fintech sector, which involves digital lending, investment platforms, etc. 

What rights are set out in the bill for individuals?

The bill specifies certain rights for the individuals. The rights are as follows:

• Right to receive confirmation from the fiduciary regarding whether their personal data has been processed;
• Right to seek correction of personal data that is either inaccurate or incomplete or out of date;
• Right to transfer personal data to any other data fiduciary in some events; and
• And a right to restrict disclosure of their personal data by a fiduciary, in a case where it is not required or consent, is withdrawn.

What are the key highlights of the Personal Data Protection Bill (PDP), 2019?

The key highlights of the bill are as follows:

• The bill governs the processing of personal data by government, companies incorporated in India, and by foreign companies.
• The bill categorizes personal data as sensitive data.
•  The bill envisages certain obligations by data fiduciary such as implementing security measures and institution of grievance of redressal mechanism.
• The bill provides for certain conditions for the transfer of data outside India like such transfer may be allowed for processing if consented by the individual, and the data must be stored in India.
• The bill empowers the central government to exempt any agency from the application of the Act in the interest of sovereignty and integrity of India, the security of the state, etc.
• It provides for punishment on the commission of an offense, such as processing or transferring personal data in violation of the bill.

Impact of the bill on API based banking

A popular form of fintech service is API (Application Programming Interface) based banking. It permits third-party applications to access data from a bank and provide a service. The relevant data in the bank’s database is accessed with API that provides access only to the queried and permitted data.

Such an exchange of data is outside the scope of RBI’s account aggregator framework. This framework lays down detailed data protection requirements. In the case of fintech provided services, the complete process is governed contractually. The PDP Bill, 2019 will bring about such data protection requirements.

How will the Personal Data Protection Bill (PDP), 2019, affect fintech?

It is expected that once the bill is implemented, it would create many disruptions across industries such as fintech. RBI and the market regulator SEBI have not yet released separate guidelines for fintechs. Therefore there are certain ambiguities with respect to regulations for fintechs in India.

The bill can lead the way for consent-based data sharing in the financial service sector. Often times, financial institutions fail to price risk accurately due to a lack of data on every individual. If the bill is enforced well, then customers would feel free to disclose personal data, and with more data at the disposal of fintech companies, they will customize the products and services much better.

The bill seeks to impose restrictions on cross border data transfer and also prohibits the processing of sensitive personal data outside India. Apart from it, organizations are not allowed to access customer data once the purpose of it is served. It can only be accessed upon explicit permission from the customer. It creates a regulatory impediment for fintech companies. 

The bill also poses a challenge to fintech companies in terms that it requires the fintech companies to prepare for additional compliance obligations. These companies deal with large volumes of sensitive personal data. The bill provides all types of personal financial data as personal sensitive data.

It may be noted that social media companies have been included within data fiduciaries. As social media intermediaries, their users require agreeing for voluntary verification of their accounts. Many social media giants have ventured into Fintech.

The Personal Data Protection Bill, 2019, which highly favors Data Principal, confers several rights upon them and imposes restrictions on data fiduciary. The flow of information is essential for fintech companies. Impositions of localization and many other strict norms may bring fresh challenges for fintech platforms while providing customers.

Conclusion

Read our article:Growth Aspect of Fintech in India