Personal data is a valuable asset in today’s digital world, allowing businesses and governments to tailor services and products to individual preferences. However, the unchecked processing of personal data can compromise privacy and potentially lead to harm.
Businesses and government entities use this data to improve services, offer targeted advertisements, and enhance recommendations. Conversely, misusing personal data can lead to financial losses, damage to reputation, and profiling, which is why protecting personal information is seen as a fundamental right. The DPDP bill encompasses personal information using which an individual may be identified, including but not limited to physical condition(s), sexual orientation, medical records, biometrics, financial details, and other information that may be deemed private. It passed in both houses in early August 2023.
History of the Bill
India’s current data protection framework is governed by the Information Technology (IT) Act of 2000, which lacks a dedicated focus on data privacy. In response, the government formed a Committee of Experts on Data Protection in 2017 to examine this issue. The committee submitted its recommendations in 2018, leading to the introduction of the Personal Data Protection Bill in 2019. However, the process faced several delays and revisions before introducing the Digital Personal Data Protection Bill in 2023.
What is the bill all about?
The critical aspects of the new bill include:
1. Applicability- The bill covers the processing of digital personal data in India. This includes information collected online and offline, which is later digitized. The processing includes collection, storage, use, and sharing. It also extends to personal data processed outside India if the information is related to goods or services offered in India.
2. Consent- Individuals’ data can only be processed with their consent, which must be given after receiving a clear notice about the data to be collected and the purpose of processing. This consent can be withdrawn at any time.
3. Rights of data principals- Individuals whose data is being processed can access information about the processing and request corrections or deletions. They are also empowered to nominate someone to act on their behalf in case of incapacity and file grievances.
4. Obligations of data fiduciaries- Organizations processing data must ensure its accuracy, implement security measures to prevent breaches, report breaches to the authorities, and ensure the deletion of data when its purpose is fulfilled.
5. Transfer of data- The bill allows the transfer of personal data outside India, with restrictions on certain countries that the government will notify.
6. Exemptions- Some cases, such as crime prevention and enforcement of legal rights, are exempt from certain bill provisions.
7. Data Protection Board of India- A board will oversee compliance, impose penalties, and handle data breach incidents. It will also address grievances from affected individuals.
8. Penalties- Penalties for non-compliance, including failures in fulfilling obligations and security measures are outlined in the bill.
The Bill holds significant implications for various sectors, including fintech companies. Fintech and crypto enterprisesare speculated to be classified as data fiduciaries. Fintech, short for financial technology, refers to enterprisesthat leverage technology to provide innovative financial services. As these enterprisesheavily rely on handling sensitive financial and personal data, the new data protection bill will undoubtedly impact their operations and practices. Here’s how-
Enhanced data privacy measures- Fintech enterprisesoften deal with highly sensitive financial information of their users, including bank account details, transaction histories, and investment patterns. The bill’s emphasis on obtaining explicit consent, transparent data processing, and safeguarding personal data aligns with the core principles of fintech companies. Enterprises will need to ensure that their data collection and handling processes comply with the bill’s requirements. This could involve adjustments to their user consent mechanisms and data protection protocols.
Consent management- One of the bill’s key features is obtaining explicit consent from individuals before processing their data. Fintech enterprisesheavily rely on user data to offer personalized financial services. The new consent requirements might necessitate these enterprisesto review and revise their consent management strategies. This could include developing user-friendly interfaces that clearly explain how data will be used and seeking consent in a more granular manner for various data processing activities.
Data security and breach reporting- Fintech enterprises are entrusted with safeguarding users’ financial data from unauthorized access and breaches. The bill’s provision for mandatory reporting of data breaches to the Data Protection Board of India is particularly relevant for fintech companies. This may lead to enhanced data security measures, including more robust encryption techniques and stricter access controls. The board’s oversight could drive fintech enterprisesto invest further in cybersecurity to mitigate the risks of breaches.
Cross-border data transfers- Many fintech enterprisesoperate globally, necessitating cross-border data transfers. The bill allows such transfers but with restrictions on specific countries. Fintech firms engaging in international operations will need to closely monitor the countries listed as restricted and ensure their data transfer practices comply with the bill’s provisions. This might involve assessing data protection laws in target countries and implementing necessary safeguards.
Compliance costs and complexity- While the bill’s intentions to protect personal data are commendable, compliance might come with increased operational costs and complexity. Fintech companies, especially startups with limited resources, may need to allocate budgets for legal and technical consultations to ensure compliance. Adapting to the bill’s requirements might require adjustments to existing systems and processes, potentially impacting the speed of innovation and service delivery.
Innovation and customization- Fintech enterprisesthrive on innovation and customization of financial services based on user data insights. Striking a balance between data protection and innovation will be crucial. Fintech firms will need to explore ways to continue offering personalized services while adhering to the bill’s data privacy principles. Solutions involve advanced data anonymization techniques that protect users’ identities while enabling data analysis.
In conclusion, the Digital Personal Data Protection Bill of 2023 has the potential to reshape the landscape for fintech enterprisesin India. While the bill introduces rigorous data protection measures that align with the nature of fintech operations, it also presents challenges regarding compliance, security enhancement, and adaptation to new consent management strategies. Fintech enterprisesthat effectively navigate these changes stand to reinforce user trust, strengthen their cybersecurity measures, and align their operations with India’s evolving data protection framework.
The author Edul Patel is a Co-founder and CEO at Mudrex.