Introduction:
The Digital Personal Data Protection Act, 2023 (“DPDP Act”) is India’s foray into the global regulatory movement on personal data rights. In designing the DPDP Act, there has been a strong focus on simplicity, brevity, and standardisation. We note a marked effort to align with data regulation across the world, most significantly, the European Union’s General Data Protection Regulation (“GDPR”). While principally similar, the Indian regime has peculiarities for which financial services entities will have to prepare themselves.
This paper highlights relevant considerations for foreign banks with Indian operations that are already compliant with international frameworks and with the relevant regulations of the Reserve Bank of India, but that will now need to prepare for the DPDP Act.
Relevant Considerations under the DPDP Act:
- Territoriality: The DPDP Act applies to processing of personal data within India as well as outside India if such processing is in connection with any activity that relates to the offering of goods or services in India to Data Principals. Foreign banks will have to be mindful that the DPDP Act has extra-territorial application and is equally applicable to Indians and foreign individuals, irrespective of location or residency status, as long as the processing of digital personal data is done in India or is in connection with offering goods or services in India.
- Representative Offices/Branch Operations: Several foreign banks operate in India not only through Indian subsidiaries but also through branches/representative offices with no separate legal entity registered in India. Even where the Data Fiduciary is a foreign entity, so long as personal data is being processed in India or the processing is connected to any activity related to Indian banking product/service offerings, the DPDP Act will apply and consequent compliance obligations will flow from it.
- Consent: The lawful basis for processing personal data hinges on free, specific, informed, unconditional, and unambiguous consent. In the absence of consent, personal data may be processed only for certain narrowly defined legitimate uses, such as personal data provided voluntarily for a specified purpose, compliance with law, access to state subsidies, benefits and schemes, medical emergencies, and employment-related purposes. Consent for new and existing personal data is to be sought along with a notice that identifies: (i) the data being collected; (ii) the specified purposes for processing of such data; and (iii) the manner in which a Data Principal may exercise rights and raise complaints with the Data Protection Board. This will entail a data audit of legacy data sets that are personally identifiable, to establish for which of them express or implied consent has been taken. Mechanisms will also have to be built in to allow Data Principals to give itemised consent for specified purposes, allowing them to opt in and opt out as and when they so choose. The services of a Consent Manager may be employed in this regard.
- Data Retention and Erasure: Unless retention is necessary under existing law (such as RBI requirements under the extant KYC guidelines for record retention), a Data Fiduciary must erase personal data if the Data Principal withdraws consent or if it can be reasonably assumed that the specified purpose either has been served or is no longer being served (such as where the Data Principal does not engage with the Data Fiduciary or exercise rights under the DPDP Act), whichever is earlier. The Data Fiduciary must also ensure that its Data Processor(s) erase(s) any personal data made available for processing. The retention of personal data under the DPDP Act presents a challenge. While the focus is on prompt data erasure, in cases where customers take time to approach the Data Fiduciary for complex cross-border banking/payment services, it is unclear whether Data Fiduciaries can seek consent to retain data for longer periods or contractually agree the period of data retention with the Data Principal. Further, the data erasure obligation does not envisage processing initiated by the Data Fiduciary rather than the Data Principal, i.e., situations where the Data Fiduciary contacts the Data Principal for services such as forex transactions or cross-selling. It is expected that the rules to be framed under the DPDP Act (“DPDP Rules”) will specify timelines, but banks may need to raise such concerns with the appropriate authorities to ensure that clarity and flexibility are provided in the DPDP Rules.
- Data Processors: Data Fiduciaries are ultimately liable for the acts of Data Processors in respect of any personal data processing under the DPDP Act. Data Fiduciaries are required to monitor the types of processing, the technical and operational standards maintained, system resilience, and the periodic erasure of data by Data Processors. Foreign banks will need to identify their outsourcing partners, agents, third-party service providers, and group entities outside India that undertake any personal data processing, since the DPDP Act compliances will apply to them. The DPDP Rules may also specify technical and organisational specifications for security measures to be observed by Data Processors. Even where such Data Processors are situated outside India, compliance arrangements and existing agreements will need to be aligned. There is, however, an exemption for foreign group entities outsourcing foreign personal data processing activities to their Indian counterparts. Foreign banks undertaking such outsourcing through group entities will have to navigate this carefully, because personal data of Data Principals outside India might fall within the net of the DPDP Act for certain types of India-specific processing.
- Cross-Border Data Transfer: There is limited permission for cross-border transmission of personal data. The Central Government may, by notification, restrict transfer of personal data by a Data Fiduciary to certain countries or territories outside India. Foreign banks will have to clean up their cross-border data flows and outsourcing arrangements to ensure that Data Processors or their sub-agents do not transmit personal data through restricted countries, as notified. Countries that share a land border with India are likely to fall under the restricted list. Banks ought to have standby arrangements in place for when the Central Government notifies these countries. Foreign bank subsidiaries, branches, and representative offices in India looking to share Indian customer data with their head office or other regional offices offshore would need to ensure that data is not shared with any restricted jurisdiction, as notified by the Central Government. Existing laws prescribing a higher degree of protection or restriction on transfer of personal data will also continue to apply. For instance, RBI guidelines on Storage of Payment System Data and clarifications thereto (“Data Localisation Guidelines”) require banks acting as payment system operators to store data pertaining to payment systems only in India. For the foreign leg of transactions, a copy of the data may also be stored in the foreign country, if required. There is no bar under the DPDP Act on processing of payments-related personal data outside India so long as consent is sought for the processing, i.e., the data transfer. Foreign banks may establish remote connections from Indian data centres to their offshore offices for remote transaction processing.
However, as per the Data Localisation Guidelines, the data shall be stored only in India after the processing and must be deleted from the systems abroad and brought back to India not later than 1 (one) business day or 24 (twenty-four) hours from payment processing, whichever is earlier. Foreign banks may establish a remote connection from the data centre located in India to their head office or other regional offices offshore for remote transaction processing, on the basis of the Data Principal’s consent, as described above.
- Notification of Personal Data Breaches: Data Fiduciaries (the equivalent being a ‘Data Controller’ under the GDPR) need not inform Data Principals about personal data breaches under the GDPR but must do so under the DPDP Act. It is expected that the DPDP Rules may specify the format and level of detail required to be shared. Notification mechanisms will have to be aligned accordingly.
- Significant Data Fiduciary (“SDF”): The Central Government classifies an SDF depending on the volume and sensitivity of the data, the risk to the rights of the Data Principal, and public interest considerations. Large entities holding significant volumes of data sets or processing sensitive data are likely to be classified as SDFs, and foreign banks with Indian operations are likely to be covered and to face onerous compliance burdens. If so notified, SDFs would be subject to higher compliances, including (i) appointing a Data Protection Officer based in India and an independent data auditor and (ii) undertaking periodic Data Protection Impact Assessments, audits, and other measures that may be prescribed in the DPDP Rules.
- Personal Data of Children: In the case of a child or a person with a disability, verifiable consent of the parent or lawful guardian is required for data processing. Certain types of data processing are prohibited in relation to children, such as tracking, behavioural monitoring of children, targeted advertising directed at children, or any processing that is likely to cause detriment to a child’s wellbeing. Exceptions to these prohibitions for certain classes of Data Fiduciaries or for certain purposes may be prescribed. While GDPR standards provide a more self-regulated approach, foreign banks may take a cautious approach to banking products geared towards children and adopt a stringent consent architecture for the purposes of verification. Even as the DPDP Rules are awaited, the DPDP Act empowers the Central Government to notify the age above which the prohibitions are exempt if certain Data Fiduciaries can demonstrate that the personal data of children is processed in a verifiably safe manner.
- Research & Analysis Exemption: The provisions of the DPDP Act do not apply to processing necessary for research, archiving, or statistical purposes. Foreign banks often use analytics and research from group entities to streamline the banking services offered by their Indian operations. If these analytics are used solely for internal purposes and not to offer services such as cross-selling to Data Principals, these activities may continue. If they are used for taking decisions specific to a Data Principal, banks will have to rethink how they can access and use such data.
Conclusion:
Despite its globalised approach, the DPDP Act is also distinctive, since mere alignment with global frameworks would not be adequate in the Indian context. Entities like foreign banks that operate in India have some degree of experience with the GDPR and its data minimisation grundnorm. However, the Indian regime is distinct and will require careful evaluation to assess gaps in privacy compliance and implementation.