The journey to a new general data protection law in India is more than a decade long and has seen several milestones ranging from the reports of Committees headed by Justice A.P. Shah, Justice B.N. Srikrishna, and a Joint Parliamentary Committee (“JPC”) to draft legislation in 2018, 2019 (“PDP Bill”) and 2021 (“DPB”).
While the recent withdrawal of the PDP Bill is seen as a sign of a long and twisted road ahead, regulators in sectors such as banking, financial services and insurance have not had the luxury of taking the scenic route.
The roadmap for privacy legislation in India was laid out in the Puttaswamy Cases, where the Supreme Court first upheld the existence of a fundamental right to informational privacy, and dealt with well-established and globally accepted data protection principles, such as informed consent, purpose limitation, storage limitation and transparency (collectively, “Principles”).
In this article, we discuss how the Principles are shaping India’s data protection practices in various sectors and how they have influenced law making, including particularly the recent Reserve Bank of India’s (“RBI”) implementation of Recommendations of the Working Group on Digital Lending (“Guidelines”).
Under most modern data protection regimes, private processing of personal data takes place largely on the basis of valid, informed, specific, clear and revocable consent. This focus on consent is rooted in it being a “normatively significant expression of autonomy”, on which all data processing activities in a digital economy must be founded.
This principle, fleshed out under the DPB, forms the basis on which, inter alia:
(a) authentication can be conducted using Aadhaar data under the Aadhaar Legislations;
(b) banks can share data of their customers holding debit and credit cards with third parties under the relevant RBI Master Directions;
(c) communication of commercial messages is dependent under the TCCCPR;
(d) interoperability basis sharing of patient information is proposed to be achieved pursuant to the NDHM Policy; and
(e) telemedicine consultations are enabled under the Telemedicine Guidelines.
This focus on informed consent is clearly articulated in the Guidelines, according to which Regulated Entities (“REs”) and their Digital Lending Apps (“DLAs”) can only collect personal data from borrowers, after obtaining purpose specific consent. Indeed, the Guidelines require that:
“purpose of obtaining borrowers’ consent needs to be disclosed at each stage of interface with the borrowers.”
This consent must be informed, and REs must:
(a) prominently display information relating to product features, loan limit and cost, etc.; and
(b) publish links to privacy policies.
The Guidelines signify a substantial step forward from the broad-based general purposes consents that are the current market standard in India.
A second core Principle, purpose limitation, requires that entities only collect such personal data as is necessary for the purpose of collection. Apart from the ‘Statement of Objects and Reasons’ of the PDP Bill, this has also found reflection in:
(a) the NDHM Policy, which restricts the collection of personal data only for health related purposes, specified by the NDHM and other incidental purposes, which the data subject can reasonably expect having regard to the purpose for which the personal data is being collected;
(b) the Aadhaar Act, which restricts Offline Verification Seeking Entities from collecting Aadhaar numbers, given that the same are not relevant for the purposes of verifying the identity of an individual using offline verification; and
The Guidelines articulate this Principle much more clearly and require REs and by extension Lending Service Providers (“LSPs”) to follow a need-based approach to the collection of data on defined grounds, with clear audit trails.
Further, the Guidelines have introduced a hard restriction on access to “mobile phone resources such as file and media, contact list, call logs, telephony functions, etc.”. Interestingly, such access is not even permissible after obtaining valid consent.
Further, LSPs are restricted from collecting personal information of borrowers, except for minimal contact information required to carry out their operations and DLAs from collecting biometric information unless required under any applicable law.
The storage limitation Principle requires entities to ensure that data is only retained till such time as is necessary to satisfy the purpose of collection and is deleted at the end of such period. This was the basis on which the Supreme Court in Puttaswamy II restricted the UIDAI from storing transactional authentication data, on grounds that this was not necessary for its purpose. The DPB, while incorporating this principle, provides explicit consent of the data principal or a requirement under any applicable law as exceptions based on which the data can be retained for a longer period.
Legislations that demonstrate the importance of this as a core data protection principle include:
(a) the NDHM Policy, which requires the deletion of all personal data beyond the period necessary to satisfy the purpose for which it is collected and specifies guidelines for its deletion, except where data is retained for a longer period, pursuant to the same exceptions as specified in the DPB;
(b) the Aadhaar Regulations, which restrict the storage of authentication logs by requesting entities to two years and their archival for five years; and
(c) the Aarogya Setu Protocol, which not only required that data only be retained for the period required for the purpose for which it was collected but even restricted the extension of the retention period beyond 180 days, pursuant to specific recommendations under the Aarogya Setu Protocol.
A practical implementation of this Principle was articulated in the RBI circulars on tokenisation, which restricts entities, except card networks and card issuers, from storing card details in “order to improve safety and security of card transactions” and reduce the footprint of card data, where not required.
Similarly, the Guidelines require DLAs to have and publish on their platforms a clear and easily accessible policy on data storage including specifying the length of time for which the data will be held and data destruction protocol that will be followed thereafter.
Transparency in processing of personal data enables data principals to understand the manner in which their data is being processed and the outcomes that result from it. While the PDP Bill already contained extensive measures requiring data fiduciaries to maintain such transparency, the JPC further proposed a requirement to disclose fairness of algorithms.
Other regulations that reflect this concept include:
(a) CICs and credit institutions are required to inform borrowers the specific reasons for rejection of their request, including providing the copy of credit report that was relied upon to make the decision and the name of the CIC which provided the report;
(b) entities undertaking authentication are required to intimate Aadhaar number holders the details of their authentication, including the entity that conducted it, the purpose behind it and the information that was shared pursuant to such authentication; and
(c) the Aarogya Setu Protocol also explicitly mandated NIC to process all data in a fair, transparent, and non-discriminatory manner.
Transparency is a theme that permeates across the Guidelines. Requirement of a granular Key Fact Statement (“KFS”) with details of LSPs, their processing activities and terms and conditions, and the requirement to institute a grievance redressal mechanism with details of the grievance officer notified on the website, are some steps toward providing borrowers a clear statement on upholding their rights and giving borrowers the ability to raise grievances directly.
Until recently, the manner in which REs and LSPs undertook economic profiling of individuals, which often became the basis of credit approval or denial, was opaque. While the RBI has not restricted this activity, the requirements to (a) make it auditable; and (b) report lending sourced through a DLA or LSP to CICs are crucial since it makes the resultant effect of economic profile visible to a borrower.
More significantly, Annexure II of the Guidelines, containing measures that are currently subject to additional deliberations by the RBI, requires REs to ensure that the algorithm for underwriting is extensive, accurate and diverse to rule out prejudices and subject to audit.
The Puttaswamy Cases placed principles of data protection center stage and made them integral to the fabric of data protection laws in India. While it is yet to find final form, the impact of the PDP Bill over legislations drafted over the last few years is evident and the Guidelines provide the clearest window into the future.
While we wait for the introduction of a Bill “that fits into the comprehensive legal framework”, both public and private entities would do well to design their data collection, processing, and protection activities around the core Principles.
A Free and Fair Digital Economy: Protecting Privacy and Empowering India, Report by the Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, July 27, 2018 (“Srikrishna Committee Report”), available here.
The Data Protection Bill, 2021 as part of the Report of the Joint Parliamentary Committee on the Personal Data Protection Bill, 2019 presented in the Parliament on December 16, 2021 (“JPC Report”), available here.
 Justice K.S Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (“Puttaswamy I”) and Justice K.S Puttaswamy (Retd.) v. Union of India, (2019) 1 SCC 1 (“Puttaswamy II” and collectively with Puttaswamy I, “Puttaswamy Cases”).
Paragraph (B)(II), Chapter 3: Processing, Srikrishna Committee Report
Clause 11, DPB.
Section 8(2), The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act”) read with Regulation 6(1) of the Aadhaar (Authentication and Offline Verification) Regulations, 2021 (“Aadhaar Regulations” and collectively with the Aadhaar Act, the “Aadhaar Legislations”).
 18.104.22.168, Future Action paragraph (iii), Annex I, Guidelines.
 22.214.171.124, Future Action paragraph (ii), Annex I, Guidelines.
 126.96.36.199, Future Action paragraph (i), Annex I, Guidelines.
 Paragraph 188.8.131.52, JPC Report.
 Paragraph 9.3, NDHM Policy.
 Section 8A(4)(b), Aadhaar Act.
 National Informatics Centre (“NIC”).
 Paragraph 5a, Aarogya Setu Protocol, 2020.
 Paragraph 4b(i), Guidelines and 184.108.40.206, Future Action paragraph (ii), Annex I, Guidelines.
 220.127.116.11, Future Action paragraph (ii), Annex I, Guidelines.
 18.104.22.168, Future Action paragraph (ii), Annex I, Guidelines.
 22.214.171.124, Future Action paragraph (v), Annex I, Guidelines.
 Clause 9, DPB.
 Paragraph 26.6, NDHM Policy.
 Regulations 18(2) and (3), Aadhaar Regulations.
 Paragraph 5e, Aarogya Setu Protocol.
 126.96.36.199, Future Action paragraph (v), Annex I, Guidelines.
 Clause 23, PDP Bill.
 Clause 23(1)(h), DPB.
 Credit Information Companies (“CICs”) as recognized under the Credit Information Companies (Regulation) Act, 2005.
 Regulations 10(c), The Credit Information Companies Regulations, 2006.
 Regulation 10, Aadhaar Regulations.
 Paragraph 5c, Aarogya Setu Protocol.
 188.8.131.52/184.108.40.206, Future Action paragraph (i), Annex I, Guidelines.
 220.127.116.11., Future Action paragraph (i), Annex I, Guidelines.
 Paragraph 4c(ii), Guidelines and 18.104.22.168/22.214.171.124, Future Action paragraph (i), Annex I, Guidelines.
 126.96.36.199, paragraph (i), Annex II, Guidelines.