The (Indian) Digital Personal Data Protection Act, 2023 (“DPDP Act”) received Presidential assent on August 11, 2023, and is awaiting notification by the Indian Government, which is expected soon. This FIG Paper examines: (i) the existing data protection/ privacy framework for the Indian financial services space; (ii) the DPDP Act considerations overlaid on that framework; and (iii) a preferred approach to “gap” analysis, based on global learnings.
Current Regime & DPDP Act Implications:
Financial Services Sector – Additional DPDP Act Considerations:
1. Data Fiduciary’s Obligations:
- Notice – for every request; clear, plain language, description of data sought.
- Data breach notice.
- Safeguards – Data fiduciary to implement appropriate technical/ organisational measures; reasonable security standards/ practices/ safeguards to prevent breach.
- Accuracy/ Integrity – ensure personal data processed is complete, accurate, consistent when processing used to make a decision affecting data principal or shared with another fiduciary – e.g. account opening/ client onboarding, KYC, AML, limit setting, outsourcing.
- Children – exclusion from profiling/ marketing.
- Consent withdrawal – data fiduciary/ processor to erase data when purpose is served.
2. Data Principal’s Rights:
- Grievance redressal.
- Nomination rights (upon death/ incapacity).
- Access rights.
- Right of correction, completion, updating and erasure.
3. Significant Data Fiduciary (“SDF”):
- Large banks, AMCs, insurance companies, NBFCs, Fintechs/ PSOs likely to qualify as SDFs (SDF status requires a resident DPO, a data auditor, periodic audits and data protection impact assessments).
Global Learnings:
- Continued retention of personal data is disproportionate and not necessary. [R v Commissioner of Police of the Metropolis, EWHC 2528 (Admin)]
- Exercise of discretion should not involve indefinite retention of data. [GC vs. The Commissioner of Police of the Metropolis [2011] UKSC 21]
- ‘Purpose limitation’ allows storage of personal data for testing and error correction, if such processing is compatible with initial data collection purposes. [Digi Távközlési és Szolgáltató Kft. v Nemzeti Adatvédelmi és Információszabadság Hatóság (2022), European Court of Justice (ECJ) Case C‑77/21]
- Right of access obliges controllers to give data subjects a faithful and intelligible reproduction of all relevant data. [RW vs. Österreichische Post AG, ECJ Case C‑154/21]
- Emotional distress is sufficient to constitute loss or damage required to found a private action claim. [Reed, Michael vs. Bellingham, Alex, Singapore Court of Appeal [2022] SGCA 60]
- Need for safeguards is greater when personal data is subjected to automatic processing and where there is a significant risk of unlawful access to data; derogations/ limitations to protection of personal data should apply only if strictly necessary. [Ligue des droits humains v Conseil des ministres, ECJ Case C-817/19, 21 June 2020]
“Gap” Analysis/ Suggestions:
- Consent Architecture – needs to be revisited, to include specific/ informed consent, purpose limitation, consent via “each notice” approach.
- Consent Notice – No common standard across RBI/ SEBI/ IRDAI; activity/ entity wise mapping required qua DPDP.
- FIG Sectoral Laws v. DPDP: Inconsistencies – (i) data retention – currently perpetual retention, given the risk of future law enforcement requests, which conflicts with DPDP purpose limitation/ erasure obligations; and (ii) NBFC AA Framework inconsistent with DPDP.
- Financial Services “Super-Apps” – Requires revisitation qua client on-boarding/ account opening, KYC, transaction data monitoring, cross-sell/ harvesting, intra-group lead sharing, analytics/ user profiling and marketing.
- Legacy Data Sets – requires fresh consent/ notice per DPDP.
- FIG “Significant Data Fiduciaries” – Large FIG groups will be subject to higher DPDP thresholds.
- Compliance with Data Principal’s Rights – prescribed under DPDP, but not by RBI/ SEBI/ IRDAI data protection standards (grievance redressal, nomination, access rights, correction/ erasure request, consent withdrawal).
- New Systems/ Controls – while RBI/ SEBI laws prescribe cyber security/ resilience standards, DPDP requires broader technical/ organisational measures and security safeguards to prevent data breach.
- Requires “fire-walls” between personal data of children and adults.
- Customer rejection by SEBI/ RBI/ IRDAI licensed entities is now justiciable.