India – FIG Paper No. 28, Data Law Series 2: Implications Of Digital Personal Data Protection Act, 2023 On Indian Banks.

Introduction

In the current landscape, Indian banks are bound by data protection obligations under the provisions and rules of the Information Technology Act, 2000, the Prevention of Money Laundering Act, 2002 and relevant directives of the Reserve Bank of India (“RBI”). As we await the enforcement of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the publishing of its rules (“DPDP Rules”), there will be a paradigm shift in the data processing protocols of banks amongst other financial entities.

For a brief overview of how the DPDP Act applies to the financial services industry, please refer to our previous FIG paper here. This FIG Paper reflects on the industry pulse and identifies key issues that Indian banks will need to address as they prepare for the DPDP Act.

Implications for Indian Banks

The major implications for Indian banks on the applicability of these provisions will be as follows:

Consent for Data Processing:

• Notices – to be served on existing / new customers individually.
• Consent Trigger – In existing RBI regulation, the trigger for consent arises from account-based relationships but in the DPDP Act regime, it is the processing of data by which any individual is identifiable. Therefore, processing of visitor information, nominee details, risk management services, customer lifecycle management, product development and other services that use personal data will require consent.
• Data Sharing across Group – So long as consent is sought for specific purposes of data sharing with group entities and subsequent processing by these entities, personal data may be shared by a bank with its group.

Outsourcing to Data Processors:

• Principal Responsibility – Banks are responsible as Data Fiduciaries for personal data processing by intermediaries such as know-your-customer (“KYC”) verification agents, payment system operators (PSO), third-party application providers (TPAP), loan servicing agents, etc.
• Responsibility for Sub-agents – Under the RBI’s outsourcing norms, banks are responsible for the outsourced services of not only agents but sub-agents as well. This obligation may extend under the DPDP Act if the bank determines the purpose for which processing is undertaken by any sub-agent / sub-contractor. Currently there is no provision for joint and several liability under the DPDP Act. This might become an issue for regulated entities which take due care but can be held responsible for deficiencies or non-compliance on the part of Data Processors.
• Monitoring – Banks are required to monitor Data Processors for system resilience, seeking of consent for new personal data from existing customers and erasure of data from Data Processor systems if Data Principals withdraw consent.

Data Breach Reporting: In the events of personal data breach, intimation should immediately be provided to the customer and the Data Protection Board under the DPDP Act. The format for breach notices may be specified in the DPDP Rules. Since no materiality threshold has been notified yet, this breach notice is a mandatory requirement for all personal data breaches. Failure to comply attracts a penalty that may extend to INR 200 crore.

Internal Policies:

• Existing grievance redressal mechanisms should expressly address handling of Personal Data complaints and their resolution timelines.
• Special policies for products involving the personal data of children.
• Separate portal / mechanism to handle applications for correction and erasure of data.

Cross-Border Data Transfer: Transfer of transaction details or customer data outside India for any specified purpose will require consent. Existing outsourcing or data analytics arrangements should conform to the technical and operational specifications under the DPDP Act before commencing such transfer.

Co-Branding Arrangements: For current and future co-branding arrangements, Indian banks (being Regulated Entities) would be considered as Data Fiduciaries, while card issuers would be deemed Data Processors since the banks determine the purposes of processing while the card issuers provide the payment rails. Such arrangements, when dealing with personal data, would attract obligations under the DPDP Act as well as relevant RBI directions, and compliance cannot be mutually exclusive to either.

Use of AI: Indian banks have begun to introduce artificial intelligence (“AI”) including large language models (LLM) in their existing banking products. AI uses large data sets which may include personal data. Unless such personal data is available in the public domain or provided voluntarily for this purpose, using personal data without seeking consent would fall foul of the DPDP Act.

Next Steps and Preparedness

Indian banks preparing for the DPDP Act may get a move on their compliance obligations, and be conscious of the following aspects:

• Stock-take of Data: Conduct data inventory assessments for: (i) legacy datasets; and (ii) prospective datasets, and draft appropriate consent notice formats aligned with the DPDP Act in all the specified languages. A data segregation exercise may also be undertaken for existing practices such as web scraping by a bank’s generative AI, website cookie management, etc., that may fall within the ambit of the DPDP Act.

• Data Verification Infrastructure: Integrate systems for handling KYC information obtained for customer due diligence (CDD), maintenance of consent artefact records, and verifying consent for the personal data of children.
• Customer Contracts: Relook at customer agreements, especially for personal data usage, customer obligations for updating information, confidentiality, and associated personal data rights.
• Agreements: Review exercises for loan agreements, service agreements, and outsourcing agreements for compliance with the DPDP Act.
• Consent Manager Business Models: Once the DPDP Rules are published, determine how to interact with consent managers under different business models for managing consent of Data Principals.
• System Security: Given the resources of Indian banks and existing RBI compliance requirements, leverage state-of-the-art cybersecurity systems (compliant with ISO 270001) and encryption standards (such as AES) for secure transmission and storage of datasets along with periodic implementation of stress testing measures. The DPDP Rules, however, may prescribe the exact technology and security standards.
• Data Breach Management: Designate separate division within existing cybersecurity teams of banks for detecting, managing, and intimating personal data breaches, with a direct line of supervision by the designated Data Protection Officer of the bank.
• Data Processor Readiness: Stress-test and assess the preparedness of the systems of outsourcing partners that deal with personal data in the capacity of Data Processors; ensure that those systems are compliant.

• Awareness: Provide guidance to customers, employees, agents and intermediaries on managing personal data and DPDP Act compliance in the form of Frequently Asked Questions (‘FAQs’) on the bank website or physically.
• Product Design: Ensure DPDP Act compliance as integral to product design when employing new technologies – such as blockchain and AI – that may utilise personal data.

Conclusion

Banks are in a unique position in the financial services industry, given their resources and systemic importance, to determine best practices for personal data processing across sectors. As the DPDP Rules are being drafted, it would be prudent for Indian banks to get an early mover advantage by proactively future proofing contracts, revamping governance frameworks, and aligning policies and protocols with this new regulatory direction for data, privacy, and technology in India.