Data protection regulation should complement innovation. Data analytics by financial institutions, including fintech firms, can help Indian customers to more effectively and efficiently engage with financial markets and products, at the right time.
The Personal Data Protection Bill has suggested a host of recommendations to overhaul India’s current data protection regime. The bill covers both government and private entities. It extends not only to the processing of personal data by Indian entities but also covers foreign entities that process personal data for offering goods or services or for profiling individuals within India. The bill excludes anonymised or non-personal data.
The Data Protection Bill envisages key concepts such as the right to be forgotten, right to rectification, data portability, the formation of an independent redressal mechanism in the form of Data Protection Authority (DPA), the appointment of a data protection officer, data audits and standards for anonymised data.
What does it say?
The bill has highlighted two key stakeholders in the data ecosystem. A data subject who provides her data for any purpose is denoted as a “data principal”. An entity or an individual who determines the purpose and means of processing of personal data of the “data principal” is denoted as a “data fiduciary”. The bill has also introduced the concept of “significant data fiduciary”. This would be notified by the DPA after its constitution based on parameters such as sensitivity of personal data and the volume of personal data processed by the data fiduciary.
Certain exemptions have been proposed, such as for processing for research, archiving or statistical purposes, for domestic or journalistic purposes, and for small entities.
Core to the data-privacy bill is consent and notice
Consent is now required to collect and process all personal data, not just the narrower category of “sensitive personal data” for which explicit consent is mandated. The definition of “personal data” is now predicated on just one criterion—whatever makes an individual identifiable. However, the definition of sensitive personal data has been expanded. While retaining existing categories, new categories such as genetic data and official identifiers (like Aadhaar number), transgender status, intersex status, caste or tribe, sexual orientation, sex life, and religious and political belief have been added. In any transaction, notice is going to play a vital role. It must be provided in form and content (regarding collection, purpose, processing of personal data, time of retention and cross-border transfer, and others), which is easily comprehensible by the data principal.
Double-edged sword
However, limiting the purpose and requiring specific consent and notice for each transaction can be a double-edged sword. The bill advocates purpose limitation, explicit consent and notice, which is a welcome step. But these criteria should not end up as one-size-fits-all models. Asking for explicit consent from customers at every juncture will result in lengthier notices, disclaimers and formats for ticks or checks, leading to friction and drop-offs midway. In the bill, when the interest of the data principal is adequately protected, the right to revoke consent is available at any stage of the transaction. Therefore, single consent for multiple transactions or purposes should be allowed if it is explicitly obtained with due notice to the data principal. The bill must consider the anticipated innovations in the digital finance sector.
New-age customers want the convenience of digital finance on smartphones. Policymakers are also working towards greater financial inclusion by encouraging a transparent digital ecosystem. However, restricting the use of financial data by financial institutions or fintech firms will impact financial inclusion and the ability to provide life-stage-based product mapping. Financial products are complex and awareness is low. Life-stage handholding is equally important and should not be stifled under layers of consents and notices that make the process inefficient.
Data protection regulation should complement innovation
Data analytics by financial institutions, including fintech firms, can help Indian customers to more effectively and efficiently engage with financial markets and products, at the right time. For example, a young prospective consumer who has just started his career will ideally look for a credit card, a consumer durable loan and maybe a vehicle loan. Purpose limitation would create friction and hinder financial institutions in their process to analyse and propose the right product at the right age.
Only serious players will survive
The bill treats accountability as the central principle for data protection, and the proposed data protection norms and safeguards are certainly going to increase the accountability of companies and data processing/service companies. Implementing the data protection framework will increase IT expenditure, as a data protection framework has to be established, maintained and effectively monitored. This is likely to weed out non-serious players, unscrupulous data compromisers and sellers, who will be isolated due to the risk of penalties, cost and difficult standards.
As large-scale data breaches around Aadhaar and banking systems continue to dominate the headlines, we are nearly there with legislation that will increase compliance standards for entities dealing with personal data and their exposure to penalties. All regulated entities should, therefore, adopt the recommendations early and prioritise compliance with security standards to minimise the risk of data breach, without waiting for the data protection bill to translate into law (when enacted). Success depends on self-regulation and industry-specific minimum standards, which should become the new norm.
Disclaimer: The above article was first published in Livemint on 23rd August 2018.