FIG Paper (No. 24 – Series 1): 
New Data Law – Financial Services Implications

The (Indian) Digital Personal Data Protection Act, 2023 (“DPDP Act”) received Presidential assent on August 11, 2023, and is awaiting notification by the Indian Government, which is expected soon. This FIG Paper: (i) examines the existing data protection/ privacy framework for the Indian financial services space; (ii) overlays DPDP Act considerations; and (iii) suggests a preferred approach to “gap” analysis, based on global learnings.

Current Regime & DPDP Act Implications:


Financial Services Sector – Additional DPDP Act Considerations:

1. Data Fiduciary’s Obligations:

  • Notice – for every request; clear, plain language, description of data sought.
  • Data breach notice.
  • Safeguards – Data fiduciary to implement appropriate technical/ organisational measures; reasonable security standards/ practices/ safeguards to prevent breach.
  • Accuracy/ Integrity – ensure personal data processed is complete, accurate, consistent when processing used to make a decision affecting data principal or shared with another fiduciary – e.g. account opening/ client onboarding, KYC, AML, limit setting, outsourcing.
  • Children – exclusion from profiling/ marketing.
  • Consent withdrawal – data fiduciary/ processor to erase data when purpose is served.

2. Data Principal’s Rights:

  • Grievance redressal.
  • Nomination rights (upon death/ incapacity).
  • Access rights.
  • Right of correction, completion, updating and erasure.

3. Significant Data Fiduciary (“SDF”):

  • Large banks, AMCs, insurance companies, NBFCs, Fintechs/ PSOs likely to qualify as SDFs (requires resident DPO, data auditor, periodic audit, data protection impact assessment).

Global Learnings:

  1. Continued retention of personal data is disproportionate and not necessary. [R v Commissioner of Police of the Metropolis, EWHC 2528 (Admin)]
  2. Exercise of discretion should not involve indefinite retention of data. [GC v The Commissioner of Police of the Metropolis [2011] UKSC 21]
  3. ‘Purpose limitation’ allows storage of personal data for testing and error correction, if such processing is compatible with the initial data collection purposes. [Digi Távközlési és Szolgáltató Kft. v Nemzeti Adatvédelmi és Információszabadság Hatóság (2022), European Court of Justice (ECJ) Case C‑77/21]
  4. Right of access obliges controllers to give data subjects a faithful and intelligible reproduction of all relevant data. [RW v Österreichische Post AG, ECJ Case C‑154/21]
  5. Emotional distress is sufficient to constitute the loss or damage required to found a private action claim. [Reed, Michael v Bellingham, Alex, Singapore Court of Appeal [2022] SGCA 60]
  6. The need for safeguards is greater when personal data is subjected to automatic processing and where there is a significant risk of unlawful access to data; derogations/ limitations to the protection of personal data should apply only if strictly necessary. [Ligue des droits humains v Conseil des ministres, ECJ Case C‑817/19, 21 June 2022]

“Gap” Analysis/ Suggestions:

  1. Consent Architecture – needs to be revisited, to include specific/ informed consent, purpose limitation, consent via “each notice” approach.
  2. Consent Notice – No common standard across RBI/ SEBI/ IRDAI; activity/ entity wise mapping required qua DPDP.
  3. FIG Sectoral Laws v. DPDP: Inconsistencies – (i) data retention – currently perpetual retention given law enforcement request risk, which conflicts with DPDP; and (ii) NBFC AA Framework inconsistent with DPDP.
  4. Financial Services “Super-Apps” – Requires revisitation qua client on-boarding/ account opening, KYC, transaction data monitoring, cross-sell/ harvesting, intra-group lead sharing, analytics/ user profiling and marketing.
  5. Legacy Data Sets – requires fresh consent/ notice per DPDP.
  6. FIG “Significant Data Fiduciaries” – Large FIG groups will be subject to higher DPDP thresholds.
  7. Compliance with Data Principal’s Rights – prescribed under DPDP, but not by RBI/ SEBI/ IRDAI data protection standards (grievance redressal, nomination, access rights, correction/ erasure request, consent withdrawal).
  8. New Systems/ Controls – while RBI/ SEBI laws prescribe cyber security/ resilience standards, DPDP requires broader technical/ organisation measures and security safeguards to prevent data breach.
  9. Requires “fire-walls” between personal data of children and adults.
  10. Customer rejection by SEBI/ RBI/ IRDAI licensed entities is now justiciable.

Anu Tiwari

Partner (Head – Fintech and FSRP) at Cyril Amarchand Mangaldas. Anu represents Indian and multinational banking, broker-dealer, exchange, asset management, speciality finance, fintech and information/ emerging technology companies on transactional, enforcement and regulatory matters. His transactional practice focus is on public & private M&A, capital raising, commercial agreements and activism matters. Anu advises financial services clients on matters before the Reserve Bank of India (RBI), Securities and Exchange Board of India (SEBI), Ministry of Finance, Enforcement Directorate and appellate tribunals. He can be reached at anu.tiwari@cyrilshroff.com

Sara Sundaram

Partner in the Disputes and White Collar Crime Practice at the Mumbai office of Cyril Amarchand Mangaldas. Sara specializes in the areas of internal investigations and compliance training, white-collar crimes, corporate and financial investigations, fintech and financial matters and international sanctions. She has assisted and advised several foreign investors, corporates and financial institutions on anti-corruption, anti-bribery issues, anti-money laundering, sanctions violations, and serious fraud investigations.

She also advises several foreign and domestic clients on AML/ ABAC compliance, regulatory compliance and trade sanctions, and has handled internal investigations into compliance violations and whistle-blower complaints for corporations and financial institutions. She has considerable expertise in corporate governance, international sanctions, international fraud related issues, regulatory compliance issues, financial crimes and Fintech. She can be reached at sara.sundaram@cyrilshroff.com

Utkarsh Bhatnagar

Principal Associate in the corporate and financial regulatory practice at the Mumbai office of Cyril Amarchand Mangaldas. Utkarsh has represented various Indian and multinational fintech, information/ emerging technology companies, and also pharmaceutical, and healthcare companies on transactional, enforcement and regulatory matters. His transactional practice focus is on public & private M&A, commercial agreements and regulatory matters. He can be reached at utkarsh.bhatnagar@cyrilshroff.com

Naman Lodha

Associate in the Financial Services Regulatory Practice at the Mumbai office of Cyril Amarchand Mangaldas. Naman advises clients on regulatory matters with respect to financial services. He can be reached at naman.lodha@cyrilshroff.com

Anushri Mandal

Associate in the Financial Services Regulatory practice at the Mumbai office of Cyril Amarchand Mangaldas. Anushri has worked on various transactional and advisory matters. Her focus has been on M&A and FinTech matters. She can be reached at anushri.mandal@cyrilshroff.com