Need for Syncing Sectoral Regulations with Data Protection Law

Cutting across sectors and borders, the Digital Personal Data Protection Act, 2023 (DPDPA or Act), a lean, principles-based, horizontal legislation, was enacted in August 2023 (yet to come into effect). Given that the substantive procedural aspects under the Act have been left for delegated legislation, the first set of rules is expected to be released for public consultation within 100 (hundred) days of the end of the ongoing General Elections,[1] if the incumbent government is re-elected.

Financial regulations for businesses like financial institutions, card issuers, digital lending apps, credit-rating agencies, investment advisors and insurance companies already require compliance in relation to personal data, such as seeking explicit consent from the customer before processing, data localisation and reasonable security safeguards. Some of these regulated entities in the financial sector are likely to be classified as Significant Data Fiduciary (SDF) under the DPDPA because of the volume and sensitivity of personal data processed by them, which entails additional compliance requirements as well as higher penalties for breach. This piece aims to analyse the interplay of sectoral regulations with the Act, focusing particularly on the Reserve Bank of India (RBI) regulations.

The DPDPA is applicable to entities that determine the means and purpose of processing personal data, over and above the sectoral regulations. In case of a conflict between DPDPA and any other law, including sectoral regulations, the requirement under the DPDPA will prevail to the ‘extent of such conflict’.[2] For instance, the Payment and Settlement Systems Act, 2007,[3] and the RBI KYC Master Directions, 2016,[4] allow for the customer’s ‘implied consent’ for the disclosure of data in certain circumstances. The DPDPA makes no mention of ‘implied consent’ or ‘deemed consent’, but it does permit the processing of personal data without explicit consent for certain ‘legitimate uses’ such as voluntary disclosure, medical emergency, compliance with a judgment, protection of state interests, trade secrets, etc. This creates conflicting positions under the laws and requires a subjective call to be taken by the business to determine what should prevail, creating uncertainty for entities which are expected to manage compliance with both laws. A compelling case must be made to the government and sectoral regulators, urging them to conduct a thorough evaluation of financial regulations governing personal data, aligning them seamlessly with the Act for industry-wide implementation. During the rule-making process, it is imperative for the government to navigate this complex landscape with attention to detail, offering clarity where ambiguity exists, ensuring a smooth transition for all stakeholders involved.

The recent amendments to Master Directions on Credit – Debit Cards[5] mandate the consumer’s ‘explicit consent’ in light of the purpose limitation under DPDPA and impose an obligation on card issuers to ensure strict compliance with the extant legal framework on data protection. Going forward, the regulator may closely integrate the data protection requirements under the Act in financial sector regulations; however, clarity/amendments are still required for conflicting positions in existing regulations.

In relation to cross-border data processing, the government’s change in approach from ‘whitelisting’ under the draft law to ‘blacklisting’ under the Act[7] is a welcome move. However, the Act provides for a ‘notwithstanding’ clause that allows sectoral laws which restrict such transfer, or impose any condition in relation to data transfer, and provide a ‘higher degree of protection’ to prevail.[8] The term ‘higher degree of protection’ is subjective and not defined in the Act. However, this seems like a novel approach, inspired by the EU and Singapore’s data protection laws, and reflects the legislative intent to uphold the sectoral regulators’ stance, given the sensitivity around data processed by financial sector entities. Accordingly, the data localisation requirement that the RBI (e.g., Storage of Payment System Data,[9] RBI Guidelines on Digital Lending[10]) and other regulators have stipulated will prevail over DPDPA. Notwithstanding the change in approach under the DPDPA, the RBI is unlikely to do away with data localisation (at least in the short term), although it has been a key issue for RBI-regulated entities.

The Act requires that upon withdrawal of consent, the data fiduciaries cease[11] (and cause their processors to cease) processing of such data in a ‘reasonable time’ and erase[12] such data, unless the provisions of the Act or any other law (in force in India for the time being) require retention of such data. This is relevant as the Act acknowledges that despite providing the right to erasure, certain circumstances (e.g., prevention of crime and ongoing litigations) merit retention of data under other laws. Given that existing laws specify different time periods for retaining certain data, an entity will have to carefully analyse a request for erasure or to cease processing to ensure that such data is not required to be retained for compliance with any other law in force (e.g., Prevention of Money Laundering Act – 5 years[13]; CERT-In Cybersecurity Directions – 5 years[14]; RBI Master Directions on PPI – 10 years[15]).

To draw another parallel, the Act provides an option to Data Principals to manage, review, or withdraw consent through Consent Managers, who are registered with the Data Protection Board. The concept of Consent Managers is akin to the Account Aggregator framework[16] implemented by the RBI, which primarily aims to facilitate ease of sharing financial information among various regulated entities, relying heavily on consumer consent. However, certain questions arise on whether the Account Aggregators will have to additionally register with the Data Protection Board, considering they are, in effect, performing a function similar to that of Consent Managers, insofar as ‘financial information’ includes personal data like identity of the customer. The Citizen’s Charter under the Account Aggregator directions, which explicitly guarantees customer rights protection, should also ideally mirror the rights provided to the Data Principal under the Act, once it is in force. Although the Central Government still has scope and time to flesh out the detailed procedure for Consent Managers, it might be relevant to seek inspiration from the Account Aggregator framework, which has been in effect for a while. Bringing about some similarity between these two unique frameworks can help users deal with ‘consent fatigue’ in relation to personal data.

Additionally, financial entities regularly engage with third-party service providers for outsourcing their information technology and certain eligible financial services. Similar to the RBI regulations that place the primary responsibility on regulated entities outsourcing their services, the DPDPA also makes the Data Fiduciary responsible for any breach by the third parties (Data Processor)[17] engaged by it. This raises the stakes for compliance by the regulated entities, particularly SDFs, who will now need to ensure that any outsourced activity that involves processing of personal data of consumers is done only by way of a valid contract, which adequately covers the requirements under RBI regulations (such as data storage) as well as DPDPA (such as instructions to erase, cease processing in a time-bound manner).

The Act prescribes significant monetary penalties[18] for breach of or non-compliance with the provisions, besides other measures such as blocking of services[19] and any penal measures that may be imposed under other sectoral laws. Hence, it will be prudent for businesses to urgently evaluate their practices in relation to data processing, including mapping of legacy data, how they collect and process data, and whom they share it with, among other things. It is time for businesses to start streamlining their privacy policies and internal processes, onboarding expert advisors, and sensitising their employees and staff to understand the intricacies of this game-changing legislation. This is an opportune moment for entities to reflect on these issues, instead of simply waiting for the rules to come in.

By sidestepping retrospective data processing in its scope, the Act showcases a pragmatic approach, steering clear of significant business upheaval. This strategic foresight underscores India’s trajectory as a burgeoning global economic force. Though lacking provisions for inter-regulatory coordination, unlike its 2019 precursor,[20] the Act prompts a voluntary effort for collaborative dialogue among governmental bodies and sectoral regulators. Financial sector regulators should also actively consult the industry to understand their challenges in implementing the Act, while upholding the mandate of sector-specific regulations. A proactive approach to streamline existing laws with the DPDPA can mitigate inadvertent conflicts and foster a conducive business environment, while keeping data protection at the centre of it. With the ongoing elections nearing their conclusion, the forthcoming government shoulders the responsibility of implementing the Act to ensure that the interests of stakeholders are safeguarded, and that the broader objective of personal data protection is upheld, in the realm of policy stability.


[1] https://www.business-standard.com/industry/news/dpdp-rules-it-rules-amendment-on-meity-s-100-day-agenda-after-elections-124042100232_1.html

[2] S.38, the Act

[3] https://lddashboard.legislative.gov.in/sites/default/files/A2007-51_0.pdf

[4] https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=11566

[5] Reserve Bank of India – Master Directions (rbi.org.in)

[7] S. 16(1), the Act

[8] S. 16(2), the Act

[9] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11244&Mode=0

[10] https://rbi.org.in/Scripts/NotificationUser.aspx?Id=12382&Mode=0

[11] S. 6(6), the Act

[12] S. 8(7)(a), the Act

[13] https://enforcementdirectorate.gov.in/sites/default/files/Act%26rules/THE%20PREVENTION%20OF%20MONEY%20LAUNDERING%20ACT%2C%202002.pdf

[14] https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf

[15] https://m.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=12156

[16] https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=10598

[17] S. 8(1), the Act

[18] S.33, the Act

[19] S.37, the Act

[20] https://prsindia.org/files/bills_acts/bills_parliament/2019/Personal%20Data%20Protection%20Bill,%202019.pdf