Indian Data Protection Regime & the Future of Fintechs in India

(Kritika Krishnamurthy, Director, Bridge Policy Think Tank and Aashrit Verma, Consultant, Bridge Policy Think Tank)

The FinTech industry has grown out of strengthening of linkages between the financial services sector and the technology sector. With a surge of accessibility due to technological support, there is a considerable leap in progress in the financial market. At the same time, India is one of the biggest potential financial services market of the world. To make the most of this large economy, financial data mining is more profitable than gold.

In November 2019, Bridge Policy Think Tank hosted a conference, ‘NBFCs and FinTechs: The road Travelled and Way Forward’. This article is an analysis basis the industry panel discussion on Potential of FinTechs as a New Age Financial Institution. On the basis of the industry deliberations and our research, we believe there are underlying aspects that have the potential to affect the future of the FinTech space and we highlight three such important issues that the market players and investors should carefully consider in this piece.

The analysis of data protection law in China, United States and Europe show that they all have different approaches. The law in Europe, namely the General Data Protection Regulations (GDPR) are a more progressive and integrative set of regulations. The United States, on the other hand, takes a more market-focus approach in their regulations which results a sector-specific regulation on data protection. Legislations such as the California Consumer Privacy Act, New York State Department of Financial Services Cyber Security Regulation and Health Insurance Portability and Accountability Actare examples of sector specific legislations. China takes a more general approach, without highlighting regulations for sectors. The Chinese data privacy regulations function in the general cybersecurity context only.

For India, there are 3 characteristics of data protection that are critical to the amalgamation of financial services and technology. They are:

Data Localization and Cross border data transfers– Data localization has been an issue of debate when it comes to the new Personal Data Protection Bill, 2019 (PDPB) in India. GDPR unlike the new bill does not impose restrictions on the cross-border data transfers but are subjected to some limitations. In the case of FinTechs, localization would hinder various global FinTech organizations to function in the country due to the hindrance of the free flow of information and also forcing such companies to incur heavy costs by setting up data centres locally. According to a 2016 study by the European Centre for International Political Economy, the EU’s GDP would gain 8 Billion Euros, which is the same amount as all EU free trade agreements, by abolishing data localization measures.[1] On the other hand, with data localization measures as strict as those proposed in India, the EU would lose over 50 Billion Euros annually or 0.5% of its entire GDP. If we assume similar effects, India could lose near $8.4 Billion (over INR 62,000 Cr) annually.[2]At the same time there is a thin line of difference between optimum data utilization and abuse of data privacy. There is a need to create a balance to allow fintechs leg space to experiment with commercially feasible business models but at the same time promote the protection of Indian financial data.

Consent – Consent remains a lawful basis to transfer personal data under the GDPR. Consent is of two types when it comes to data protection models globally. They are opt-in and opt-out. GDPR regulation, in accordance with their progressive nature, favours an opt-in model where the data of persons can be used by the controller who have opted-in for giving consent to use their data. While the other people who have not given their expressed consent are to be kept out of their systems. On the other hand, opt-out consent covers a wider range of population where the controllers or processors can use the data for specific purposes until the data subject opts out of it. India in its Bill has taken the opt-in consent approach which is capable of being withdrawn. Both the approaches should not be treated as separate but complementary to each other. Opt-in approach can be useful in processing sensitive data while for other data an opt-out approach can be taken. The opt-in process under Indian law is a laudable measure considering the Indian diaspora is not as aware as the international markets in relation to abuse of personal data.

Pseudonymization or Anonymization – The European Union favours pseudonymization over anonymization. The primary difference between them is re-identification, which is possible with pseudonymization. Anonymization process will erase the link between the data and the subject permanently and make sure that no one can be traced by their data. However, anonymization may hinder research, archiving and statistical purposes. Re-identification is important as the information regarding certain persons may be required for processing. India, on the similar lines, has supported Pseudonymization and de-identification. Encryption of data is an important aspect of data protection and the process of re-identification or decoding should be done only for necessary processes. The chances of misusing this are very high and therefore ought to be scrutinized strictly.

The Way forward

India is awaiting the new Personal Data Protection Bill, 2019 which encompasses the above-mentioned elements. It is essential to deliberate on whether the implementation of the above elements will either deter the growth of technological advancements or regulate it. With the quantum of personal information being shared online or offline, it is essential to ensure that the citizens of the country have autonomy in the digital economy while ensuring all data processors and controllers are regulated.

India needs to ensure there is a thorough impact assessment before introducing localization and pseudonymization. Several companies and institutions that are functional in India are involved in the data processing activities and the introduction of such regulations may hamper their growth and may eventually deter companies from investing in India. The recent example is that of Aadhaar- its successful introduction as a unified identification tool and then the sudden clamp down on its usage which the market is yet to get completely healed from.

At the same time, we have witnessed various data breaches including the recent breach of Facebook’s data that affected millions of Indians. The potential regulations (PDPB) hold companies accountable of such kind of data breaches and puts a higher degree of pressure to ensure such companies to develop tighter security measures. Therefore, the new regulations have the task of a fine balancing act ahead- higher accountability with commercial feasibility. A failure of the law can come in the way of the financial inclusion goals of the economy which may hamper its growth.