The Pattern #134
How will the new Data Protection Bill impact FinTechs?

Mayank Jain, Head - Marketing and Content
Aug 4, 2023

Hello everyone,
Welcome to the 71st edition of The Pattern - a weekly where I unpack the latest rumblings from the world of technology, finance and economy for you.
On Thursday, the government tabled the latest draft of the Digital Personal Data Protection Bill in Lok Sabha. The bill, a successor to many failed starts, is a watershed moment in the Indian data economy. It is a first-of-its-kind law that, if it comes into effect, will govern data storage, use, and processing by all entities* and provide legal recourse against data breaches and unauthorized use of Indian citizens’ data in any form or manner.
The fact that such a bill has made it to Parliament is in itself a great feat that must be celebrated. The bill has made several important leaps that will go a long way to curb the misuse of citizen data and provide for severe damages and liabilities for the perpetrators.
Key highlights of the bill:
The bill covers all data collected within India across online and offline mediums
The bill makes data fiduciaries - the entities for which the data is collected - responsible for its fair usage, consent, processing, and timely erasure
The bill lays out liabilities ranging from Rs 50 crore to upwards of Rs 250 crore for erring entities/individuals found guilty of improper data collection, usage, dissemination, etc.
Grants rights to individuals to seek correction or erasure of their personal data
Provides for a Data Protection Board of India that will adjudicate all the issues of non-compliance with the provisions laid down in the bill
This is just the tip of the iceberg. The provisions in the bill are far-reaching and wide, necessitating careful reading by organizations and more concerted deliberation in the public sphere before it is written into law.
However, a careful reading of the draft provisions raises more questions than it answers. Criticism has come from various quarters including public policy watchers, senior lawyers, the industry as well as serving and retired bureaucrats.
In a nutshell, the bill has been criticized for:
The exemption provided to the government and its arms from following any/certain components of the privacy bill on wide-ranging grounds
Lack of actual recourse to citizens who might become victims of data breaches, unauthorized data use, or any other kind of data crimes
Lack of a right to data portability for citizens
Lack of a right for citizens to be completely forgotten
The Data Protection Board will be nominated by the government, which raises concerns about its impartiality and independence, among other issues
How will this impact FinTech?
Now, let’s address the billion-dollar question. This bill is set to become the cornerstone of data privacy regulation in India, and FinTechs might find themselves in a bit of a soup if they are to comply with these provisions (as they stand today) on top of the already stern Digital Lending Guidelines from the RBI and other regulatory norms (including those of Google - the kingmaker of the fintech lending world).
To discern the impact of these provisions on FinTechs, we spoke to Mr. Pavan Duggal, Advocate, Supreme Court of India, and an expert in cybersecurity laws and regulation.
According to Mr. Duggal, the Data Protection Bill is set to “make FinTechs completely liable for any and all non-compliance with the provisions of the bill when it comes to collecting, processing, using or disseminating consumer data.” The bill clearly lays out the roles of data fiduciaries, data processors, and consent managers, and it will be the data fiduciaries who will be the first to face the heat in case something goes wrong, Duggal said.
In a candid chat, he walked us through the various provisions of the bill and how they are likely to impact the FinTech players. Let’s go through the major implications:
Data fiduciary vs data processor: The bill clearly suggests that any entity that is using or determining data collection for any purpose will be termed a data fiduciary. Data processors, meanwhile, will be entities that process data on behalf of the data fiduciaries.
Impact: In the fintech world, most fintechs will be automatically recognized under the bill as either data fiduciaries or data processors (or both!). This means that the liability for ensuring consent, fair and safe use, processing, and dissemination of data lies on FinTechs as well as banks.
Example: If an RBI-licensed lending NBFC partners with a FinTech to onboard new customers and partners with yet another entity to process that data, the liability will lie first with the data fiduciary (the NBFC) and then with the data processors; the onboarding and underwriting FinTechs will both be termed data processors here.
Privacy policy won’t do, fresh mandate a must: For FinTechs, a big blow is likely to come from the new provision that suggests that every single customer’s consent to collect, store, process, and use their data must be sought through a ‘notice’. A notice is a detailed list of the data being sought from the customer and the purpose for which it is being collected. Only when this notice has been delivered can an entity collect consent from the customer to use their data.
The consent, too, must be explicit, use-limited, and extremely clear in terms of its applicability and validity - to both the customer and the data fiduciaries.
Impact: According to Mr. Duggal, FinTechs will now not only need to follow this two-step process of notice + consent while onboarding customers, but will also have to give existing customers notices for their data collection and have them re-affirm their consent.
Example: If lending co. X already has 10 lakh active borrowers and it onboards 500 new borrowers a day, company X must now -
A. Ensure that all new customers are given separate notices and consent mandates to collect and use their data
B. Serve fresh notices and consent requests to all their existing 10 lakh customers to ensure their consent is recorded under the provisions of the new law
Note: The pro-forma privacy policies and data disclosures currently in place on the websites of lenders, fintechs, and other participants won’t be compliant under the new provisions unless every single customer is served a personalized consent form.
Differential treatment abounds: There are certain exemptions in the bill that might come to the rescue of financial services firms and, at the same time, dent individuals’ right to privacy. For instance, the current draft exempts debt collection and credit scoring from the consent and notice requirements.
At the same time, the government and its arms can avail themselves of exemptions from complying with the provisions of the law on very wide grounds.
Impact: While further clarity is awaited, managing consent, use, and processing of data is likely to become a confusing affair for financial services players if the same data is being used for various purposes. For example, a customer’s consent is necessary to onboard them, but it might not be necessary to collect consent for debt collection. At the same time, government-backed programs might now be on a preferential footing compared to private firms when it comes to complying with the law.
There are many more potential areas in which FinTechs might be affected (Account Aggregator, cross-border transfers, data fiduciary partnerships to name a few) but the exact implications depend on the impending legislation and directions that are likely to follow.
All in all, the times are about to get tough for financial services players. And ecosystem participants would do well to spend a considerable amount of time to start preparing their processes, products, and people for the upcoming demands of the new data protection regime.
We’ll keep tracking this space and come back with more.
Reading List
Bank RoA at peak, need investment in tech, talent says McKinsey
How FinBox’s BRE Sentinel solves lenders’ scalability problems
A little-known agreement called ITA-1 killed India’s IT manufacturing. Now, ITA-2 is in the works
Between the digits
Rs 10 lakh crore: India’s commercial banks have recovered about Rs 10 lakh crore from non-performing assets in the last 9 financial years, according to government data.
$123 million: Revenues from subscription-based audiobooks in India - a quiet audio revolution in the making?
935,000: Axis Bank reported a 3x spike in customer complaints but it insists that all is well. Read the analysis here.
This is all I have for today. Have a good weekend.
Cheers, Mayank