Earlier this week, the Secretary for the Ministry of Electronics and Information Technology (MeitY) confirmed that MeitY is set to review the legal framework for digital payments and cybersecurity. This is an important move, and one that needs to take note of important blind spots in a key legislation that governs the handling of personal financial information – the Information and Technology Act, 2000 (IT Act). This post draws from our work as part of the Future of Finance Initiative and flags some blind spots in the IT Act that must be addressed in an environment where retail finance is seeing increasing digitisation.
Looking back at 2016, the push towards the digitisation of financial services has been one of defining themes of the year. As more and more Indians make digital payments, we are creating digital footprints of our financial behaviour on a scale the country has never seen before. Meanwhile, India remains one of the world’s largest economies without a law on privacy rights of citizens. This has prompted the Supreme Court to consider – in the context of making Aadhar mandatory for availing governmental benefits – if our Constitution provides for a fundamental right to privacy, although there is no express mention in this regard. As it currently stands, we have retrofitted the Information Technology Act, 2000 (IT Act), originally enacted to give legal sanctity to electronic governance, to provide minimum safeguards in this regard.
This begs the question: who collects the data from this trail, and what are the general obligations that bind them to keep this confidential?
Part of the answer to this question lies in the IT Act – the overarching law governing the collection and use of personal information in electronic form.
The IT Act applies to these types of entities set-up in India and engaging in commercial/ professional activities (Body Corporates):
(c) sole proprietorship, or
(d) other association of individuals.
A Body Corporate which either collects, processes, stores, transfers or accesses any sensitive personal data or information (Sensitive Data) in a computer resource has certain compliance requirements. Financial information, defined as “bank account or credit card or debit card or other payment instrument details”, is classified as Sensitive Data.
(a) the fact that Sensitive Data is being collected,
(b) the purpose for which Sensitive Data is collected,
(c) the intended recipients of Sensitive Data,
(d) the name and address of the entity collecting Sensitive Data, and
(e) the entity retaining Sensitive Data.
The Body Corporate must also:
- provide options to the data subject to decline providing Sensitive Data for availing a service and to withdraw consent which has been given already,
- allow data subjects to review their Sensitive Data and modify/ update/ correct it (if found outdated/ incorrect), and
- ensure that Sensitive Data is used as per specified purpose and not retained for a period longer than required for its lawful use (or as required by any other law).
2. What are the blind-spots?
Transaction records: For starters, it remains unclear if ‘financial information’ includes transaction records of the individuals as well, such as say credit card spending patterns or utility bill payments.
Newer forms of data: Newer forms of personal data that may be of a sensitive nature, such as browsing history, call records, social media behaviour, and so on, that are recently finding use in underwriting in financial services, do not have protections that sensitive personal data or information has.
Data retention and collection: Moreover, while a Body Corporate cannot hold Sensitive Data beyond the purpose for which the information was collected, there are no bright-line rules (such as purging the information within 30 days of purpose expiry). Market practice has also evolved in the direction of taking all-encompassing consents, making purpose limitation difficult to enforce.
Foreign banks, government departments and non-Body Corporates: The IT Act will likely not apply to foreign banks branches operating in India (of which there were 325 as of 31 December 2015 ) where they have not set-up Indian subsidiaries. The IT Act will also not apply to non-profit organisations, banking business correspondents, individual chartered accountants/ mutual fund distributors/ investment advisors/ insurance brokers etc. Significantly, there is no right to privacy under the IT Act for data collected by a government department, authority, commission or board as these will not be regarded as Body Corporates.
3. What happens if the IT Act is violated?
In India, we lack a dedicated data protection authority to supervise breaches of the IT Act, which are generally dealt with by the Secretary of Department of Information Technology at the state-level, who can impose up to 3 years of imprisonment or fine up to Rs. 500,000. Appeals from such decisions are heard by the country’s only Cyber Appellate Tribunal in New Delhi, which has decided a total of 17 matters since inception and had 66 appeals pending as of March 2016 (due to the continuing absence of a Chairperson since mid-2011). There has also been a long-standing proposal to have a bench of the Cyber Appellate Tribunal in Bengaluru.
In theory, an individual whose data has been mishandled under the IT Act can get up to Rs. 5 crore as compensation for negligent handling of his Sensitive Data by a Body Corporate, if he suffers a wrongful loss or a third party makes a wrongful gain.
4. Way Forward
While India deserves a stand-alone privacy statute, the IT Act framework can be extended to all non-public personal information handled by a financial service provider in the interim.
To strengthen the current regime, financial service providers could be required to have nodal privacy officers for overseeing compliance with privacy requirements and to act as single point of contact for addressing customer complaints. Filings with financial regulators could also include a section on the status of such compliances with built-in consequences for violation.
Overall, electronic financial data protection in India is based on rudimentary regulations with limited enforcement and lack of distinct treatment by financial sector regulators. It is essential to make major upgrades to the data protection regime given the size, scale and detail of electronic data collection in the financial space.
About the Future of Finance Initiative:
The Future of Finance Initiative (FFI) is housed within IFMR Finance Foundation and aims to promote policy and regulatory strategies that protect citizens accessing finance given the sweeping changes that are reshaping retail financial services in India – including those driven by Indiastack, Payments Banks, mobile usage and the growing P2P market.
1 – See: http://www.thehindu.com/business/Economy/Reviewing-legal-framework-for-securing-digital-payments/article16896971.ece and http://www.livemint.com/Industry/VcLcVc6huMHGloWSSfe2EK/Govt-plans-tighter-privacy-rules-for-electronic-payments.html. Note that the The Information Technology Act, 2000 is administered by MeitY.
2 – In the matter of Justice K.S. Puttaswamy v. Union of India, order dated 11 August 2015.
3 – While we focus on the IT Act, we do note that codes of conduct have been developed by sector-specific regulators which impose an obligation of customer data confidentiality. However there is currently no clear mechanism for tracking/ reporting of privacy violations (under say Reserve Bank of India’s banking ombudsman scheme or Securities and Exchange Board of India’s SCORES system) and also no specific penalty implications for such conduct.
4 – There is a safe harbour provision for Body Corporates handling customer data under outsourcing contracts and not dealing directly with data subjects.
5 – See: https://www.rbi.org.in/commonman/upload/english/content/pdfs/71207.pdf.
6 – See: http://www.thehindu.com/news/cities/bangalore/Proposal-to-set-up-Bangalore-bench-of-Cyber-Appellate-Tribunal/article14948497.ece.
7 – The IT Act defines ‘personal information’ as “any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.”