1. INTRODUCTION

The Digital Personal Data Protection Act, 2023 ("Act") was notified in the official gazette in August 2023. The Act, once effective, will serve as the new law for digital data protection in India and affects all businesses, including Digital Lending Entities (as defined below), that collect, store and process data. In September 2022 the Reserve Bank of India ("RBI") had introduced the Digital Lending Guidelines ("DLG") for data management by Digital Lending Entities, given the crucial role that data plays in digital lending, inter alia for underwriting and risk management. Through the DLG, the RBI aims to regulate the data collected by fintech entities by adopting privacy principles such as transparency, consent and accountability. In this article we aim to unravel the overlap, the differences and the relationship between the DLG and the Act, as far as they pertain to the treatment of personal data by digital lending platforms in India.

2. OVERVIEW OF KEY DATA RELATED OBLIGATIONS UNDER THE DATA ACT AND DLG

2.1 The Act defines "personal data" as "any data about an individual who is identifiable by or in relation to such data."[1] The Act applies to the processing of online or digital personal data. It does not extend to the offline collection/processing of personal data, unless such data is digitised. The Act identifies and defines three entities, depending on their function, namely:

  • "Data Principal" - the individual to whom the personal data relates; where such an individual is a child, it includes the parents or lawful guardian of such child.[2]
  • "Data Fiduciary" - any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data.[3]
  • "Data Processor" - any person who processes personal data on behalf of a Data Fiduciary.[4]

Detailed obligations under the Act are captured in our article here. We have highlighted some key obligations below:

  1. Consent requirements - The Data Fiduciary is required to obtain consent from the Data Principal, and such consent should be free, unambiguous, specific and informed.[5] The Data Fiduciary must specify the purpose of collection of data in a notice to the Data Principal, and the Data Principal has the option to withdraw consent through a consent manager.[6] However, one of the key introductions in the Act is "legitimate use".[7] Data Fiduciaries can also process data as a legitimate use, without consent, when the Data Principal voluntarily provides their data and does not indicate unwillingness to consent to its use.[8]
  2. Duty of the Data Fiduciary - In general, the Act lays down certain key compliances for Data Fiduciaries, such as making reasonable efforts to ensure that the personal data processed by them is accurate and complete, informing the Data Principal and the Data Protection Board of any data breaches, giving notice to the Data Principal describing the personal data sought to be collected as well as the purpose of processing such data, sharing data only under a contract and storing it for the period required under law or contract, among others.[9]
  3. Duty of the Data Processor - Most obligations in the Act extend to Data Fiduciaries; however, Data Processors can undertake data processing activities only through a valid contract with the Data Fiduciary.[10]
  4. Data Retention - Once the processing of data is no longer necessary for the purpose for which it was collected, a Data Fiduciary must delete it, unless retention is required under law.[11]

2.2 The DLG defines each of the "Digital Lending Entities" that fall within its scope as:

  • Regulated Entities ("RE") - includes commercial banks, Non-Banking Financial Companies and other regulated entities in the lending business.[12]
  • Digital Lending Application ("DLA") - entities operating mobile and web-based applications with a user interface which facilitate digital lending services.[13]
  • Lending Service Provider ("LSP") - an agent of a Regulated Entity who carries out one or more of the lender's functions or part thereof.[14]

Our article on the DLG is available here. We have highlighted some key obligations below:

  1. Consent requirements - REs must ensure that any collection of data by their LSPs and DLAs is only on a need basis and with the prior and explicit consent of the borrower. Consent is to be obtained at each stage of data collection, and borrowers have the right to withhold consent or revoke consent that has already been granted.[15]
  2. Data related requirements - The DLG requires the entities to disclose their procedures for the storage of customer data, the period of data retention, data destruction practices and standards for handling security breaches. Only minimal customer data may be stored, and it must be stored on servers within India.[16]
  3. Third-party data sharing - This is permitted only with the explicit consent of the borrower, except where such data is required to be shared under any legal requirement.[17]

3. COMPARISON OF OBLIGATIONS UNDER THE DATA ACT AND THE DLG

3.1 Legitimate Use v Explicit Consent: As discussed above, under the DLG, REs are required to ensure that DLAs and LSPs seek explicit consent from their borrowers for the collection of any type of data. They are also required to obtain explicit consent from borrowers prior to disclosure of their Personal Data to any third party.[18] REs also have to ensure that DLAs do not access borrowers' files and media on their phones, except for one-time access to the camera, microphone and location services for know your customer ("KYC")/onboarding requirements.[19] The DLG also specifically requires REs to ensure that LSPs and DLAs publish a comprehensive privacy policy setting out the details of third parties allowed to collect personal information, a requirement the Act does not impose.[20] Additionally, the DLG does not recognise the principle of legitimate use, whereas the Act states that processing of personal data may be done for a lawful purpose, subject to (a) the consent of the Data Principal; or (b) certain legitimate uses (i.e., without the explicit consent of the Data Principal). Section 7 provides certain legitimate uses such as:

  • Where the Data Principal voluntarily provides personal data to the Data Fiduciary without indicating that she does not consent to the use of her personal data; or
  • For the purpose of employment, etc.

3.2 Cross border sharing of data: As per the data localization requirements laid down under the DLG, REs are required to store data in India and also ensure that the LSPs and DLAs engaged by them store data in India.[21] On the contrary, as a departure from some of the earlier drafts of the data bill,[22] the Act has eliminated the data localization requirements and allows cross-border transfer of data except to countries notified by the Central Government (i.e., a negative list) to which the personal data of a Data Principal may not be transferred.[23]

3.3 Data Retention: Under the DLG, the data retention requirements are strict, and Data Principals have the option to deny consent for the retention of data as well as to request deletion of their data. However, the DLG makes no exception allowing retention of such data after a request for deletion has been raised.[24] Under the Act, a Data Fiduciary is allowed to retain data if it is required for legal or business purposes, but it must delete the data as soon as the purpose for which such personal data was collected is no longer present and retention is no longer necessary for legal or business purposes.[25]

3.4 Grievance redressal and Data Protection Board: The Act provides for the establishment of a Data Protection Board with several adjudicatory powers and functions. This means that REs, along with the DLAs and LSPs engaged in digital lending, will also fall within the purview of the Data Protection Board of India. Additionally, a borrower will now have dual recourse and may approach either the RBI Ombudsman or the Data Protection Board when filing a grievance. This gives rise to the question: will the establishment of the Data Protection Board result in overlapping jurisdiction of the RBI and the Data Protection Board in respect of data protection compliances by REs?

3.5 Other requirements: Unlike the DLG, the Act excludes the processing of publicly available data from its scope. Further, the Act requires that before seeking consent for the processing of a Data Principal's Personal Data, the Data Fiduciary give a notice in clear and plain language containing a description of the personal data sought to be collected; the purpose of processing such personal data; the manner in which Data Principals may exercise their rights to withdraw consent and seek grievance redressal; and how Data Principals may file a complaint.[26] The DLG has a similar requirement for seeking consent from the borrower and requires that the purpose of obtaining the borrower's consent be disclosed at each stage.[27] Digital Lending Entities may therefore be required to reissue notices at every stage. Additionally, under the DLG, REs are responsible for compliance and will be held liable in the event of any misuse of data by their LSPs. However, where such an LSP is a Data Fiduciary under the Act, the LSP would be directly liable. The question then arises: will the borrower or Data Principal have the right to proceed against two entities (i.e., the RE and the LSP) in the event of a single breach?

4. BUILDING COMPLIANCE FOR THE ACT

4.1 Identify your role: It is important for REs, LSPs and DLAs to identify their role under the Act in order to build their compliance with it. An entity may be a Data Processor for certain activities but a Data Fiduciary for others. For example, an LSP may be engaged as a service provider by an RE and will be a Data Processor under the Act. However, the LSP may also require its customers (i.e., borrowers and potential borrowers) to have an account-based relationship with the LSP and collect their personal data in the capacity of a Data Fiduciary.

4.2 Identify the nature of data handled: Digital Lending Entities must be aware of the kinds of data they handle, i.e., personal data, transaction data, data required for regulatory checks or KYC, data collected to improve their artificial intelligence models, etc. Entities must also know why data is collected and, inter alia, how long it is required to be retained; after careful consideration of the above, models for data management must be built. For example, certain kinds of data need to be retained as per the timelines under the Act (as will be specified in the rules), the Prevention of Money Laundering Act, 2002 and the KYC Master Directions, such as transaction data (for 5 years) and KYC data (for 10 years). Accordingly, these call-outs must be built into the customer terms of use or the privacy policy.

4.3 Building a data compliance framework: The DLG places the responsibility on REs to include adequate data protections in their outsourcing/service agreements with LSPs and specifies the kind of protections which need to be incorporated. The Act, however, merely states that the Data Fiduciary must have a contract with the Data Processor, without going into the contents of such a contract. Therefore, LSPs must be aware of the requirements passed on from the RE, why certain data needs to be processed, whether the RE has taken customer consent, etc., and REs must build the required consent mechanism and compliance-related obligations into their contracts with LSPs.

5. CONCLUSION

With the introduction of the Act, Digital Lending Entities will now have to comply with both the Act and the DLG. This imposes additional obligations on Digital Lending Entities as they are now subject to multiple regulators. Accordingly, they will now have to identify their roles, responsibilities and their corresponding compliances under the Act as well as the DLG, as may be applicable to them.

It is important to note that while there are no overt conflicts in terms of core data principles between the Act and the DLG, it is the mode of operation that varies; for example, cross-border data transfer restrictions under the DLG versus the ability to freely transfer data under the Act, except to countries covered under the negative list. These variations and overlaps have resulted in uncertainty for entities subject to these legislations, and while they can take certain measures to avoid scrutiny from the regulators, only time will completely address the quandary surrounding such data requirements.


Footnotes

1. Section 2(t) of the Act.

2. Section 2(j) of the Act.

3. Section 2(i) of the Act.

4. Section 2(k) of the Act.

5. Section 6(1) of the Act.

6. Section 2(g) of the Act defines Consent Manager as a person who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.

7. Section 7 of the Act.

8. Section 7(a) of the Act.

9. Section 8 of the Act.

10. Section 8 of the Act.

11. Section 8 of the Act.

12. Section 2.6 of the DLG.

13. Section 2.4 of the DLG.

14. Section 2.5 of the DLG.

15. Section 10 of the DLG.

16. Section 11.2 of the DLG.

17. Section 10.4 of the DLG.

18. Section 10.4 of the DLG.

19. Section 10.1 of the DLG.

20. Section 12 of the DLG.

21. Section 11.4 of the DLG.

22. The earlier drafts of the bill include the Personal Data Protection Bill, 2019 and the Data Protection Bill, 2021.

23. Section 16(1) of the Act.

24. Section 10.2 of the DLG.

25. Section 8 of the Act.

26. Section 5 of the Act.

27. Section 10.3 of the DLG.