[Vaibhav and Manit are students at Gujarat National Law University.]
In the intricate tapestry of India’s digital finance transformation, digital public infrastructure (DPI) stands out as a monumental game-changer. DPI includes digital platforms and the associated institutional and legal frameworks, all working together to facilitate the efficient delivery of essential services and functions to society at large. DPI in India includes Aadhaar, Unified Payment Interface, and CoWin, among others. Recently, the G20 New Delhi Leaders’ Declaration also recognised DPI as an essential element for a safe digital economy.
The popular India Stack has been the backbone of a robust DPI in India, and it has reshaped the very essence of financial accessibility in the country. Just a decade ago, the struggle was to ensure that every individual had a basic bank account. Before the advent of India Stack, the odds were staggering – only one out of 3 people in India had one. However, as of the latest available data from 2021, this situation has seen a remarkable improvement, with 77.3% of the total population now having access to a bank account. Today, the discourse has transcended mere account access, shifting towards the creation of innovative digital finance products for even the lowest-income strata of society.
At its core, the DPI-driven digital finance transformation thrives on the enormous digital data flowing through India’s financial system. A financial system based on digital data underscores the paramount importance of the Digital Personal Data Protection Act 2023 (DPDPA). In this light, the authors delve deeper into India’s digital finance transformation and how DPDPA could play a significant role in pioneering the future of India’s financial services.
Digital Finance Transformation in India
In India, the traditional banks have made a swift migration to the new technology tools available to them. The Indian banking industry recognised the need to use computerization to enhance customer service, bookkeeping, and MIS as early as the late 1980s. The Reserve Bank of India (RBI) appointed Dr. C. Rangarajan to lead the Committee on Computerization in Banks in 1988. Due to the RBI’s proactive approach, traditional banks could smoothly incorporate distributed systems and servers to digitize financial services in India. Adding to this swift migration, DPI has significantly enhanced the pace of the digital finance transformation in India.
The Key Role of DPI in India’s Banking Sector
Considering the rapid pace of digital finance transformation in India, traditional banks have proactively forged valuable partnerships with fintech companies. This synergy has been so fruitful that India currently boasts the world’s highest fintech adoption rate. This collaboration entails the fintech firms contributing their expertise in crafting exceptional user interfaces while the traditional banks leverage their expansive databases and in-depth understanding of regulatory frameworks. This symbiotic partnership, drawing from their respective strengths, creates innovative financial products that benefit customers and financial services as a whole.
In the absence of digital data provided by DPI, financial institutions faced challenges in verifying customers and onboarding them by complying with know-your-customer regulations; the same is evident from the fact that in 2008, only 1 in 25 people possessed formal identification. However, with the emergence of credit bureaus like Credit Information Bureau (India) Limited and several other credit rating agencies, coupled with the vast amount of digital data available today through initiatives like the DPI, there has been a transformative shift. With the customer’s consent, this data is now harnessed to create innovative financial products.
Today, it is no longer a distant dream but a reality. Financial institutions can proactively evaluate individuals, pre-screen them, and offer loans precisely at the moment when they are contemplating a purchase, whether it is on popular e-commerce platforms like Amazon or Flipkart or during any other online transaction. The credit scoring of these individuals has already been accomplished, streamlining the process. This development is one of many examples of how the digital data provided by DPI has fostered a myriad of opportunities to deepen the penetration of financial services in India.
It is abundantly clear that digital finance transformation is intrinsically linked to the management of digital data available due to the advent of DPI. As the financial system processes vast amounts of personal data to deliver innovative financial products, ensuring customers’ trust in safeguarding their personal data becomes paramount for a secure financial system in India. This is precisely where the significance of DPDPA comes into play.
Digital Personal Data Protection Act: Foundation of Trust in Financial Services
India had a longstanding need for a data protection law. Data breaches in pioneering DPI projects like Aadhaar and, most recently, CoWin underscored the critical gap in data protection laws in the country. The incidents of data breaches also extend to financial institutions processing customers' personal data. In 2019, the State Bank of India’s inability to protect a password resulted in the breach of a startling 422 million clients’ personal information. Further, in March 2023, a substantial volume of customer data belonging to HDB Financial Services, the non-banking lending division of HDFC Bank, was exposed and made available on a hacker portal.
In the absence of a data protection law, financial institutions were not legally bound to build a conducive environment to protect their customers’ personal data. In cases of such data breaches, financial institutions often escape the responsibility of ensuring the security and well-being of the data by preventing unauthorised access, misuse, or any form of harm.
Amidst these concerns, DPDPA is poised to hold immense significance. Moving forward, it can stand as the bedrock upon which a secure financial services industry is built, safeguarding against the nightmare scenario of customers’ personal data falling into the wrong hands and leading the entire financial services industry to disrepute. The regime establishes comprehensive provisions to safeguard the personal data of individuals. Section 6 focuses on obtaining consent from data principals, emphasizing that such consent must be free, specific, informed, unconditional, and affirmative. This ensures that individuals willingly agree to the processing of their personal data for a specific purpose. Section 8 outlines the general obligations of data fiduciaries, encompassing crucial aspects such as data usage limitations, collection restrictions, data quality assurance, retention limits, accountability, and transparency in data processing. Additionally, data fiduciaries bear responsibility for the actions of associated data processors. Sections 11 and 12 grant data principals the right to inquire about the usage of their information and request corrections when necessary. Section 13 introduces a right to grievance redressal, allowing data principals access to a mechanism provided by data fiduciaries or consent managers, complete with a prescribed response timeframe before involving the data protection board. Finally, Section 18 establishes the Data Protection Board, tasked with ensuring the effective implementation and enforcement of the law, thus ensuring a robust framework for safeguarding personal data in accordance with the DPDPA.
Financial institutions processing vast amounts of data derived from DPI can find themselves obligated to adhere to the data protection regime in their role as data fiduciaries. These obligations are directed towards safeguarding the personal data of their customers, who are classified as data principals. Furthermore, in collaborative efforts between traditional financial institutions and fintech companies, the personal data of customers is often processed by fintech companies to offer innovative financial products. In this context, fintech companies can be classified as data processors. Consequently, financial institutions also bear the responsibility of ensuring that the associated fintech companies, while processing customers’ data, adhere to the data protection regime outlined in the DPDPA. When financial institutions discharge their statutory compliances in the capacity of data fiduciary coupled with the responsibility to ensure secure data processing by associated fintech companies, the safety of customers’ personal data is ensured at three levels:
First, before processing personal data, financial institutions require the express consent of their customers; further, the processing of personal data must be limited to the specified purpose of the consent.
Second, once consent is given, the financial institution has to ensure compliance with the general obligations of the data fiduciary; the institution must adhere to strict data handling standards, preventing unauthorised access and ensuring accurate information and responsible processing. Additionally, data principals have the right to transparency and corrections, empowering them to exercise control over their personal data and ensuring the use of data only for the consented purpose.
Third, in case of a breach of personal data in processing, the customer has access to the grievance redressal mechanism of the financial institution’s consent managers at the base level and with the oversight of a Data Protection Board.
Therefore, the DPDPA stands as the foundation of trust in a financial system based on digital data in India. While it may take a few years to gauge its impact on financial institutions fully, it marks a significant milestone in safeguarding the personal data of consumers of financial services. With over a billion daily transactions in India’s financial ecosystem, the sheer volume of data underscores the critical need for legislative protection. The DPDPA has instilled a sense of public consciousness regarding data privacy, providing the foundation of trust to flourish in India’s financial services.
The Way Forward
Adapting to this new data protection paradigm is essential to India’s continuous digital finance transformation, driven by traditional banks, fintech pioneers, and various service providers. DPI has conferred a significant advantage upon India, particularly in the development of cutting-edge technology essential for financial services. Furthermore, with the establishment of a comprehensive data privacy regime, the canvas of India’s financial services landscape is becoming complete, ensuring the security and integrity of consumers' personal data in India’s financial services.