INTRODUCTION
The Indian banking sector has experienced a swift and essential revolution, shifting from conventional practices to the comprehensive adoption of digital technologies. By the late 1980s, the industry acknowledged the necessity for computerization to enhance customer service, accounting, and management information systems. In 1988, the Reserve Bank of India (‘RBI’) formed the Committee on Computerization in Banks, chaired by Dr. C. Rangarajan, to supervise this transition. This proactive strategy enabled traditional banks to effectively incorporate dispersed systems and servers, establishing the groundwork for the digitization of financial services in India.
The foundation of this digital transformation is India’s strong Digital Public Infrastructure (‘DPI’), which includes vital digital platforms like Aadhaar, the Unified Payment Interface (‘UPI’), and CoWin. DPI expedited India’s swift embrace of digital money and achieved global acknowledgement. The G20 New Delhi Leaders’ Declaration recently emphasized DPI as a vital component for establishing a secure and inclusive digital economy, underscoring its increasing significance in improving financial services.
PROVISIONS OF DPDPA APPLICABLE TO THE BANKING SECTOR
Financial institutions, by handling large volumes of data via DPI systems, are obligated to adhere to the stringent data protection standards of the Digital Personal Data Protection Act, 2023 (‘DPDPA’). When collaborating with fintech companies, these institutions must also ensure that the client-sensitive information handled by finance partners as Data Processors complies with the DPDPA framework.
DATA FIDUCIARIES AND DATA PRINCIPALS
Under the DPDPA, two primary roles, ‘Data Fiduciaries’ and ‘Data Principals’, govern the relationship between financial institutions and their customers. In the banking and financial services industry, Data Fiduciaries are financial organizations responsible for collecting and processing customer data, while the individuals whose data is being handled are known as Data Principals. Banks serve as guardians of this personal data, ensuring privacy is upheld while maintaining operational efficiency. Additionally, those who process data on behalf of fiduciaries are referred to as Data Processors. Due to the large volume and sensitive nature of the personal data they handle, financial institutions such as banks may also be classified as Significant Data Fiduciaries. This classification is contingent upon elements such as the influence of the information on national security, the sovereignty of the state, and the potential risks to consumers. Thus, while banks control how personal data is processed, Data Processors operate as intermediaries between Data Fiduciaries (banks) and Data Principals (customers).
PROVISIONS SAFEGUARDING PERSONAL DATA
The DPDPA establishes comprehensive safeguards for protecting individuals’ data. Section 4 of the Act stipulates that personal data must be processed solely for legitimate and defined objectives. Section 5 requires Data Fiduciaries to send a notice to customers seeking their approval before processing data, and Section 6 emphasizes the need for obtaining free, specific, and informed consent from Data Principals. This guarantees that people consent to data processing for a specific purpose with full awareness and willingness.
If consent is later withdrawn, the fiduciary must stop processing the data and ensure its erasure, unless other laws require retention. For example, the Prevention of Money Laundering Act and CERT-In Cybersecurity Directions specify retention periods of five years, while RBI’s Master Directions on Prepaid Payment Instruments require a ten-year retention. The DPDPA thus acknowledges the complexities of balancing the right to data erasure with statutory obligations to retain data for compliance with other laws.
PROCESSING WITHOUT CONSENT AND LEGITIMATE USES
Unlike some previous regulations, the DPDPA does not recognize the concept of “implied consent.” However, Section 7 allows personal data to be processed without explicit consent for legitimate purposes, including voluntary disclosure, state benefits, medical emergencies, legal obligations, and protection of state interests. These exceptions ensure flexibility in data processing where it is necessary to protect public interests or ensure compliance with legal requirements.
DATA FIDUCIARIES’ OBLIGATIONS AND RIGHTS OF DATA PRINCIPALS
Section 8 delineates the essential obligations of Data Fiduciaries, highlighting the importance of restrictions on information usage, retention limitations, transparency, and accountability. Banks must ensure that data is treated responsibly and transparently, and they are liable for the actions of their linked Data Processors. Moreover, Sections 11 and 12 grant Data Principals the right to be informed about the use of their data and to request corrections where necessary. This allows clients to maintain control over their data, thus enhancing transparency and trust.
Section 13 necessitates the creation of a grievance redressal process, allowing Data Principals to express concerns to Data Fiduciaries. Should these issues remain unaddressed within the designated deadline, they may refer the situation to the Data Protection Board, which supervises privacy violations and ensures legal compliance.
EXEMPTIONS AND ENFORCEMENT
Banks may be excluded from complying with specific requirements of the Act in cases involving legal claims, fraud investigations, or financial recovery. However, these exemptions highlight the need for financial firms to establish thorough information governance and security frameworks to maintain compliance while ensuring operational efficiency. Section 18 introduces the Data Protection Board, charged with implementing the stipulations of the DPDPA and addressing privacy-related grievances. Non-compliance or data breaches could lead to significant penalties, with fines as high as Rs. 250 crore and blocking of services, in addition to other legal and sectoral penalties. In case of a conflict between the DPDPA and any other law, including sectoral regulations, the requirement under the DPDPA will prevail to the ‘extent of such conflict’.
CROSS-BORDER DATA TRANSFERS AND LOCALISATION REQUIREMENTS
The DPDPA also addresses cross-border data transfers, allowing for restrictions on the export of personal data outside India based on government directives. Banks outsourcing data processing to foreign entities must comply with these restrictions. Notably, the DPDPA has shifted from a “whitelisting” to a “blacklisting” approach, where specific countries may be restricted from handling Indian data. However, this does not affect other laws that impose stricter data localisation requirements, such as RBI’s Storage of Payment System Data guidelines and Guidelines on Digital Lending. This reflects a move towards aligning India’s data protection legislation with worldwide norms while maintaining strict protections for financial data.
RISK CONTROL
Financial institutions must designate a standalone data protection officer who will provide oversight to the board of directors and oversee the administration of risks related to digitized data. The risk management system must establish a structure for the periodic evaluation, monitoring, and disclosure of irregularities observed from a data perspective. Key Risk Indicators must be established to guarantee that any possible non-compliance with the Act’s provisions is routinely identified and reported, preventing breaches that could result in monetary fines.
IT INFRASTRUCTURE
The banking sector must recognize that robust data protection is not only a matter of regulatory compliance but an imperative to preserve the tenets established in the DPDPA. A security incident not only endangers data but also undermines trust. This will involve formulating and implementing sophisticated safety measures, integrating state-of-the-art cybersecurity methods, and acquiring skilled professionals for identifying threats, forecasting, and automating responses to security breaches. To preemptively recognize and tackle these obstacles, such organisations must implement a structure for regular Data Protection Impact Assessments, Access Reviews, and other Information Technology Security Audits to measure and mitigate the risks to confidentiality linked to the handling of information, as mandated by the DPDPA.
CONCLUSION
The DPDP Act brings revolutionary changes to the way consumer data is managed in India’s BFSI industry. However, guaranteeing that customers’ data privacy is respected and maintained also presents a chance for these businesses to build more trust and transparency with their clients. A major concern arises with the provision of Section 7 of the DPDPA, where processing of personal data is allowed without consent for ‘legitimate uses’ such as voluntary disclosure or other legal compliance, among others. A compelling case has to be made before the government and the sector regulators that existing financial legislation needs to be reviewed with respect to personal data and brought into compliance with the Act, so as to create a level playing field in the industry. The other major point of discussion is the transfer of data across borders. The DPDPA’s requirements on foreign data transfer can present challenges for companies that operate across the globe, especially businesses in sectors such as banking and finance, where data transfer across borders is frequent. These regulations can harm international business and cooperation, as companies may face difficulty in navigating the rather complex rules regarding the transfer of personal data across the Indian border.
India could also introduce effective measures in providing cross-border data transfer like the Standard Contractual Clauses of the European Union. Such contractual provisions would help the organisations exchange international data as per the strict norms set under the DPDPA. Further, India may negotiate with the major trading partners to adopt data protection rules and regulations suited to both parties through Bilateral and Multilateral agreements. This strategy would improve the international exchange of data and cooperation and stimulate global connections and economic interdependence.
The RBI has stressed better diligence and stricter implementation and has put more stress on the rules and regulations within the financial sector. To support this, awareness-raising on the DPDPA should be targeted at financial institutions to achieve the greatest coverage and awareness of its guidelines. This awareness is important when implementing the new regulations, as institutions will understand why the new regulations have been introduced and therefore embrace them.
Author(s) Name: Niharika Singh (National Law University, Odisha)