BY VISHWAROOP CHATTERJEE AND NACHIKETA NARAIN, SECOND-YEAR STUDENTS AT RGNUL, PATIALA.
Introduction
The intersection of banking and data protection is perhaps the next big leap for both sectors. The banking sector is one of the most exposed and vulnerable spaces for massive data breaches that can have severe financial and legal consequences. The lack of an effective cybersecurity infrastructure will lead to an onslaught of cyber-crimes such as fraudulent financial activities, phishing, data selling, ransomware, etc. The Government has introduced the Digital Personal Data Protection Act (‘DPDP Act’) and the proposed Digital India Act, which shed positive light on the government’s intention regarding data protection. However, the mere introduction of legal provisions is not the solution; corporations have been notorious for acting as data brokers, which results in data leaks. As a result, financial data has always been prone to data breaches.
In this article, the authors analyse the current laws that govern data protection, with an understanding of the DPDP Act and its emphasis on the role of the RBI as the watchdog of data privacy in the banking sector.
Failure To Comply with Data Protection Protocols: The Kotak Mahindra Bank Incident
Digital banking is the new norm, and yet banks have been failing to equip themselves with a robust digital infrastructure for the protection of their consumers’ data. The recent action against Kotak Mahindra Bank by the apex financial institution (‘RBI’) under Section 35A of the Banking Regulation Act, 1949 is an example of the failure of banks to equip themselves with robust digital infrastructure for the protection of consumer data. The RBI has barred the bank from onboarding customers through its online service platforms and from issuing new credit cards. According to the RBI, Kotak Mahindra Bank failed to comply with various data protection protocols, and deficiencies were identified in IT inventory management, vendor risk management, data security, data leak prevention strategy, etc. The RBI had notified the bank in 2022 and 2023 about the security lapses and provided it with a corrective action plan, which Kotak Mahindra failed to comply with. A well-established Indian bank failing to meet the RBI’s data protection protocols is a worrisome event, as other banks might follow if such lapses are left unchecked.
Data Privacy in Banking Sector
In the case of HDFC Bank Limited v. Jesna Jose, it was held that, with the advent of the digital age, the bank must be held liable for any unauthorised transaction or fraudulent activity arising out of the bank’s negligence. This was done to keep a watch on banks’ data privacy systems and to ensure that they minimise any unauthorised or fraudulent activity. The judgement relied upon the precedent set by Chairman, Punjab National Bank v. Leader Valves Ltd, which held that if the bank manages the account, it is incumbent upon the bank to ensure the safety and security of the account. Section 43(a) of the Information Technology Act, 2000 deals with the liability of a corporate body to compensate in instances of failure to protect sensitive data. Most importantly, the Master Direction issued by the RBI on IT outsourcing services serves as a cornerstone for keeping third-party data processors in the financial ecosystem in check.
One question that may arise here is whether the RBI has the legal jurisdiction to enforce data privacy compliance on banks. In the case of Internet & Mobile Assn. of India v. RBI (2020), one of the issues was the jurisdiction of the RBI in matters not directly linked with traditional monetary policy. The judgement held that the RBI is not just any other statutory body but a creature of its own statute that can exercise its powers in its capacity for policymaking, operational risk management or regulatory enforcement, and that such directions become supplementary to the Reserve Bank of India Act, 1934 itself. Hence, it becomes a duty for banks to comply with the data privacy directives of the RBI.
Analysis and Suggestions to the DPDP Act
In the digital economy, consumers utilise the financial services offered to them by giving up their personal data. This trade of confidential data for financial services is a highly sensitive arrangement that must be backed by sturdy mechanisms protecting the confidentiality of sensitive data from misuse.
The most prominent issue that arises with the DPDP Act is that it has failed to differentiate between personal data and sensitive personal data. Section 2(h) of the Act defines data as the representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means. This classification may be too vague in the realm of the banking sector, which deals with highly sensitive consumer data that needs greater protection than other personal data, since it contains sensitive financial information in addition to personal information.
The first suggestion is to classify the various types of data that need regulation. The vague definition is restrictive for the efficient regulation of different data sets; therefore, data sets should be categorised. The EU GDPR, the UK GDPR, and US state laws like the California Consumer Privacy Act categorise certain types of data as ‘sensitive’ and deserving of extra protection. The DPDP Act can take a similar approach. This would give data fiduciaries in the banking sector the clarity to regulate sensitive financial data with a well-defined approach.
Moreover, the DPDP Act has misaligned accountability with respect to data fiduciaries and data processors. It defines data fiduciaries essentially as corporations that possess customer data and determine how the data will be processed. A data processor, by contrast, is an entity that processes the data on behalf of the fiduciary. The DPDP Act focuses on guidelines for the data fiduciary and leaves data processors with minimal regulation. The only significant provision for data processors is sub-section (9) of Section 9, which states that a data fiduciary must have a contract with the data processor.
The DPDP Act falls short of providing the necessary clarity for processors on how to handle such data. Firstly, it fails to specify the security controls that processors are expected to implement. Secondly, the Act is deficient in outlining clear protocols for processors to follow in the event of a security lapse. Lastly, the Act neglects to establish clear guidelines for handling requests for data from government authorities, resulting in ambiguity and potential liability issues.
This makes it clear that there are hardly any guidelines or standards ensuring that data processors undertake their responsibilities in a safe and secure manner so as to protect the sensitive data they handle; these data processors can ultimately emerge as the ‘unruly horse’ of the digital realm. This necessitates the framing of standards with which data processors must comply. Chapter 5 of the RBI’s Master Direction, which clearly outlines the rules governing agreements with data processors, can be referred to for this purpose.
Hence, the second suggestion is to properly define the roles of data processors in the DPDP Act, as the RBI has done for its regulated entities, by clearly laying out a roadmap that gives data processors directions on data breaches, storage of data, risk management, etc. The relationship between data fiduciaries and data processors cannot be adequately governed by a mere contractual agreement.
Some of the directions for data processors can be drawn from the RBI Master Directions. Under these, service providers (similar to data processors) are required to define the services they will deliver and the standards they will adhere to in terms of quality and quantity. Moreover, the service provider is responsible for maintaining the confidentiality and security of the data of the ‘Regulated Entity’ (similar to a data fiduciary), whether pertaining to its customers or to the entity itself. The agreement should define which data the service provider may share with other entities.
Conclusion
The world of technology is adapting, and the banking and finance world cannot be left behind. The RBI must act as the custodian of data privacy in the realm of banking and finance. The current DPDP Act needs revision and must be harmonised with the RBI directives to provide better clarity on data protection for the finance world.
Moreover, it is essential for the DPDP Act to categorise the various data types, as they may be susceptible to varying levels of risk. The Act must also adapt or incorporate the RBI’s Master Directions on IT outsourcing to clearly establish the roles of data fiduciaries and data processors. The legal ambiguity surrounding data processors is a regulatory gap that must be addressed to create an efficient digital banking sector. India’s digital economy generates about $200 billion of economic value, and India is also the second-fastest digitising economy. Therefore, it is necessary for India to advance these data protocols. A secure digital infrastructure provides consumer trust and safety, which paves the way for a resilient and sustainable banking sector.

