Fintech Market Overview

This article does not constitute legal advice.

Data protection in India


Financial institutions are typically bound by the existing laws on IT, cybersecurity and data privacy, including provisions for outsourcing. In this regard, the Reserve Bank of India has specifically stated that customers' credit information should not be shared with non-regulated parties (such as unregulated fintech organizations) without the customers' explicit consent. Additionally, the Information Technology Act and the ensuing rules require prior authorization to be obtained when collecting and disclosing sensitive personal data of individuals. [1]

Indian authorities require institutions to share customer information only when this is mandated by a court or a governmental entity as outlined in law. To balance data privacy concerns with the industry's need for data sharing, the Reserve Bank of India (RBI) created a new type of Non-Banking Financial Company (NBFC): the 'Account Aggregator' (AA). Account Aggregators act as regulated intermediaries that facilitate controlled and approved sharing of financial information, through compatible IT systems, with organisations providing financial services. [1]

According to the IT Act, 'sensitive personal information', which includes passwords and financial details, must be safeguarded. The entity receiving or collecting these details must produce a privacy policy and obtain consent from the affected user or data subject before disclosing any such information. This consent can be withdrawn at any time after it has been granted. If the information is to be transferred, whether within India or abroad, the conditions set by the Act must be adhered to. [1]

An entity may conduct digital profiling under the current data protection and privacy framework if it obtains the active consent of the user before collecting or using data. To bring India's data protection regime in line with more robust international standards, such as those set out by the European Union General Data Protection Regulation, the government is working to enact a comprehensive data privacy law. The Joint Parliamentary Committee recently unveiled the Data Protection Bill 2021 (DPB), formerly known as the PDP Bill, broadening its scope to cover non-personal data. There have been other notable modifications to the DPB too, such as excluding non-digitised information from its purview and adding stricter limitations on the movement of data by a fiduciary. When the legislation (subject to additional changes) eventually comes into effect, Indian fintech firms may need to set aside additional resources and time in order to comply with it. [1]


Indian Fintech Lawyers

Kristina Berkes


Participation as a lawyer at investment venture funds, leading venture M&A deals in IT, supporting iGaming and business assets

Denis Polyakov


Comprehensive legal services for businesses on corporate, tax law, cryptocurrency legislation, investment activities

  1. https://thelawreviews.co.uk/title/the-financial-technology-law-review/india