Fintech Market Overview

This article does not constitute legal advice.

Data protection in India

Financial institutions are generally required to adhere to the extant legal framework on information technology, cybersecurity and data confidentiality, including in outsourcing arrangements. To this end, the RBI has issued specific restrictions on banks and non-banking lenders sharing customers' credit information with non-regulated entities (such as unregulated fintech companies) without seeking the explicit consent of customers. Under the Information Technology Act (the IT Act) and the rules issued under it, there is also a general requirement to seek the consent of data subjects prior to collection and disclosure of their sensitive personal data. [1]

With respect to mandatory data sharing, institutions in India are only obliged to share customer information where the disclosure is required pursuant to an order of the court, or a government body as prescribed under law. However, to balance data privacy concerns with the industry's increasing need for open data sharing, the RBI has recently operationalised a new category of NBFCs called 'account aggregators' (AAs). AAs are regulated data-access intermediaries that facilitate secure and consent-based sharing of financial data through an interoperable and technology-agnostic framework with entities providing financial services. [1]

The IT Act governs data protection and security practices in India. Under it, 'sensitive personal information' is characterised as personal information relating to passwords, financial information and so on. Entities that collect, receive, possess or handle this sensitive personal information are required to provide a privacy policy, and when collecting or disclosing the information they must obtain consent from the relevant user or data subject, which can later be withdrawn. Transferring this information to an entity or person within or outside India is allowed, subject to certain conditions. [1]

Under the extant data protection and privacy framework, an entity is only required to obtain the active consent of a user in relation to the collection or usage of data, pursuant to which the entity may carry out digital profiling. However, the government has been working towards introducing comprehensive data privacy legislation, to bring the data protection regime in India in line with more robust international standards, such as the European Union's General Data Protection Regulation. Recently, the Joint Parliamentary Committee released a report on proposed changes to the PDP Bill and renamed it the Data Protection Bill 2021 (DPB), expanding the scope of the proposed legislation to include non-personal data. A few other key changes to the DPB include the exclusion of non-digitised data from its scope and the introduction of greater restrictions on the transfer of data by a data fiduciary. Once the DPB (subject to further changes) is finally enacted, fintech companies in India may be required to invest additional resources and time to be compliant with the new regime. [1]

Indian Fintech Lawyers

Ilya Druzhinin

I have over 22 years of experience in legal practice, most of which is accompanied by e-com and fintech projects

Languages: RU EN

  1. https://thelawreviews.co.uk/title/the-financial-technology-law-review/india