The Reserve Bank of India has sought exemption from the country’s proposed Personal Data Protection Law for its regulatory, policy, and supervisory functions, and does not want financial data of individuals to be classified as sensitive personal data, according to people familiar with the matter who spoke on condition of anonymity because the law is yet to be finalised.
“We would request that the monetary, regulatory and supervisory functions of the RBI as well as its role as the operator of payment systems may be exempt from the purview of the Bill,” the central bank said in a note, the contents of which have been reviewed by media.
And treading financial data as sensitive personal data may may have a “dampening effect” on India’s efforts at financial inclusion, it added.
Both are in keeping with international norms. For instance, the UK and Europe’s data protection laws exempt central banks from their purview, and do not classify financial data as sensitive personal data; only biometric and health data, and such things as sexual orientation, religious beliefs, union membership and political opinion are classified as sensitive personal data in these countries. The latter require special and extra security while processing.
Indeed, in its note, RBI has cited the exemption provided to the Bank of England from the UK’s personal data protection act and a similar exemption to the central bank in Malaysia: “We would request that the monetary, regulatory and supervisory functions of RBI as well as its role as the operator of payment systems may be exempt from the purview of the Bill.”
A banker said that RBI routinely deals with lots of data on banks and financial institutions in its role as a regulator and supervisor. It has data on senior bank employees; it has data on the clients of banks; and much of this is needed to ensure compliance, prevent frauds, and ensure the smooth running of the system, this person added, asking not to be named.
The banking regulator has gone a step further and suggested that instead of the Central government, “sectoral regulators be given the power to classify personal data as critical.” Any critical data, according to the proposed act, can be processed only in India.
Objecting to classification of financial data as sensitive personal data , RBI’s note maintained that this would lead to higher compliance and explicit consent, which “would translate to increase in costs for providing services to customers. Financial inclusion efforts rely on lower service charges for offering basic banking services. The increase in costs would compel banks to increase the charges associated with offering banking services.”
RBI’s note also pointed out that countries such as the UK, France, Germany and Italy do not make such a classification.
Privacy experts said the RBI cannot legally claim an exemption from the obligations that stem from the 2017 Supreme Court ruling as the Puttuswamy judgment, which upheld privacy as a fundamental right for Indian citizens. “What the bill does is flesh out that right in terms of the actual actions that need to be done. Even if the PDP bill does not apply to them, they can still be held liable under the Puttuswamy judgment,” said Rahul Matthan, partner-lawyer at the law firm Trilegal and author of Privacy 3.0.
“Provisions of the PDP bill are clarificatory in nature to explain principles of minimisations and proportionality,” he added.
The Personal Data Protection bill, introduced in Indian Parliament in 2019, aims to create the first legal framework to protect privacy of the country’s citizens after it was held as a fundamental right by the Supreme Court in 2017. In the digital landscape where data is the key asset, the bill lays down the obligations of entities or data fiduciaries handling personal data and the rights that the owners of the data (termed as data principals).
In the bill, financial data, in addition to biometrics and information about health, gender, genetics etc, is defined as sensitive personal data on which certain strict rules on consent, processing and storage apply. For instance, any entity dealing with sensitive personal data has the onus to prove that consent was obtained in an informed manner and that it will have the legal obligation in case the consent is withdrawn by the data principal.
The banking regulator underlined that the data retention period mandated by the bill is not in alignment with the RBI circulars on data storage. These mandate that if processing is done abroad, payment data should be deleted from the systems abroad and brought back to India within 24 hours.
“For cross-border transactions, RBI has allowed storage of copy of payment data abroad. In case of banks, especially foreign banks, RBI has allowed storage of banking data abroad. But the provisions of the bill do not enable such storage,” the note said.
Pointing out that Clause 33(2) empowers the Centre to classify personal data as critical and mandate its processing exclusively within India, RBI argued, “This will take away Reserve Bank’s power to say what data can be stored and processed in India.”
Seeking exemptions for its functions from the proposed legislation, RBI pointed out that it works towards the grater objectives of ensuring monetary and financial stability, strengthening banking and non-banking system and regulating payment process. “The personal data collected by RBI is incidental to the functions and not for deriving any commercial gain,” it said.
It said that data is collected by regulated entities and not directly by RBI and as “data fiduciaries, the entities themselves would have met the obligations towards data principals.”
It further stated that as the owner and operator of RTGS and NEFT, India’s key payment routes, “it would not be practical for RBI to give notice, obtain consent etc, in carrying out the payment system actively.”
RBI has suggested that clauses may be amended to exclude regulatory statues such as RBI Act, the Banking Regulation Act, Payment and Settlement System Act from the overriding reach of the data protection law.
The bill does have exemptions that allow personal data to be processed for protecting national security, pursing investigations and complying with court orders, and for journalistic purposes.