India: Data Protection in the Financial Sector

1. Governing Texts

1.1. Legislation

In August 2023, the Parliament of India enacted the Digital Personal Data Protection Act, 2023 (the Act), India's first comprehensive data protection legislation. However, provisions of the Act have not yet been brought into effect. Once implemented, the Act will, inter alia, prescribe the standards for data privacy to be maintained by individuals and entities. Till such time, the maintenance of privacy of certain sensitive data and personal information will continue to be regulated by the Information Technology Act, 2000 (the IT Act) and the rules made thereunder.

General applicability

Current law:

Data privacy in India is currently governed by the IT Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPDI Rules). The SPDI Rules prescribe various obligations to be implemented by corporate bodies (referred to as the data collector) that collect and process the personal information or sensitive personal data or information (SPDI) of a natural individual who is a provider of the said information (referred to as the data subject).

For the purposes of the SPDI Rules, personal information means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a data collector, is capable of identifying such person. In addition, the SPDI includes:

  • passwords;
  • financial information such as bank accounts, credit cards, debit cards, or other payment instrument details;
  • physical, physiological, and mental health conditions;
  • sexual orientation;
  • medical records and history; and/or
  • biometric information.

In this regard, Section 43-A of the IT Act holds data collectors receiving and handling sensitive personal data or information accountable for negligence in implementing and maintaining reasonable security practices and procedures in relation to sensitive personal data or information. Where negligence results in wrongful loss or wrongful gain to any person, the negligent data collector may be held liable to pay damages to the person(s) affected (particularly, the relevant data subject). Section 72-A of the IT Act deals with personal information and provides punishment for disclosure of information in breach of a lawful contract or without the data subject's consent.

New data protection legislation:

Once provisions of the Act are brought into force, the Act will repeal the SPDI Rules and will serve as a comprehensive legislation covering data protection and privacy in India. The Act will regulate the collection and processing of all personal data that is either collected in digital form or collected in non-digital form and subsequently digitized. Provisions of the Act have both territorial (collection and processing of personal data within the territory of India) as well as extraterritorial (collection and processing of personal data outside India, where such processing relates to the offering of goods and services to data subjects in India) applications. Under the Act, a person who alone or in conjunction with other persons determines the purpose and means of processing of personal data is referred to as a 'data fiduciary.'

The Act is modeled after the General Data Protection Regulation (GDPR) and provides a robust framework to protect the autonomy of individuals in relation to their personal data. It specifies the circumstances in which the flow and usage of personal data are appropriate and confers elaborate rights on individual data subjects with respect to their data.

Sector-specific regulation

In addition to the IT Act, certain banking secrecy laws and other regulatory laws in India also set out obligations to maintain the secrecy and confidentiality of data. Once the Act comes into effect, its data transfer provisions will clarify that, while personal data may be transferred to foreign countries that are not blacklisted by the Central Government of India, where a sectoral regulation (or any other law in force) imposes a higher degree of protection for, or restriction on, the transfer of personal data outside India, the restriction under such law will apply. Sectoral regulations cover the following aspects:

RBI directions

Data collectors shall always adhere to guidelines issued by the Reserve Bank of India (RBI) from time to time in relation to data privacy. The RBI has issued directions that require all banks and payment system providers to localize payment transaction data in India and restrict the storage of such data outside of India. The RBI has also issued directions in relation to safeguards for customer information and the arrangements that banks and non-banking financial companies (NBFCs) may have with third parties.

The Public Financial Institutions Act

The Public Financial Institutions (Obligation as to Fidelity and Secrecy) Act, 1983 prevents public financial institutions from divulging any information relating to the affairs of their clients.

The Banking Regulation Act

The Banking Regulation Act, 1949 (the Banking Regulation Act) and its associated regulations and norms also contain privacy principles in relation to regulating the collection, retention, and security of customer data.

The Credit Information Act

The Credit Information Companies (Regulation) Act, 2005 (the Credit Information Act) regulates the manner in which credit information companies handle data. The legislation sets out the obligations of credit information companies in relation to access to data, fidelity, and secrecy of the data, data collection and purpose limitation, disclosure norms, obligation to maintain confidentiality, and accuracy. In addition, the regulatory authority is empowered under the Credit Information Act to set out standards in relation to data retention from time to time.

The Bankers' Book Evidence Act

The Bankers' Book Evidence Act, 1891 prohibits officers of banks from making disclosures of bank records to any person other than if it is so ordered by a court of law for a specific reason.

The IRDAI Act

The Insurance Regulatory and Development Authority of India Act, 1999 (the IRDAI Act) obligates insurance providers to maintain the confidentiality of policy-holder information, including by having adequate security measures in place. Insurance providers must also ensure that any data disclosures made to third parties for services outsourced to such third parties would also be subject to such data privacy standards and the policies of such insurance providers. Insurance providers may only make legally compelled disclosures to statutory authorities under the IRDAI Act.

The AML Act

The Prevention of Money Laundering Act, 2002 (the AML Act) enables regulatory and investigating authorities to seek the disclosure of certain data. However, such disclosures must be subject to the provisions of the IT Act and the SPDI Rules.

The Income Tax Act

The Income Tax Act, 1961 sets out data protection requirements pertaining to bookkeeping and maintenance of information in relation to transactions. Income tax authorities are also entitled to seek the disclosure of certain personal information and/or SPDI, which shall be disclosed subject to the provisions of the IT Act and the SPDI Rules.

1.2. Supervisory authorities

The Ministry of Electronics and Information Technology (MeitY) is the regulatory authority for the purposes of the IT Act and the rules enacted under the IT Act.

The Act provides for the constitution of the Data Protection Board of India (the Board). Therefore, once the Act comes into force, the Board will serve as the supervisory authority under it and will be responsible for enforcing the provisions of the Act.

The RBI is the regulatory authority for all matters in relation to banking and financial services, including the enforcement of the data privacy requirements under the Banking Regulation Act, the Credit Information Act, and general directions released by the RBI from time to time.

The provisions of the IRDAI Act are enforceable by the Insurance Regulatory and Development Authority of India (the IRDAI). In addition, the Securities Exchange Board of India (SEBI), which regulates entities listed on stock markets in India, also governs data protection in listed companies under the Securities Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015 (the SEBI Disclosure Regulations).

The Banking Codes and Standards Board of India is an autonomous body that sets forth rules and codes of conduct for banking operations in India. These codes set out rules in relation to the privacy and confidentiality of customers' information. For instance, the codes specify that confidentiality of customer data must be maintained even after a customer has severed relations with the bank except when:

  • information is required by law or is required by the banking regulator;
  • disclosure is in the public interest;
  • the bank's interests require them to give the information (for example, to prevent fraud), but not for marketing purposes (unless specifically authorized by the customer); or
  • the bank has the customer's authorization to reveal the information or to give a banker's reference about the customer.

Limitation of supervisory powers

While various legislations enable regulatory authorities to seek disclosures from data collectors, such disclosures shall be subject to the applicable data protection laws (particularly the SPDI Rules governing the disclosure of SPDI).

Article 21 of the Constitution of India (the Constitution) provides a right to privacy, as established in the landmark case of Justice KS Puttaswamy and Anr. v. Union of India and Ors. [Writ Petition (Civil) No. 494 of 2012] (Puttaswamy). The Supreme Court of India (the Supreme Court) referred to India's obligations under international law in this case and held that the right to privacy is an inalienable fundamental right that flows from the right to life guaranteed under the Constitution. The Supreme Court also held that any law that encroaches upon the right to privacy of a person is subject to a three-fold requirement, where such encroachment must be:

  • legal, which means it must be supported or permitted by law;
  • necessary, which would be defined in terms of a legitimate State aim; and
  • proportionate, which means that there should be a rational nexus between the State's objects and the means adopted to achieve them.

Consequently, the data protection laws in India, as limited as they may be in scope and detail at this time, are subject to the key principles laid down in KS Puttaswamy. Any data disclosure demands from statutory or regulatory authorities will be subject to the same principles.

2. Personal and financial data management

As explained above, the personal information and SPDI of individuals in India are currently protected by the provisions of the SPDI Rules. The management of such personal data or information across various industries and sectors differs. However, the principles adopted by companies are similar and subject to the SPDI Rules.

2.1. Legal basis for processing

Current law:

Under the IT Act and the SPDI Rules, a data collector is required to obtain the prior written/electronic consent of a data subject before collecting SPDI from that data subject. Furthermore, as per the SPDI Rules, a data collector may only collect personal information after providing the following information to a data subject:

  • the fact that information is being collected;
  • the purpose for which the personal information is being collected;
  • intended recipients of the personal information; and
  • the name and address of the agency that is collecting and retaining the information.

Data collectors must enable data subjects to withhold SPDI or withdraw consent to the disclosure or retention of SPDI by the data collectors at any time, in writing.

New data protection legislation:

Under the Act, a data controller (i.e., a data fiduciary) may collect and process data with the consent of the data subject or for certain legitimate uses (as specified in the enactment). Notably, the scope of 'legitimate uses' under the Act is much narrower than the scope of the term 'legitimate purposes' under the GDPR. Some legitimate uses include:

  • employment purposes;
  • compliance with obligations imposed by law; and
  • circumstances where the data subject voluntarily provides their personal data for a specified purpose and does not state that they do not consent to the processing of their data for such specified purpose.

Where the purpose for collection and processing falls within the ambit of legitimate use, the data controller does not need to seek consent from the data subject prior to the collection and/or processing of such data.

2.2. Privacy notices and policies

Current law:

While it is not a sector-specific requirement, the SPDI Rules do require data collectors across industries to adopt and provide a detailed privacy policy for their data subjects. Banks, financial institutions, and any other entity in the financial sector acting as a data collector shall publish their privacy policies on their website, which policy must specify the following:

  • clear and easily accessible statements of its practices and policies;
  • type of personal information or SPDI collected;
  • purpose of collection and usage of such information;
  • disclosure of information, including SPDI as provided in Rule 6 of the SPDI Rules; and
  • reasonable security practices and procedures as provided under Rule 8 of the SPDI Rules.

New data protection legislation:

While the Act does not specifically regulate privacy policies, it does prescribe the requirements for valid privacy notices/consent notices. Where consent forms the basis for collection and/or processing personal data, the Act prescribes that a data controller must issue a notice to the data subject prior to or at the time of collection of data. This notice must include the following information:

  • type of personal data collected/processed;
  • purposes for which such personal data is being collected/processed;
  • manner in which the data subject may exercise their rights under the Act; and
  • manner in which the data subject may make a complaint to the Board for any grievance with respect to their personal data being processed.

Further, the data controller must provide the option to data subjects to view the notice in English or any of the 22 languages specified in the Eighth Schedule of the Constitution of India.

2.3. Data security and risk management

The IT Act and the SPDI Rules

The treatment of personal information and SPDI, including the data collectors' handling and storage of, and access to, such information, is regulated far more heavily than any other data or information. The reasonable security practices and procedures specified in Rule 8 of the SPDI Rules apply to such data collection, handling, transfer, and storage.

Such reasonable security practices and procedures include having a documented and comprehensive information security program and information security policies that contain managerial, technical, operational, and physical security control measures that are commensurate with the information assets being protected and the nature of business. A data collector must be able to demonstrate, if so required by a regulatory authority, that it has implemented such security control measures in accordance with its information security program and policies. The SPDI Rules recommend adherence to the International Organization for Standardization standard IS/ISO/IEC 27001. An audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year or as and when the body corporate or a person on its behalf undertakes a significant upgrade of its processes and computer resources.

Data collectors must also appoint a grievance officer in case of unauthorized or illegal disclosure of personal information or SPDI. Such grievance officers must address grievances of data subjects within one month from the date of receipt of the notice of grievance.

The Act

Unlike the IT Act and the SPDI Rules, the Act regulates the collection and processing of all personal data in the same manner. The Act requires data controllers to implement appropriate technical and organizational measures to ensure that the provisions of the Act are effectively observed. We expect the rules for implementation of the Act to clarify the precise measures that data fiduciaries may be required to take. Data controllers are also mandated to take reasonable security safeguards to prevent personal data breaches. Notably, the Act does not directly impose obligations on data processors engaged by data controllers. Data controllers will be liable for their own actions as well as the actions of the processors engaged by them.

Separately, data controllers are mandated to designate a data protection officer (DPO) (in case the data controller is categorized as a significant data fiduciary by the Central Government) or appoint any other officer who will be responsible for responding to communications from data subjects regarding the exercise of their rights and/or grievances raised by them.

RBI issuances

The RBI has been active in addressing the Basel norms issued and updated by the Basel Committee on Banking Supervision from time to time. India introduced the Basel III norms in 2013 and announced that implementation would be carried out in a phased manner. The RBI issued the Master Circular on Basel III Capital Regulations, 2015 (the Master Circular on Basel III Norms) setting out the applicability of the norms in India. The Master Circular on Basel III Norms sets out various provisions in relation to data adequacy and quality in relation to the collection of information for internal assessment and risk management. Paragraph 14.7 of the Master Circular on Basel III Norms requires banks to maintain a formal disclosure policy to determine the type of disclosures they may make based on their internal controls. Banks must also have a procedure in place to assess the accuracy of disclosures, including validation and frequency.

The RBI also requires banks to comply with the Cyber Security Framework in Banks, 2016 (the Cybersecurity Framework). The purpose of this framework is to enhance the resilience of the Indian banking system by improving the defenses adopted by banks in addressing and managing cyber risks. The Cybersecurity Framework requires banks to adopt incident response management and recovery frameworks to deal with adverse incidents/disruptions when they occur. It also mandates a board-approved cybersecurity policy, continuous surveillance, incident reporting, and compliance with baseline technology requirements.

Similarly, the RBI requires NBFCs to comply with its Master Direction on Information Technology Framework for the NBFC Sector, 2017 (the NBFC Framework). The purpose of the NBFC Framework is to ensure that the NBFC industry's IT framework, business continuity planning, disaster recovery management, IT audit, etc. are benchmarked to best practices. The NBFC Framework focuses on IT governance, IT policy, information and cybersecurity, IT operations, information security audits, business continuity planning, and IT services outsourcing.

The RBI has also introduced the draft Master Directions on Cyber Resilience and Digital Payment Security Controls for Payment System Operators, a draft framework of security controls to be implemented by payment system operators, covering robust governance mechanisms for the identification, assessment, monitoring, and management of cybersecurity risks by payment system operators.

2.4. Data retention/record keeping

Data storage and maintenance of records by data collectors are currently governed by the SPDI Rules. The SPDI Rules specify the distinction in the level of protection for general data, personal information, and SPDI.

'Data' or general data is defined under the IT Act as a representation of information, knowledge, facts, concepts, or instructions which are being prepared or have been prepared in a formalized manner and are intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer. This type of data is not expressly protected by the SPDI Rules, and there are no guidelines regulating the retention of such data.

The IT Act and the SPDI Rules require data collectors to preserve the information collected for such a period of time as notified by the Government of India from time to time. However, at present, there is no time period prescribed for which such information is to be preserved. The SPDI Rules specify that any SPDI collected by data collectors can only be retained for the period within which SPDI is required for lawful use as indicated to the data subject at the time of collection of SPDI. Data collectors must not retain SPDI for a period longer than required for such purpose.

Likewise, under the Act, a data controller is only permitted to retain a data subject's personal data as long as the data subjects do not withdraw their consent for the processing of data or the specified purpose for which the data was collected continues to be served, unless the retention is required under any law in force.

In the financial and banking sector, banking companies and financial institutions are required to maintain records of all transactions and store sensitive information of their customers. In order to update and maintain valid information, the RBI requires banks and financial institutions to collect, update, and maintain customer records to enable the identification of any fraud or suspicious activity. These entities may be asked to release certain information under extant laws such as the AML Act, subject to the SPDI Rules. The RBI requires these entities to maintain records of all transactions for a minimum period of five years from the date of the transactions. The identification records of clients must be maintained for a period of five years after the termination of such a business relationship.

Banks are also required to maintain certain registers including ledgers pertaining to loans, remittances, overdrafts, etc., and other documentation (pay-in slips, vouchers, paid cheques, etc.) for a period of eight years under the Banking Companies (Period of Preservation of Records) Rules, 1985.

Listed companies have separate time frames for data retention. However, this does not apply to personal data or SPDI, which is governed by applicable data protection legislation (i.e., the SPDI Rules and subsequently, the Act). The SEBI Disclosure Regulations obligate listed companies in India to frame a policy for the preservation of records and documents of the company. The SEBI Disclosure Regulations distinguish between the maintenance of electronic records with respect to documents that are to be preserved permanently and documents to be preserved for eight years or more after completion of the relevant transactions. Listed entities are required to disclose all such events or information that have been disclosed to stock exchange(s) under the SEBI Disclosure Regulations on the entity's website for a minimum period of five years. Once the five-year period expires, such data can be retained as per the archival policy of the listed entity.

3. Financial reporting and money laundering

The AML Act defines 'reporting entities' as entities required to maintain and comply with AML measures pursuant to the provisions of the AML Act and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 (the AML Rules). Reporting entities include the following:

  • banking companies, as defined under the Banking Regulation Act;
  • financial institutions, as defined under the Reserve Bank of India Act, 1934, including NBFCs, insurance companies, etc.;
  • intermediaries (a wide-ranging term extending to various players in the financial market such as stockbrokers, sub-brokers, share transfer agents, bankers, trustees to trust deeds, registrars, merchant bankers, underwriters, portfolio managers, investment advisers, depositories and depository participants, custodians of securities, foreign institutional investors, credit rating agencies, venture capital funds, etc.); and
  • persons carrying on designated business or profession.

Reporting entities are obligated to adhere to a fixed customer identification procedure while undertaking a transaction. The RBI issued Master Directions on Know-Your-Customer (KYC) Direction, 2016 (the KYC Direction) regarding KYC compliance of customers of certain reporting entities. Customer due diligence means identifying and verifying the customer and the beneficial owner using 'officially valid documents' as proof of identity and proof of address.

By way of setting out processes to identify the data required by the statutory authorities and the collection of such data by the reporting entities, the Central Registry of Securitisation Asset Reconstruction and Security Interest of India (the KYC Registry) currently maintains a centralized KYC records registry for the four main regulators of the financial sector in India, being the RBI, the SEBI, the IRDAI, and the Pension Fund Regulatory and Development Authority (PFRDA). Reporting entities are required to file each customer's KYC record with the KYC Registry at the time of collection of the KYC data.

The AML Act obligates every reporting entity to maintain records of all transactions, submit periodic reports, and notify and furnish information regarding any suspicious transactions to the Director of the Financial Intelligence Unit-India (the FIU-India) in accordance with the AML Rules.

4. Banking secrecy and confidentiality

India imposes secrecy and confidentiality obligations on banks. The scope of banking secrecy law in India has generally followed common law principles based on implied contracts. The RBI is India's central bank, regulates the banking sector in India, and has issued circulars relating to banking secrecy. The RBI Master Circular on Customer Service in Banks, 2015 states that banks' obligation to maintain secrecy arises out of the contractual relationship between the bank and the customer, and no information should be divulged to third parties except under well-defined circumstances. The exceptions to the rule of secrecy are:

  • where disclosure is under compulsion of law;
  • where there is a duty to the public to disclose;
  • where the interest of the bank requires disclosure; and
  • where the disclosure is made with the express or implied consent of the customer.

Further, in the KYC Direction, the RBI stated that when considering requests for data/information from the Government or other agencies, banks are required to satisfy themselves that the information being sought is not of such a nature as will violate the provisions of laws relating to secrecy in banking transactions.

Under the AML Act, banks are required to proactively furnish information to the Director of the Financial Intelligence Unit (FIU)-India in case of suspicious transactions or upon request. Any information received or obtained by the Director may be disclosed to any authority, office, or body performing functions under law if it is determined to be in the public interest.

5. Insurance

The IRDAI imposes additional requirements on insurance companies, over and above the requirements of the SPDI Rules, mandating insurance companies in India to ensure confidentiality.

The IRDAI (Protection of Policyholders' Interests) Regulations, 2017 state that insurers shall, at all times, maintain total confidentiality of policyholder information, unless it becomes necessary to disclose the information to statutory authorities due to the operation of any law.

The IRDAI (Maintenance of Insurance Records) Regulations, 2015 require insurers to ensure that their records are complete and accurate, and the systems where the records are stored have necessary security features. The records must also be stored exclusively in India.

The IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017 (the IRDAI Outsourcing Regulations) require insurers to ensure that their outsourcing service providers:

  • maintain the confidentiality of policyholder information;
  • have adequate security policies to ensure confidentiality and security of policyholder information; and
  • in the case of termination of the outsourcing agreement, ensure that customer data is retrieved and not used by the outsourcing service provider.

The IRDAI Information and Cyber Security Guidelines, 2023 require insurers (including insurance intermediaries) to implement the specific policies and guidelines prescribed thereunder to strengthen their defenses as well as deal with emerging cyber threats.

6. Payment services

The RBI regulates payment services under the Payment and Settlement Systems Act, 2007 (the PSS Act). The PSS Act defines 'payment systems' as systems enabling credit card operations, debit card operations, smart card operations, money transfer operations, or similar operations and requires payment system providers to ensure the confidentiality of documents or any other information obtained from participants in the payment system, except where such disclosure is to comply with orders passed by a court of competent jurisdiction or statutory authority in the lawful exercise of its powers.

The RBI Circular on Storage of Payment Data, 2018 requires all payment system providers to ensure that all data relating to the payment systems operated by them are stored in India. This data includes full end-to-end transaction details and information that is collected, carried out, and processed as a part of payment instructions. In case of a transaction involving a foreign leg, a copy of the data can also be stored in the foreign country, if required.

7. Data transfers and outsourcing

Current law:

As noted above, the SPDI Rules also lay down various procedures and obligations that need to be observed at the time of collection, transfer, or disclosure of SPDI, along with certain required reasonable security practices and procedures.

For example, in the event a data collector wishes to transfer the SPDI of a data subject to a third party, such transfer will be subject to the following:

  • the recipient of such SPDI shall maintain the same level of data protection adhered to by the data collector; and
  • the consent of the data subject, unless the transfer of SPDI is required for one of the following reasons:
    • performance of a lawful contract between the data collector and the data subject; or
    • compliance with a legal obligation.

In practice, a data collector should enter into a data transfer or data sharing agreement with the third party to whom the SPDI or any other data may be provided to ensure compliance with the data protection standards maintained by the data collector.

The only exception for the requirement to obtain consent for disclosure of SPDI under the SPDI Rules is if such disclosure is for the performance of a lawful contract between the data collector and the data subject, or compliance with a legal obligation.

New data protection legislation:

The Act also requires consent from the data subject prior to any disclosure or transfer of personal data to third parties, unless the processing falls within the Act's list of legitimate uses. It further provides that where a data controller engages a data processor to process personal data on its behalf, it must do so under a valid contract with the processor and must implement reasonable security safeguards to protect the data transferred to that processor against breaches.

Account aggregation

The RBI Master Direction – Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016 is a framework for financial information to be shared by banks and other financial information providers (regulated by the RBI), subject to the consent of the customer whose information is to be shared. This information may be shared with any entity registered with and regulated by the RBI, the SEBI, the IRDAI, and the PFRDA. The sharing of information takes place through an NBFC registered with the RBI as an account aggregator.

Outsourcing by banks

The RBI Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by Banks, 2009 requires banks to ensure preservation and protection of the security and confidentiality of customer information in the possession of service providers. In this regard, banks are required to implement controls in their outsourcing agreements to ensure customer data confidentiality and service providers' liability in case of breach of security and leakage of confidential customer-related information. Further, access to customer information by the staff of service providers must be on a 'need to know' basis, which is information required only to perform the outsourced function.

Banks are also required to ensure that service providers can isolate and clearly identify the bank's customer information, documents, records, and assets, so as to protect the confidentiality of the information. Where the service provider acts as an outsourcing agent for multiple banks, strong safeguards must be built in to ensure that there is no commingling of information, documents, records, and assets. Banks must review and monitor the security practices and control processes of the service provider on a regular basis, and must require the service provider to disclose security breaches, which the bank must then immediately report to the RBI. In case of a breach of confidential customer information, the bank remains liable to its customers for any resulting damage.

Outsourcing by payment system operators

The obligations of payment system operators, in relation to their outsourcing activities, are identical to those of banks, in accordance with the RBI Framework for Outsourcing of Payment and Settlement Related Activities by Payment System Operators, 2021.

Outsourcing by insurers

The IRDAI Outsourcing Regulations require insurers to implement a board-approved outsourcing policy. The policy must cover, amongst other things, a framework for assessing the risks involved in outsourcing with respect to the confidentiality of data. Further, outsourcing agreements must contain clauses and conditions that ensure data security and the protection of confidential information. Lastly, as discussed above, insurers must ensure that their outsourcing service providers:

  • maintain the confidentiality of policyholder information;
  • have adequate security policies to ensure confidentiality and security of policyholder information; and
  • in the case of termination of the outsourcing agreement, ensure that customer data is retrieved and not used by the outsourcing service provider.

8. Breach notification

Under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (the CERT-In Rules), all intermediaries, service providers, data centres, and bodies corporate are required to report cybersecurity incidents to the Indian Computer Emergency Response Team (CERT-In) within a reasonable time of their occurrence.

Further, there are sector-specific reporting requirements in addition to those under the CERT-In Rules. For example, the RBI requires banks to report cybersecurity incidents to the RBI within two to six hours of discovery, and the IRDAI requires insurers to report cybersecurity incidents to the IRDAI within 48 hours of discovery. Likewise, SEBI requires listed companies to report cybersecurity incidents to SEBI.

In addition, the Act requires that every personal data breach be notified to the Board and to each affected data subject, in the form and manner to be prescribed by the rules made under the Act.

9. Fintech

Payment systems are regulated by the RBI under the PSS Act (see the section on payment services above). For example, the RBI has issued guidelines and directions on payment aggregators (PAs) and on card tokenisation. PAs are entities that enable e-commerce sites and merchants to accept various payment instruments from customers. Neither PAs nor merchants may store customer card credentials; however, under the RBI card tokenisation framework, both are permitted to store tokenised card information so that customers can make repeat payments without re-entering card details.

Insurtech entities are regulated by the IRDAI. Insurance intermediaries must comply with specific regulations and codes of conduct. Insurance web aggregators (IWAs), for example, must comply with the IRDAI (Insurance Web Aggregators) Regulations, 2017, which require IWAs to:

  • treat all information supplied by prospects as completely confidential to themselves and to the insurer(s) to whom the business is being offered; and
  • take appropriate steps to maintain the security of confidential documents in their possession.

The regulations and codes of conduct for insurance intermediaries, relating to data protection, are generally consistent for all insurance intermediaries.

10. Enforcement

The IT Act and the SPDI Rules

Failure to comply with the SPDI Rules attracts the following consequences:

  • under Section 43-A of the IT Act, compensation to an affected individual for a body corporate's negligence in implementing and maintaining reasonable security practices and procedures to secure SPDI, with no cap on the quantum of damages payable;
  • under Section 72-A of the IT Act, imprisonment for up to three years, a fine of up to INR 500,000 (approx. $6,002), or both, for disclosing personal information in breach of a lawful contract or without the data subject's consent; and
  • imprisonment for up to one year, a fine of up to INR 100,000 (approx. $1,200), or both, for a body corporate's failure to provide information to, or otherwise comply with the directions of, CERT-In in relation to cybersecurity incidents under the IT Act.

The Act

Non-compliance with the Act may result in the imposition of a monetary penalty, which can range from INR 500 million (approx. $6 million) to INR 2.5 billion (approx. $30 million) depending on the contravention.

The AML Act

Under the AML Act, the following are punishable with imprisonment for up to two years and a fine of up to INR 50,000 (approx. $600):

  • providing false information under the AML Act; and
  • an officer or authority conducting a vexatious search without reasons recorded in writing.

Further, any other non-compliance with the AML Act is punishable with a fine of not less than INR 10,000 (approx. $120) and up to INR 100,000 (approx. $1,200) for each failure to comply.

The PSS Act

Any person who violates the data confidentiality obligations of a payment system provider may be punished with imprisonment for up to six months, or with a fine of up to INR 500,000 (approx. $6,002) or an amount equal to twice the value of the damage caused by the disclosure, whichever is higher, or with both. Where the violation is committed by a company, every person who was in charge of the company at the time of the violation is also liable to punishment.

The RBI and the IRDAI

Non-compliance with the RBI and the IRDAI guidelines, directions, and regulations may result in the cancellation and suspension of licenses.

The SEBI

Failure by a company to comply with the provisions of the SEBI Disclosure Regulations would result in the imposition of fines, suspension of trading, the freezing of the securities of the promoter group, or any other action that the SEBI deems fit.

11. Additional areas of interest

The data protection landscape in India is likely to continue to evolve in the coming years. The Act is still in its early stages of implementation, and there is likely to be further clarification of the law from the courts and regulators. In addition, the Government is expected to introduce new regulations to address emerging data protection issues, such as artificial intelligence (AI) and cross-border data transfers.

Financial sector regulators are taking proactive measures to regulate the data processing practices of industry participants, particularly with regard to data processed using advanced technologies and AI, recognizing the inherent risks associated with such data processing practices.

Financial institutions will need to stay up to date on the latest developments in data protection law and regulations to ensure that they are compliant. They will also need to continue to invest in data governance and security measures to protect the personal data of their customers.

Probir Roy Chowdhury Partner
[email protected]
J. Sagar Associates, Bengaluru
