This is part 1 of the 2 part series on data privacy & its impact on digital lenders. Part 1 explores the current and proposed legislation around data privacy in India.
“The Right to Privacy is a Fundamental Right under the Right to Life” — Supreme Court, August 24th 2017
Digitisation has made collecting, storing and analysing user data much easier, but it has also given rise to concerns related to data privacy and security. Regulators in the EU countries have responded by bringing in GDPR, Indian Supreme Court has declared Right to Privacy as one of the fundamental rights. Also, players such as Google are limiting access to personal data through policy changes — Project Strobe.
What does the current data privacy law of India say?
The concepts of data privacy and data protection were given focused attention for the first time through amendment of the Information Technology Act. The amendments provide data privacy and data security support only for Sensitive Personal Data or Information (SPDI)
Businesses are required to adhere to following guidelines while handling SPDI:
Businesses should adopt reasonable data security practices for handling SPDI. IS/ISO/IEC 27001 is one of the standards specified under the rules.
Businesses need to take prior consent from data provider for collection, transfer & disclosure of SPDI
Businesses should appoint a Grievance Officer to address customer grievances related to SPDI
Why do we need a new law?
In the past few years of digital sharing economy, customer data has exchanged more hands than ever before
With almost all businesses moving online, customers are generating enormous digital footprint. This calls for a well-defined legal framework around the possible collection, processing and usage of this information.
The issue with current data privacy law is that it only applies to SPDI. With the increase in data mining capabilities, it is not that difficult to use seemingly non-sensitive personal data for identification of individuals e.g. using Facebook likes to predict sexual orientation. Thus a broad and flexible definition for “Personal Data” is crucial. This is one of the top themes in the recommendations for new privacy law.
Srikrishna Committee Report on Data Privacy
An expert committee was constituted under Justice (Retd.) Srikrishna to study and identify key data protection issues and recommend methods to address them. The committee published its 176 page report and a draft of the legislation on data protection titled Personal Data Protection Bill, 2018 bringing India one step closer to having its own data protection law. The report recommends —
The relationship between the individual (owner of data) and the service provider (processor of data) must be viewed as a fiduciary relationship
How should lenders prepare for the changes?
Leveraging customer data is crucial for lenders for a profitable delivery of digital lending experience. New regulations around data privacy would empower users with better control & visibility over their data. Thus lenders need to design user experiences which are more transparent & user-centric. We will explore more about this in Part 2 of this post.