Data privacy issues for banking and finance companies in India

    By Kritika Krishnamurthy, AK & Partners

    Market players prefer relaxed or no regulations in the early stages of an industry. However, studies have shown that an industry booms with regulatory rollout, especially when it comes to data protection.

    When the California Consumer Privacy Act (CCPA) was introduced, fintech was wary. But statistically, loan applications to fintech, as compared to traditional banks, jumped by 19% in the mortgage markets of the US. India is on the cusp of the rollout of its online data protection regime, the Digital Data Protection Act, 2023 (DPDP), with the industry having mixed feelings and regulations on a cliffhanger as this article is written.

    Data privacy in fintech contract negotiations

    In the author’s day-to-day contract negotiations in the banking and finance space, we see one party beseeching protection or indemnity on the basis of a proposed provision of the impending data privacy regime and the party with more leverage batting it off, stating that the regulations are not in force yet. But considering vendor and partnership contracts in banking, financial services and insurance (BFSI) are generally long term, it is advisable for the industry to start playing out negotiations as though the law is already in force.

    How DPDP shall change indemnities, cybersecurity arrangements

    Kritika Krishnamurthy
    Founding Partner
    AK & Partners
    E: secretary@akandpartners.in

    This is because the DPDP proposes to shift the power dynamics of consumer data in India so subtly that the industry does not realise it yet. While consent is still necessary for any data collection, storage or processing, continued and changing terms of consent of the consumer shall govern all digital data transactions in India.

    Between the data principal (party that has originally sought consent) and the data fiduciary (acting on behalf of the data principal to collect, store or process data), no one will have the upper hand. One shall require the other, and their systems are merged so symbiotically that the flutter of the wings of a butterfly at one end can cause a typhoon (or in this case a data breach, for example) for either of the parties (not just the data principal).

    Cybersecurity and audit rights

    So, each party in the data system shall have to adequately, if not equally, protect each other’s systems and territories with mutual cybersecurity measures that flow down the value chain of data fiduciaries and consent managers.

    It is also important to start thinking about reporting systems beyond incident and audit. Reliance on certifications and independent audits needs to be increased; otherwise, the entire industry will be in a perpetual state of infosec audits – important, but not contributing any real revenue to the actual business of business.

    Consent managers under DPDP

    For the first time in the world, India proposes to regulate consent managers. Consent managers shall manage the dynamic consent of a consumer volunteering his/her data for data principals and data fiduciaries. Although their primary agreement shall be with the data principal, the entire system of data use shall not be feasible without the consent manager sharing a technological interface with the data principal’s data fiduciaries.

    Fintech contracts after DPDP rollout

    In the case of the data principal and consent manager, both shall be equally regulated so one cannot cry wolf and seek additional contractual protections. It shall be the data fiduciary, primarily the fintech in India, that shall have to put their foot down for the protection of their technology and the splashback of regulatory penalties that can flow from the new DPDP regime.

    Then there will be a contract between two data fiduciaries, which shall have to be negotiated only on the basis of what boundaries and damages have already been agreed with the data principal and consent managers.

    RBI opinion on fintech contracts with regulated entities

    Although one-sided onerous contracts may seem like risk hedging for regulated entities, they will impact growth in the long run. A word to the wise for the regulators – the inspection and audit mechanisms of the regulators in India also need to be sensitised to commercial contract negotiations.

    The expectation of having the exact regulatory language dictated in circulars is wrong. It is important that the essence and intent are captured. But regulation should not come in the way of the freedom of commercial contracts. Instead of turning regulated entities in India into “big brothers”, it is important that regulation is uniform and universal, if necessary.

    The banking, finance, insurance and fintech industries in India are on the cusp of change. Change is good – after all, as we say in India, change is the law of the universe.

    AK AND PARTNERS

    AK and Partners is a full-service corporate law firm with a strong specialisation in data privacy and protection within the financial sector, including fintech, banking, insurance, and infrastructure. We are dedicated to helping multinational companies in India navigate the complexities of data privacy regulations, ensuring compliance while fostering innovation and growth. Our expertise lies in providing tailored advisory services on data protection strategies, assisting clients in identifying critical data points, operationalising privacy measures, and drafting robust policies to mitigate risks associated with data breaches and unauthorised access.

    With a deep understanding of the intersection between data privacy laws and financial and sectoral regulations, we offer comprehensive support for cross-border data transfers, compliance with local laws, and managing regulatory inquiries. Our team ensures that clients maintain their reputations while adhering to strict legal standards. At AK and Partners, we envision becoming the leading legal innovators in the banking, financial services, and insurance (BFSI) sector by championing data privacy practices that empower businesses. We aim to transform legal challenges into strategic advantages while fostering meaningful partnerships that drive growth and innovation.

    Our commitment extends beyond immediate solutions; we strive to build a sustainable future by pioneering regulatory frameworks that enhance data security across all business operations. Together, we will navigate the evolving landscape of data privacy in the BFSI sector, equipping our clients to seize every opportunity while safeguarding their sensitive information.

    New Delhi
    C18 Third Floor, LSC 1
    C Block Market, Vasant Vihar
    New Delhi 110 057
    Contact
    T: +91 11 41727676