11/30/2014

India's Data Protection Rules And Their Impact On The Banking And Financial Services Industry - Data Protection - India

India: India's Data Protection Rules And Their Impact On The Banking And Financial Services Industry

Last Updated: 10 April 2012
Article by Kartik Maheshwari, Gowree Gokhale and Huzefa Tavawalla
Nishith Desai Associates


Reproduced with permission from World Data Protection Report, 09/23/2011. Copyright © 2011 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

According to a report by global management consultancy McKinsey & Co., as many as 7 percent of bank account holders in India conduct banking transactions online, which represents a sevenfold jump since 2007, whereas branch banking has fallen by 15 percent. Furthermore, it is envisaged that non-traditional forms of banking are going to rise, with an increasing number of banks introducing novel platforms such as tele-banking, mobile banking, etc., to provide ease and convenience to their customers.

Usage of the internet and electronic media for conducting business, especially financial transactions, prompted the Government of India to enact the Information Technology Act, 2000 ("Act"). The Act provides for recognition of electronic signatures, e-documents and e-transactions, and seeks to control offences conducted over the internet. Also, post 2001, the Reserve Bank of India introduced guidelines governing internet banking, confidentiality, anti-money laundering and know-your-customer norms, which may have prompted customers to move towards the e-platform, albeit with some concerns with respect to the privacy and security of their banking transactions.

In view of the growing outsourcing industry and e-commerce environment, the Government attempted to introduce a separate bill called the "Personal Data Protection Bill 2006" to protect the privacy of individuals, but the bill was not passed into law. In the meantime, the Act was amended in 2008 to include Section 43A and Section 72A to protect personal data ("PI") and sensitive personal data and information ("SPDI").

Recently, effective April 11, 2011, the Government also brought into effect certain rules to support the said provisions ("Rules") (see analysis at WDPR, May 2011, page 11).
Sensitive Personal Data or Information (SPDI)

Any information, not freely available, relating to a person's password, financial information, health condition, sexual orientation, medical records and history, biometric information, or any detail relating to the above clauses as provided to a body corporate for providing a service or for processing, stored or processed under lawful contract or otherwise, is defined as SPDI.
These Rules apply to bodies corporate or persons located within India and relate to information of natural persons.

Since banks collect SPDI, they need to comply with the Rules, which lay down certain procedures to be followed at the time of collection of data, transfer of data, and disposal of data, and to maintain relevant security practices and procedures. In the event a bank is negligent in implementing and maintaining "reasonable security practices and procedures" in relation to SPDI, which causes "wrongful loss or wrongful gain" to any person, then the bank is liable to pay compensation to the affected person whose SPDI was compromised. The aggrieved person claiming compensation may approach an adjudicating officer appointed under the Act in the case of damages of up to Rs. 5 crores (approximately U.S. $100,000) or the civil court in case the damages claimed are above Rs. 5 crores (approximately U.S. $100,000).

The Rules lay down different levels of compliance required to be adhered to:

Privacy Policy

The bank, or a person on behalf of the bank, that collects, stores, deals with, or handles SPDI is required to have a privacy policy in place with the prescribed details. Such privacy policy should be available on its website for review by the provider of the information. This may in some cases apply even when the information belongs to a person located in India and is collected by a bank outside India using an Indian computer resource.

Consent

While collecting SPDI, the bank must seek express written consent from the provider of information via a letter, fax or email, or consent given by any mode of electronic communication, in relation to the purpose for which SPDI may be used. The provider of information must also be given an option to withdraw such consent and must have knowledge and/or be provided information as to 1) the fact that information is being collected, 2) the purpose for which it is being collected, 3) the intended recipients of the information, and 4) the name and address of the agency that is collecting and/or retaining the information. This provision is likely to create practical difficulties, as at the time of collection of information banks may not have finalized arrangements with third party vendors with whom the information may be shared, or when the bank changes its vendor(s).

Transfer and Disclosure

Disclosure of SPDI to a third party requires prior written approval of the provider unless such disclosure has been agreed to in the contract between the bank and the provider of information. The exceptions are:

- where the disclosure is necessary to be in compliance with law, or
- where the disclosure is necessary for government agencies mandated under law to procure such information.

Further, banks may transfer SPDI to any third party that ensures the same level of data protection that is adhered to by the bank as provided for under the Rules. Such transfer may be allowed only if it is necessary for the performance of a lawful contract between the bank and the provider of information, or where the provider of information has consented to such transfer. Therefore, banks will have to ensure, through an audit process or otherwise, that the transferee of the information also adheres to the Rules.

Reasonable Security Practices

Banks need to comply with "reasonable security practices and procedures" designed to protect SPDI from unauthorized access, damage, use, modification, disclosure or impairment. In case there is an agreement between the parties in relation to practices and procedures, or there is an applicable law, then the same would govern. In the absence of either, International Standard IS/ISO/IEC 27001 on "Information Technology - Security Techniques - Information Security Management System - Requirements" would apply. Best code practices other than IS/ISO/IEC 27001, as approved by the Government of India through any industry body, may also be adopted in the absence of an agreement or law.

In light of the above, a few basic issues with respect to data privacy that may arise in relation to the banking and financial services industry are as follows:

Opening of a Bank Account

At the time of opening of the bank account, the customer shares his or her information as per the prevalent know-your-customer norms (name, address, PIN number, etc.) with the bank. At that stage the bank, in addition to complying with the prescribed Reserve Bank of India regulations, will also have to comply with provisions relating to privacy policy and consents under the Rules.

Sharing of Information with Third Parties

Throughout the conduct of banking activities, banks share SPDI with third parties, requiring compliance with the transfer and disclosure provisions stated in the Rules. Some of the instances where SPDI is shared with third parties are:

- Bank Accounts: Upon allotment of a bank account, credit or debit cards, a cheque book, an ATM PIN, etc., are printed and dispatched to the customer. This activity in most cases would be outsourced by the banks.
- ATMs: To increase operations and expand consumer reach, banks avail of services of third parties for access to a shared ATM network. While conducting such activities, SPDI is also shared with third parties by the bank.
- Co-Branded Cards: When marketers tie up with banks to issue co-branded cards which enable the accruing of reward points on the basis of usage of such cards, information such as name, address, spending pattern, etc., may be shared between the bank, the marketers and merchants.
- Internet Banking: When an e-banking facility is outsourced, customer information (SPDI) may be saved, stored or retained by third parties.
- Business Correspondents: With the objective of ensuring greater financial inclusion and increasing the outreach of the banking sector, the Reserve Bank of India decided (see Circular on Financial Inclusion by Extension of Banking Services - Use of Business Facilitators and Correspondents [RBI/2005-06/288]) to enable banks to use the services of non-governmental organisations/self-help groups (NGOs/SHGs), micro-finance institutions (MFIs) and other civil society organisations (CSOs) as intermediaries in providing financial and banking services through the use of the business correspondent ("BC") model. Rather simply put, a BC is an affiliate of the bank, providing certain approved services on behalf of the parent bank in areas where no branch or ATM of the bank exists. These BCs are allowed to perform a number of functions, including disbursal of small value credit, collection of small value deposits, sale of mutual fund products and receipt and delivery of small value remittances. Therefore, these BCs are intermediaries of banks and would need to adhere to the Rules if any information is transmitted or processed in a non-physical format.

Payment Gateways

Payment gateways facilitate the transfer of information between a payment portal (such as a website, mobile phone, etc.) and the bank. Since the payment gateway operators will be validating payment transactions on the basis of information provided by the customer (CVV number, credit card number, date of expiry, etc.), they would need to have in place mechanisms to ensure data security protection as per the Rules.

Tele-Banking/Mobile Banking

Whenever a customer calls a tele-banking number or undertakes banking activities through his or her mobile phone, he or she must share unique identifiable information like his or her account number (SPDI), without which he or she does not gain access to these services. As per the Act, "Communication Device" includes cell phones, personal digital assistants, or a combination of both, or any other device used to communicate. Thus, tele/mobile banking may also fall within the ambit of the Rules, and would therefore require specific compliance as soon as the customer avails of such services.

Apart from the Rules in relation to SPDI, the government has also issued rules in relation to intermediaries. In the event any banking and financial services industry entity acts as an intermediary, the Rules would be required to be adhered to by such intermediary.

Way Forward

Though these Rules are being applauded by civil rights activists who appreciate the move to protect the privacy of individuals, industry players, on the other hand, argue that such onerous compliance requirements would be an additional burden on them. Section 43A does not set a maximum cap in relation to the compensation which would be required to be paid, and essentially represents "unlimited liability" for companies.

The Government of India on August 24, 2011, issued a clarification that these Rules would apply only to bodies corporate or persons located within India (see http://www.mit.gov.in/sites/upload_files/dit/files/PressNote_25811.pdf). However, there still exist concerns over the possible extraterritorial ramifications that these Rules may have. For example, if a bank is located abroad but is collecting information from customers located in India via a computer resource located in India, would the provisions of the Act apply? It will be interesting to see if the regulators or the judiciary interpret the Rules so as to make a bank located outside India liable for contravention of the Act, when the Rules per se are not applicable to such banks.

Lastly, since these Rules are fairly new, there is no established jurisprudence on this subject. Thus, it is recommended that the banking and financial services industry tread carefully and revisit its existing business models to determine the various levels at which data is collected, received, possessed, stored, dealt with or handled, so as to ensure relevant compliance as specified in the Rules.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 are available at http://op.bna.com/pl.nsf/id/byul8gypzn/$File/IndiaIndia.pdf.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
Mondaq Ltd 1994-2014. All Rights Reserved.