Data Privacy in the Age of Micro-lending Apps

Welcome to the digital age, a world where technology and data are fast becoming the coveted Holy Grail. Whoever holds the most advanced means of innovation and data optimization ability today definitely holds the keys to tomorrow. With the global business sphere pressing towards digitisation and remotely-operated virtual offices due to the advent of the Covid-19 pandemic, the risks of data manipulation, theft, and sabotage have also multiplied considerably. Therefore, the need to implement critical data privacy laws to secure and streamline the data collection process is of utmost essence.

This process involves a number of aspects such as directing the collation of data from various digital channels, notifying the data-subjects and maintaining the degree of control a data-subject is allowed once their credentials have been transferred unto the digital plane. In case, a certain organization or service provider’s website is unable to meet the privacy standards set by the regulatory bodies, it may invite numerous fines, law suits, or even long-term bans on the website’s operation across various parts of a region.

Article 21 of the Indian constitution explicitly underlines the fact that the right to privacy is a basic human right of every citizen. The historic judgment delivered by the nine-judge bench led by Justice K.S Puttuswamy vs. the Union of India further mandated the ‘right to privacy’ as an innate element of Part 3 of the Constitution of India.

In stark contrast to developed and developing economies, India still has not put in place a well-structured and independent personal data protection law to secure personal data or information in the oral, written, or digital form. The existing laws in the country are still in a nascent form and are present mostly as a combination of rules, regulations and statutes.

The most crucial constitutional provisions for ensuring digital privacy are the Information Technology Act, 2000 (as amended by the Information Technology Amendment Act, 2008) combined with the Information Technology [Reasonable Security Practices and Procedures and Sensitive Personal Data or Information] Rules, 2011 (SPDI Rules). It is the primary law in India that has been devised to counter cybercrime and unwanted turbulence in the e-commerce vista.

Correspondingly, section 43A of the IT Act attributes liability on a corporate body (including a firm, sole proprietorship or other association of individuals associated with commercial or professional endeavours) which holds, deals or handles any sensitive personal data or information in a computer resource that it owns, controls or operates to extend damages through recompense, to the person affected if there is any wrongful loss or wrongful gain to any person caused because of the negligence in implementing and maintaining reasonable security practices and procedures to protect the information of the person impacted.

To that end, the Personal Data Protection Bill, 2019 was inaugurated in Lok Sabha by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad, on December 11, 2019. The Bill sought to safeguard the personal data of individuals, and create a Data Protection Authority for the same.  The Bill warrants processing of data by fiduciaries only if due consent is offered by the individual. Nevertheless, in certain cases, personal data may also be processed without sanction.  These are: (i) if required by the State for extending benefits to the person, (ii) legal proceedings, (iii) in response to a medical urgency.

The US boasts of hundreds of data privacy and security laws distributed across numerous states, territories, and localities alongside the already established federal laws and regulations. Currently, about 25 US state attorney generals preside over these data privacy laws that oversee the collation, storage, protecting, disposal, and use of personal data taken from their residents, especially regarding data breach notifications and the safety of Social Security numbers. With relation to their scale and ambit, some are pertinent only to governmental entities while some concern only private bodies and some are valid for both.

The Data Privacy Policies Framework has evolved tremendously on US soil and is considered a worthy benchmark for other nations to emulate.  The vast gamut of private and federal privacy policies adhered by American fintech companies believe in maintaining the highest regard to the data privacy of their customers. Take for instance; the Fintech companies in the state of California extend a number of crucial privacy options to their users such as:

• seeking consent before information sharing with third party leaders
• the right to restrict data sharing with companies that are affiliated
• the ability for users to change personal data and have their information secured
• allow users the right to opt for data obliteration
• the right to opt out of sale of personal information
• right to non-discrimination and exercise individual rights enlisted under CCPA
• the right to assign an authorized representative who is authorized to act on the user’s behalf

The Data Privacy scene in India is still at a nascent stage. As far as our country’s microfinancing sector is concerned, the Microfinance Institutions (Development and Regulations) Bill proved to be ground-breaking in terms of combining the bulk of microfinance policies in the country under the supervision of the Reserve Bank of India.  This has further triggered the expansion and appliance of those dynamic consumer protection policies within the microfinance system that were previously developed and pulsating within the country’s banking framework. 

A bulk of the next gen dedicated microfinancing enterprises in India strongly adhere to the pre-set rules and regulations imposed by the country’s Personal Data Protection (PDP) Bill such as:

• Warranting that personal data is processed only after explicit consent is granted by the data principal at the onset of the process.    

• Ensuring that personal data is collected only to the point that is necessary for instigating the data processing operation. This drives home that no data is processed without declaring its causal intention.    

Presently, the government must initiate efforts in the right direction and alter rules into laws as the need for robust and resilient data privacy guidelines have never been higher than in contemporary times. This is a must for shielding and fortifying the critical data and information of individuals and organizations with calibrated efficiency. 

The author is co-founder & CEO, Smartcoin

DISCLAIMER: Views expressed are the author's own, and Outlook Money does not necessarily subscribe to them. Outlook Money shall not be responsible for any damage caused to any person/organisation directly or indirectly.