FINANCIAL DATA PROTECTION FRAMEWORK – A JURISDICTIONAL ANALYSIS

This article has been authored by Priyal Reddy & Nayankikaa Shukla, students of National Law Institute University, Bhopal

Introduction

Ever since the ground breaking judgment on privacy i.e. Justice K.S. Puttaswamy (Retd.) v. Union of India[1] was delivered, data privacy and protection has become a hot topic in India. Everything around us is data, right from our names to our biometric information. Anything which can be used to profile our personality is data; better known as ‘Personally Identifiable Information’ (“PII”). Lately, the Government of India has started paying attention to the numerous threats and breaches relating to data security in the country. Divulging PII during transactions has become common to businesses all over the world; hence data breach has become a growing concern, especially in industries such as hospitality, retail and the financial sector, which collect personal information from customers for its day to day functioning. According to a report on 'Breach Level Index' by the global digital security firm Gemalto, identity theft and unauthorised access to financial data were the leading type of data breaches, accounting for 73% of all data theft in 2019.[2] From the data collected on the top ten data breaches in the USA since 2007, 6 out of 10 data breaches were at financial service firms causing a loss as high as 10 Million US$[3]. In the light of all this, the Personal Data Protection Bill (“PDP Bill”) was introduced in the Lok Sabha in December, 2019.

The PDP Bill seeks to provide for the protection of personal data of individuals in almost all possible sectors including the Financial Sector. The Bill classifies data into three types - Personal Data, Sensitive Personal Data (“SPD”) & Critical Personal Data. According to the Bill, SPD means such personal data which may reveal, relate to or constitute financial data, health data, biometric information, sexual orientation, etc.[4] Under the PDP Bill, Financial Data means “any number or other personal data used to identify an account opened by, or card or payment instrument issued by a financial institution to a data principal or any personal data regarding the relationship between a financial institution and a data principal including financial status and credit history”.[5] Not only this but a surge of other PII is used by the Financial Sector in the name of financial data and record keeping. Although India is lagging in the race of establishing a steady data protection regime in the country, it has taken up a unique spot by categorising financial data as SPD. This might prove to be a welcoming move in the path to tackle the various problems of data breach in the financial sector.

Brief Analysis of treatment of Financial Data across different Countries

i. European Union– General Data Protection Regulation

As the world economies increasingly adopt data based transactions, the need for a protective framework for maintaining the anonymity of such data increases too. The European Union (“EU”) is the torch bearer in the field of data privacy regulations and has created one of the finest data protection regulations in the world. On May 2018, the long-awaited and much debated General Data Protection Regulation (“GDPR”) came into force, thereby updating privacy regulations throughout the EU and at the same time impacting businesses across the globe. GDPR lays out the basic premise that individuals should have control over their own data while regulating the financial institutions and other organizations seeking to store, process or transmit that data.[6]

GDPR is said to be the mother ship for almost all the data privacy regulations worldwide. It covers all 27 states of EU within its ambit, while also regulating all organisations collecting information of residents of these members (even outside their borders). It can be safely said that the PDP Bill is largely based on the principles of GDPR and the same can be supported with the evident similarities between the two regimes like their approaches to defining personal data, their articulation of the rights of data principals, recognition of data protection principles (such as purpose and storage limitation) and approach towards enforcement.[7] GDPR classifies personal information into two categories – the first includes ‘personal data’ that can be used to identify a person, as defined under Article 4,[8] and the second category includes ‘private information’ about an individual such as their religious beliefs, sexual orientation, biometric information, etc. as defined under Article 9.[9] Financial data is categorised as a subset of ‘personal data’, however the same is not expressly provided under the legislation.

Despite adopting a protective approach towards data privacy, the European Union has not included financial data in the category of “Sensitive Personal Data”.[10] This reduces the extraneous compliance hassles and eases transactions. However, even for protection of personal data, the present set of norms under GDPR place heavy burden on the financial sector, so this classification is of little benefit to them.

Considering that financial service institutions frequently and extensively deal with personal data, they are required to comply with the norms laid out in the national legislations as well as the GDPR. The approach of most of these legislations is proactively protective, and they require that all companies and authorities in possession of personal data maintain data protection “by design and by default”.[11] Noncompliance results in hefty amounts of fine to the tune of 2-4% of the annual turnover of the companies or €10-20 million, whichever is higher.[12] The subsequent loss of business and goodwill is an additional penalty to noncompliant institutions.

While this protective system of governance is beneficial for the customers who give their personal information, voluntarily or involuntarily, to such institutions, the burden of compliance increases manifold as they are expected to comply with GDPR as well as the national legislations of the countries wherein they carry out their business. For instance, an institution operating within the United Kingdom must comply with the GDPR as well as the Data Protection Act, 2018[13]. If such institution engages in cross border data transactions to other countries, it would be required to comply with the data protection norms of that country as well. This also applies extraterritorially to organisations if they are processing personal data of citizens of EU member states, either for offering goods and services or for monitoring their behaviour.[14]

ii. United State of America

The legislative framework for the protection of PII in the USA resembles a patchwork art piece. Unlike other jurisdictions, the US does not have a single dedicated data protection law at the federal level, but instead different states regulate privacy primarily by industry, on a sector-by-sector basis.[15] In the context of financial sector, the Consumer Financial Protection Bureau and various financial services regulators have adopted standards pursuant to the Gramm-Leach-Bliley Act (“GLB”) that prescribe how firms, subject to their regulations, may collect, use and disclose non-public personal information.[16] It applies to “financial institutions”, which is broadly defined as ‘any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956’.[17]

Apart from the GLB, there are various other legislations such as Fair Credit Reporting Act that bear restrictions on use of information relating to an individual creditworthiness and other associated data.[18] Speaking of state laws, the recently enacted Californian state law- California Consumer Privacy Act is said to be based on the GDPR model.

Since there is no one dedicated law, the definition of PII also keeps modifying while moving from legislation to another, but all of them cover identifying and transactional information. The personal information covered by the GLB is termed ‘Non-public Personal Information’ (“NPI”) which means ‘personally identifiable financial information’[19]and generally relates to regulating (1) sharing NPI with third parties, (2) providing privacy notices to consumers, and (3) securing NPI from unauthorized access.[20] The GLB also has restrictions similar to the GDPR and the PDP Bill and levies restraints on usage and transfer of PII.

The one recurring problem that exists with GDPR can also be seen in the US privacy laws, and that is extra territorial compliance. The businesses working in the US have to comply with the federal law as well as the state law, increasing the cost of data compliance. Not only this, but similar to GDPR, the US data protection laws also extend to businesses in other jurisdictions who collect, store and process data of US residents.[21] Because of this, the cost of compliance increases manifold as the organisations have to comply with multiple laws at the same time, in a recent report it was found out that companies spent more than $82 billion on compliance solutions and experts believe the costs to increase further in the coming times.[22]

In order to facilitate cross border data transfer and support trade, The U.S. Department of Commerce, the European Commission and Swiss Administration together designed the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.[23]The primary aim of this agreement was to promote transatlantic trade and commerce. By this agreement, compliance requirements of privacy laws of all countries involved are clearly laid out in a financially feasible manner.

However, this privacy shield does not cover transfer of financial data, therefore, financial institutions involved in business in these countries cannot benefit from this shield. To remedy the situation and bring forth a uniform national law on data privacy, the central government of USA has proposed making significant strides in reforming the existing data privacy laws. However, a study by Information Technology and Innovation Foundation shows that if a federal legislation is passed along the lines of GDPR or the California Consumer Protection Act (CCPA), the economy would be severely impacted and would suffer a blow as huge as $122 Billion.[24] However, if the said federal law only lays down targeted norms for data privacy, it would encourage business as well as consumer protection while being cost efficient at the same time.

iii. India

The data protection regime in India is still at incubation stage. But even before the PDP Bill was introduced in the Lok Sabha, the Reserve Bank of India (“RBI”) had issued a notification on 6 April, 2018 on the issue of ‘Storage of Payment System Data’.[25] As per RBI, not all system providers store payments data in India, hence the need for supervisory access to data stored with these system providers was felt strongly. The notification asked all the system providers to ensure that the entire data relating to payment systems operated by them are stored in a system only in India. This data should include the full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction, etc.[26] The notification creates an exception and allows the storage of a copy of payments data abroad, but the PDP Bill has gone one step ahead and says once processing has been completed even the payments data should be brought back to India within 24 hours.[27]

Through the PDP Bill, India took a leap in financial data security and defined the term ‘financial data’ exhaustively. The definition[28] is very broad in nature and includes information used to open an account as well as the credit history and the financial status of the customer. Such a widened definition will certainly pose problems in management of data related fraud.

The Bill doesn’t specifically define what can be PII, hence covering all the three categories i.e. Personal data, sensitive personal data and critical personal data under PII. It classifies financial data as Sensitive Personal Data (SPD), requiring it to be treated with much more caution with respect to its processing and transfer.[29]

Classifying financial data as SPD places unnecessary burden of compliance requirements on companies. This impact of this classification can only be realised in the coming days, although it can be safely said that this would increase the cost of availing financial services. A company would be required to obtain explicit consent from the customers to store basic information for their database;[30] for this, they would also have to inform the customers about the processing of their data at every step which would invariably increase the burden and would slow down the process. This would, in turn, hamper business operations and is also cost inefficient. To make this classification of data and the compliance norms thereof more practical and feasible for companies, the Bill should make a clear demarcation of classification and also consult the stakeholders i.e. the financial service providers for the same.

Recently, the Reserve Bank of India (RBI) released a note seeking exemption from the PDP Bill. The note states that RBI has regular dealings in 'financial data' and the data retention period in the Bill does not align with RBI circulars for data storage. In the note, the RBI also cited Bank of England to be in exemption of the Data Protection Act, 2018 and the GDPR. Notably, this move of keeping the central bank of the country within the purview of the Bill is an unprecedented move with has the potential of causing a “dampening effect” on India’s effort at financial inclusion. The government must take RBI’s concerns into account and create a framework that allows more autonomy in the hands of the service providers.

Additionally, under the Bill, each company would be required to prepare a 'Privacy by Design' policy, much like the ‘by design and by default policy’ of GDPR. This policy must get the approval of Data Protection Authority of India and a certificate would be issued by the Authority. The policy is expected to substantiate the managerial, organisational, business practices and technical systems that a company has designed to anticipate, identify and avoid harm to the person whose data is being processed.[31] This compliance would come at a substantial cost. Further, considering the state of bureaucracy in India, there is a huge possibility of excessive delays in the process of certification and thus, business would be adversely affected.

Conclusion

Protection of personal data and the right to privacy is one of the most important facets to an individual’s wellbeing in the current technology driven world. After the implementation of GDPR, states all across the world are updating their data protection regimes, thereby making extensive compliance norms for every possible sector. But the problem of double jurisdiction or excessive compliance exists and directly hampers the ease of doing business. In today’s globalisation driven era, financial organisations are not limited to a single state or jurisdiction, but are rather widely spread across make availability of financial services easier. But as already discussed, this increases the cost of compliance due to the problem of multiple jurisdictions and state specific laws. For e.g. under GDPR, the maximum penalty for data breach is 4% of the turnover or 20 million pounds, whichever is higher[32]. Now in case of a breach, the Data Protection Authority (“DPA”) can levy a fine and as well as the state’s local financial officer like the Financial Conduct Authority (“FCA”) for UK. Therefore, Post-Brexit, a transgressor could face a double fine if the breach affected UK and EU citizens: a fine from an EU DPA and one from the UK’s FCA.[33]

The strict data compliance regulations have also increased the organisation’s cost as now there is need for data protection officers and data privacy managers, and firms have a hard time meeting these requirements. All this increased cost would have a direct impact on availing financial services, as the organisations would seek to cover these costs from the consumers in one way or another. The results of increased compliance for financial data privacy will have a strict effect on the amount of data breaches, but this intra and extra territorial compliance requirements might just negate the positive effects.

Having multiple laws also has its effects on consumers, as companies complying with different laws send an update to consumer each time asking them to share their details or opt out of services. But all this to what avail; most of the consumers don’t read the terms and conditions or permission notices before opting for a service. In a recent survey conducted by Deloitte, it was found that 91% of people consent to legal terms and services conditions without actually reading them[34]. Hence this leads us back to the same question, does this excessive compliance in the financial industry would actually show promised results or would lead to increased costs to both service providers and consumers?

To strike a balance between consumer data protection and business is considerably important. Excess of regulation might hamper business while too less of it might lead to data fraud and mismanagement. Ergo, governments should be extremely mindful of the far reaching impact such laws would have on the industry and consider its effect on all stakeholders. The new framework must allow more discretion to the financial sector to provide their services practically and efficiently, thus benefiting the customers.

[1] Justice K. S. Puttaswamy v. Union of India, (2017) 10 SCC 1. [2]36.6 Million Data Records Were Breached In 33 Data Breaches In India Last Year, 3 April 2017, available at: https://www.firstpost.com/tech/news-analysis/36-6-million-data-records-were-breached-in-33-data-breaches-in-india-last-year-3700421.html. [3]Data Privacy in the Financial Services Industry, available at: https://www.capgemini.com/wp-content/uploads/2017/07/Data_Privacy_in_the_Financial_Services_Industry.pdf. [4] Clause 3(36) of the Personal Data Protection Bill, 2019. [5] Clause 3(18) of the Personal Data Protection Bill, 2019. [6] Finance and GDPR: What You Need To Know, available at: https://cdw-prod.adobecqms.net/content/dam/cdw/on-domain-cdw/tech-solutions-library/security/gdpr-finance-wp.pdf. [7]Arun Parbhu & Samraat Basu, India: Comparing the Personal Data Protection Bill 2018 with the GDPR, December 2018, available at: https://www.dataguidance.com/opinion/india-comparing-personal-data-protection-bill-2018-gdpr. [8] Article 4 of the General Data Protection Regulation, 2016. [9] Article 9 of the General Data Protection Regulation, 2016. [10]Phil Lee, Getting to know the GDPR, Part 1 - You may be processing more personal information than you think, 12 October 2015, available at:https://www.fieldfisher.com/en/services/privacy-security-and-information/privacy-security-and-information-law-blog/getting-to-know-the-gdpr-part-1-you-may-be-processing-more-personal-information-than-you-think. See also https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML. [11]Article 25 of the General Data Protection Regulation, 2016. [12] For some interesting examples of cases of violation of GDPR, visit https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2020/. [13]Data Protection Act, 2018, available at: https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted. [14]Does the GDPR apply to companies outside of the EU, available at: https://gdpr.eu/companies-outside-of-europe/?cn-reloaded=1. [15]Aaron P Simpson & Lisa J. Sotto, Data protection and privacy in USA, 27 August 2019, available at: https://www.lexology.com/library/detail.aspx?g=076d0ed2-364a-4187-9c88-14074c473e55. [16]Ibid. [17] Section 509(3)(A), The Gramm-Leach-Bliley Act, 1999. [18] Tim Hickman and Detlev Gabel, Data Protection Laws and Regulations 2020, 6 July 2020, available at: https://iclg.com/practice-areas/data-protection-laws-and-regulations/usa. [19] Todd Nunn, Protecting customer data under the Gramm-Leach-Bliley Act, 12 March 2007, available at: https://www.insurancejournal.com/magazines/mag-legalbeat/2007/03/12/77898.htm#:~:text=The%20personal%20information%20covered%20by,consumer%3B%20or%20otherwise%20obtained%20by. [20]Section 509(4), the Gramm-Leach-Bliley Act, 1999. [21] Supra Note 18. [22]Samantha Ann Schwartz, Confidence in breach response low as privacy fines sink into companies, 04 March 2020, available at: https://www.ciodive.com/news/data-breach-privacy-fines-GDPR/573413/. [23]Privacy Shield Overview, available at: https://www.privacyshield.gov/Program-Overview. [24] Alan McQuinn and Daniel Castro, The Costs of an Unnecessarily Stringent Federal Data Privacy Law, 05 August 2019, available at: https://itif.org/publications/2019/08/05/costs-unnecessarily-stringent-federal-data-privacy-law. [25]Reserve Bank of India, Notification, Storage of Payment System Data, RBI/2017-18/153 (issued on 06 April 2018). [26] Supra Note 25. [27]RBI seeks exemption from data protection law, Hindustan Times, 10 September 2020, available at: https://www.hindustantimes.com/india-news/rbi-seeks-exemption-from-data-protection-law/story-kwQzNs614s0C56VK6HTCJP.html. [28] Supra note 5 [29]Clause 3(18) of the Personal Data Protection Bill, 2019. [30]Clause 11 of the Personal Data Protection Bill, 2019. [31]Goutam Das, Personal Data Protection Bill to burden firms with long-drawn, expensive compliance process, 11 December 2019, available at:https://www.businesstoday.in/current/economy-politics/data-protection-bill-to-burden-firms-with-long-drawn-expensive-compliance-process/story/391902.html. [32]Article 83(5) of the General Data Protection Regulation, 2016. [33]Report on the impact of GDPR on financial services, page 15 of the report, available at: https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/risk/deloitte-uk-the-impact-of-gdpr-on-the-financial-services.pdf. [34]Gayathri Murthy & David Medine, 20 December 2018, Data protection and financial inclusion: Why consent is not enough? available at: https://www.cgap.org/blog/data-protection-and-financial-inclusion-why-consent-not-enough.