Divide and Destroy Policy to delay Passing of PDPB 2019

Hindustan Times has carried an article today under the title “RBI Seeks exemption from Data Protection Law”. At first glance it appears to be a serious opinion from the financial regulator, but on deeper verification it appears to be a planted story to support the views of some lobbies.

Given an opportunity, there is no doubt that even Facebook would want to be exempted from the Data Protection Law, and maybe even other organizations. Just as the Parliament session is about to commence on September 14th and we are expecting that the JPC would place its recommendations to get the Personal Data Protection Bill 2019 (PDPB 2019) to the next stage, HT’s article suggests that there is an attempt to sow dissent among the regulatory agencies.

In the next few days we may expect articles suggesting that even TRAI, IRDAI, SEBI, etc. would all like to be exempted from the PDPA.

It appears that this article is part of the propaganda unleashed to scuttle the passage of the Bill. In all probability this could be a fake story published to stir up a controversy.

The approach of PDPB is similar to GDPR in that it is not a sectoral approach to Privacy protection but an across-the-board approach. It will affect Financial Information, Health Information, stock market information, etc. To some extent it will disrupt the existing regulators. But this is natural and inevitable. In fact PDPB is a continuation of ITA 2000/Section 43A, and hence there is no reason why RBI, which was comfortable all these years when 43A defined financial information as “Sensitive Personal Information”, should raise an objection now.

In all probability the views expressed in the article are not those of RBI. In fact RBI was more stringent regarding data localization, and PDPB is far more lenient.

There is a strong lobby of credit card processors led by NASSCOM which does not want “Financial Information” to be within the PDPB. The reason is that Financial Information is the most valuable personal information, and several organizations are making money by processing the information in a manner which PDPB will not allow.

PDPB does not exempt even the DPA from the provisions of being considered as a Data Fiduciary and there is no reason why RBI or any other organization should seek exemption. It is also not clear why RBI should be concerned since the personal data it handles is minimal and is restricted to that of the employees. It is the individual Banks who would be subject to PDPB and hence RBI need not worry about any serious disruption of its activities.

When RBI collects any financial information of a data subject, it may come through a Bank, and hence its role may be only that of a data processor. Also, most of the time the data is used for monitoring the security of financial transactions as well as for statistical purposes, and hence PDPB has in-built exemptions for RBI.

There are several other points mentioned in the article as if they are stated by some anonymous representative of the RBI. It is however more likely that this is a planted story of some vested interests who are worried about the loss of their commercial opportunities to exploit the financial data of individuals.

The report is also false when it mentions that “Data Retention Norms” are mentioned in PDPB. There are no such norms, and RBI’s regulations will determine how long Banks keep the personal data. Similarly, it is wrong to say that PDPB does not allow storage of payment data abroad, at least in the current version. It only says that a copy should also be kept in India.

RBI’s role is as operator of RTGS and NEFT, which are technology platforms managed through the Banks, and hence the role of RBI is only that of an intermediary through which the data passes and not that of a Data Fiduciary.

The report therefore needs to be ignored as yet another attempt by lobbyists to check the passage of PDPB in the current session. It would be advisable for RBI to state officially whether the comments attributed to it in the article are the official views of the RBI.

Just as the CDS has to manage the relationship with the three service chiefs, the regulators like RBI, IRDAI, TRAI, SEBI etc., need to manage the relationship with the DPA and unless there are ego issues, senior people should be able to manage the overlapping issues that may come from time to time.

It is unfortunate that the media is trying to create a divide between RBI and the Government to help some industry interests to prevail.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.