Regulatory Sandbox of RBI and DPDPA

Yesterday, RBI also released a document titled “Enabling Framework for Regulatory Sandbox”, which inter alia attracted the interest of data protection professionals because it makes a reference to DPDPA.

RBI is a sectoral regulator, and how its regulations may overlap with DPDPA is closely watched.

Section 16(2) of DPDPA, which applies to cross-border transfer of personal data, states that…

“Nothing contained in this section shall restrict the applicability of any law for the time being in force in India that provides for a higher degree of protection for or restriction on transfer of personal data by a Data Fiduciary outside India in relation to any personal data or Data Fiduciary or class thereof”.

Since RBI already has some stricter regulations regarding transfer of data, which may be both personal and non-personal, by its Regulatory Entities (REs), it is understood that those regulations will remain.

Under Section 17(1)(b), certain provisions of Chapter II, Chapter III and Section 16 are not applicable to the processing “of personal data by … or any other body in India which is entrusted by law with the performance of any … regulatory or supervisory function, where such processing is necessary for the performance of such function”.

However, under the new Framework for the regulatory sandbox for the Fintech industry, once the sandbox scheme is approved by RBI, Fintech regulatory compliance will be supported through some relaxations by RBI.

However, the sandbox entity must process all the data in its possession or under its control with regard to Regulatory Sandbox testing in accordance with the provisions of the Digital Personal Data Protection Act, 2023. In this regard, the sandbox entity should have appropriate technical and organisational measures to ensure effective compliance with the provisions of the Act and rules made thereunder. Further, the sandbox entity should ensure adequate safeguards to prevent any personal data breach.

In the event such startups are notified by MeitY under DPDPA, Section 5, Sections 8(3) and 8(7), and Sections 10 and 11 of the DPDPA may be exempted.

Section 5 is “Notice”. Section 8(3) is accuracy and updation if the data is used for disclosure or automated decision making. Section 8(7) is data retention and erasure. Section 10 is “Significant Data Fiduciary” and Section 11 is the right to access.

A startup working inside an RBI sandbox and notified by MeitY will have the benefits of both Section 17(1)(3), with the above exemptions, and the RBI exemptions as provided under the notification.

The RBI notification reiterates that RBI will manage the Fintech regulations and MeitY will regulate the DPDPA regulations. There is no other special impact of the RBI regulation on DPDPA.

There is, however, one observation. The RBI notification is currently applicable and recognizes the existence of DPDPA, though DPDPA is yet to be notified for effect. In a way, RBI is validating the effectiveness of DPDPA even today.


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.