- Home
- News
- Articles+
- Aerospace
- Agriculture
- Alternate Dispute Resolution
- Banking and Finance
- Bankruptcy
- Book Review
- Bribery & Corruption
- Commercial Litigation
- Competition Law
- Conference Reports
- Consumer Products
- Contract
- Corporate Governance
- Corporate Law
- Covid-19
- Cryptocurrency
- Cybersecurity
- Data Protection
- Defence
- Digital Economy
- E-commerce
- Employment Law
- Energy and Natural Resources
- Entertainment and Sports Law
- Environmental Law
- FDI
- Food and Beverage
- Health Care
- IBC Diaries
- Insurance Law
- Intellectual Property
- International Law
- Know the Law
- Labour Laws
- Litigation
- Litigation Funding
- Manufacturing
- Mergers & Acquisitions
- NFTs
- Privacy
- Private Equity
- Project Finance
- Real Estate
- Risk and Compliance
- Technology Media and Telecom
- Tributes
- Zoom In
- Take On Board
- In Focus
- Law & Policy and Regulation
- IP & Tech Era
- Viewpoint
- Arbitration & Mediation
- Tax
- Student Corner
- ESG
- Gaming
- Inclusion & Diversity
- Law Firms
- In-House
- Rankings
- E-Magazine
- Legal Era TV
- Events
- News
- Articles
- Aerospace
- Agriculture
- Alternate Dispute Resolution
- Banking and Finance
- Bankruptcy
- Book Review
- Bribery & Corruption
- Commercial Litigation
- Competition Law
- Conference Reports
- Consumer Products
- Contract
- Corporate Governance
- Corporate Law
- Covid-19
- Cryptocurrency
- Cybersecurity
- Data Protection
- Defence
- Digital Economy
- E-commerce
- Employment Law
- Energy and Natural Resources
- Entertainment and Sports Law
- Environmental Law
- FDI
- Food and Beverage
- Health Care
- IBC Diaries
- Insurance Law
- Intellectual Property
- International Law
- Know the Law
- Labour Laws
- Litigation
- Litigation Funding
- Manufacturing
- Mergers & Acquisitions
- NFTs
- Privacy
- Private Equity
- Project Finance
- Real Estate
- Risk and Compliance
- Technology Media and Telecom
- Tributes
- Zoom In
- Take On Board
- In Focus
- Law & Policy and Regulation
- IP & Tech Era
- Viewpoint
- Arbitration & Mediation
- Tax
- Student Corner
- ESG
- Gaming
- Inclusion & Diversity
- Law Firms
- In-House
- Rankings
- E-Magazine
- Legal Era TV
- Events
The Reserve Bank of India (RBI) has sought exemption from the country's proposed Personal Data Protection Law for its regulatory, policy, and supervisory functions, and also does not want financial data of individuals to be classified as sensitive personal data, according to sources.The RBI has reportedly said that "We would request that the monetary, regulatory and supervisory functions of...
ToRead the Full Story, Subscribe to
Access the exclusive LEGAL ERAStories,Editorial and Expert Opinion
The Reserve Bank of India (RBI) has sought exemption from the country's proposed Personal Data Protection Law for its regulatory, policy, and supervisory functions, and also does not want financial data of individuals to be classified as sensitive personal data, according to sources.
The RBI has reportedly said that "We would request that the monetary, regulatory and supervisory functions of the RBI, as well as its role as the operator of payment systems, may be exempt from the purview of the Bill." It added that treading financial data as sensitive personal data may have a "dampening effect" on India's efforts at financial inclusion.
The banking regulator routinely deals with lots of data on banks and financial institutions in its role as a regulator and supervisor, it has data on senior bank employees; it has data on the clients of banks, and much of this is needed to ensure compliance, prevent frauds, and ensure the smooth running of the system.
The RBI has also suggested that instead of the Central government, "sectoral regulators be given the power to classify personal data as critical." Any critical data, according to the proposed act, can be processed only in India.
Objecting to the classification of financial data as sensitive personal data, RBI's note maintained that this would lead to higher compliance and explicit consent, which "would translate to increase in costs for providing services to customers. Financial inclusion efforts rely on lower service charges for offering basic banking services. The increase in costs would compel banks to increase the charges associated with offering banking services."
RBI's note also pointed out that countries such as the UK, France, Germany and Italy do not make such a classification.
However, according to privacy experts, the RBI cannot legally claim an exemption from the obligations that stem from the 2017 Supreme Court ruling as the Puttuswamy judgment, which upheld privacy as a fundamental right for Indian citizens.
The Personal Data Protection Bill, introduced in Indian Parliament in 2019, aims to create the first legal framework to protect privacy of the country's citizens after it was held as a fundamental right by the Supreme Court in 2017. In the digital landscape where data is the key asset, the bill lays down certain obligations on the part of entities or data fiduciaries handling such personal data.
The RBI also highlighted that the data retention period mandated by the bill is not in alignment with the RBI circulars on data storage. These mandate that if the processing is done abroad, payment data should be deleted from the systems abroad and brought back to India within 24 hours.
The RBI note also added that in case of cross-border transactions, RBI has allowed storage of copy of payment data abroad. In case of banks, especially foreign banks, RBI has also allowed storage of banking data abroad. But the provisions of the bill do not enable such storage. The RBI is seeking exemption on these grounds as well.
Pointing out that Clause 33(2) empowers the Centre to classify personal data as critical and mandate its processing exclusively within India, RBI stated that it will take away RBI's power to declare what data can be stored and processed in India.
The RBI also pointed out that it works towards the greater objectives of ensuring monetary and financial stability, strengthening the banking and non-banking system and regulating payment process and therefore the personal data collected by RBI is incidental to the functions and not for deriving any commercial gain.
It also said that data is collected by regulated entities and not directly by RBI and as "data fiduciaries, the entities themselves would have met the obligations towards data principals."
The note further stated that as the owner and operator of RTGS and NEFT, it would not be practical for RBI to give notice, obtain consent etc, in carrying out the payment system actively. RBI has suggested that clauses may be amended to exclude regulatory statues such as the RBI Act, the Banking Regulation Act, Payment and Settlement System Act from the overriding reach of the data protection law.
It is to be noted that the bill does have exemptions that allow personal data to be processed for protecting national security, pursuing investigations and complying with court orders, and for journalistic purposes.