In May 2022, the Indian fintech sector faced a massive shock when hackers reportedly stole Rs. 7.3 crore from the payment gateway operator Razorpay by manipulating its authorization process. Earlier, in June 2020, sensitive data of more than 7 million users of the BHIM payments application was reportedly exposed on the dark web. These concerns have become graver since the government withdrew the much-awaited Personal Data Protection (“PDP”) Bill, 2019, citing its serious deficiencies and ‘proposing’ to present a more comprehensive law in its place, which leaves the nation without a robust data protection code. With the PDP Bill withdrawn, data privacy is governed solely by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules” or “Rules”).
This post analyses the SPDI Rules in light of a recently emerging fintech product, the electronic wallet. It does so in three parts: first, it briefly explains the impact of the Rules on e-wallet corporations; second, it critically analyses the Rules in light of their failure both to protect the privacy interests of consumers and to facilitate ease of doing business; and lastly, it argues for a gradual shift from activity-based (“AB”) to entity-based (“EB”) regulation for better regulation of data and privacy matters in the industry.
E-Wallet Market and The Implications of SPDI Rules
An e-wallet is a digital payment mechanism that facilitates cashless transactions through a computing device. E-wallets, for this paper, include both Prepaid Payment Instruments (“PPI”) such as the Paytm and Mobikwik wallets and Unified Payments Interface (“UPI”) instruments such as Google Pay and PhonePe. The first e-wallet in India, the Oxigen wallet, was launched in 2004, but the instrument gained traction only after 2016, post-demonetization. E-wallets have since been booming at a CAGR of 52.21% because of the government’s push towards a cashless economy. As of 2021, about 45.4% of e-commerce transactions and 22% of in-store payments were routed through digital mobile wallets.
The deep and extensive entrenchment of this fintech product in our lives makes it compelling to study the data regulatory framework in which it operates, for two reasons. First, e-wallets hold voluminous amounts of sensitive personal information about their customers, both financial (bank details, transaction history etc.) and otherwise (KYC details such as identity documents, biometrics etc.), all of which is prone to theft. Second, as intermediaries, their operation may involve sharing data with affiliates such as banks, potentially leading to the sale of data to third parties. Moreover, recent RBI guidelines permitting interoperability between e-wallets, which allow users to send money freely from one wallet to another just as between banks, exacerbate concerns surrounding data security.
In light of the growing activity on electronic platforms, the SPDI Rules were notified in April 2011 under Section 87(2) read with Section 43A of the IT Act. Their impact on e-wallet applications takes the form of additional compliance obligations and structural changes. Data that was hitherto collected and used freely now requires the consent of the user, obtained before collection and withdrawable at any time [Rules 5(1) and 5(7)]. Additionally, sensitive data may be collected only for purposes considered ‘necessary’ to the entity’s function [Rule 5(2)(b)]. The entity is required to publish a privacy policy setting out how and for what purposes the collected data is handled [Rule 4]. As structural changes, the entity is required to implement ‘reasonable’ security practices and procedures to safeguard data [Rule 8] and to appoint a Grievance Officer to address all related concerns [Rule 5(9)].
Although these Rules sound comprehensive at first glance, they have serious substantive and drafting flaws that leave severe loopholes. The next section appraises these concerns.
Ambiguous Drafting and Redundancy: A Critical Appraisal of SPDI Rules
As can be extracted from the above discussion, the objective of these Rules is two-fold: first, to secure the interests of customers by protecting their personal data; and second, to moderate the regulatory burden on companies so as not to make it difficult for them to operate efficiently. The Rules have proven insufficient to regulate the dynamic fintech industry and have failed on both fronts.
As a fundamental flaw, the definition of ‘sensitive personal data or information’ under Rule 3 is exhaustive: nothing outside the prescribed list is protected by the Rules. This is deficient because it fails to account for the dynamic nature of the fintech market, which is known for innovation. Several important indicators of a person’s private life that e-wallet applications store, such as income, credit history and transaction details, are not included in this definition. Data falling outside the definition may be used by the company at will, without being subject to any provision of the Rules.
An important aspect of these Rules is the value attached to ‘consent’, which, unfortunately, is not defined anywhere in the Rules. There is a further substantive limitation in the manner in which this consent is acquired for collecting, storing and transferring data. As a trade practice, all e-wallet corporations have adopted the standard form model, or more simply, take-it-or-leave-it contracts, which favour the drafter (here, the corporation). Instead of separately seeking consent to use data, the consent is clubbed with the other terms that must be accepted to use the platform at all. Given the ubiquity and essential nature of e-wallets, this leaves the customer with no choice but to consent. Nor can the user move to a competitor, as all players follow the same practice. The consent requirement is therefore redundant in effect.
Another limitation is the absence of any clause on ‘data localization’. It is unclear whether a company that stores data outside India falls beyond the reach of these Rules. As many e-wallets in India today are operated by foreign companies, such as Amazon Pay and Google Pay, this question is pertinent. In 2018, Paytm co-founder Vijay Shekhar Sharma alleged that Google Pay was selling users’ data to advertisers and that this was permitted under its own policy framework. This could not be regulated effectively because Google’s data was stored outside India, which made it difficult to trace and added legal complexity to enforcing Indian law.
Another problem that this 2018 incident highlights is the lack of a national regulator dedicated to data protection, without which it would have been difficult to enforce claims against Google. An overarching data protection authority is required to admit complaints, enforce the law and take suo motu cognizance of violations. This is crucial given the disparity in bargaining power and the informational asymmetry between corporations and their users, which make it difficult for users to enforce the Rules in the regular courts. A legally empowered regulator, like IRDAI or SEBI in their sectors, could continuously monitor such big-tech firms and prevent the exploitation of users.
As one can now infer, the SPDI Rules have been weakly framed and are exploitable. One example is Google Pay’s policy, which explicitly allows data to be shared with all of Google’s subsidiaries. Google is conveniently able to circumvent Rule 7, which permits transfer of data only when (a) it is necessary and (b) due consent has been obtained. It argues that users do not create a separate account with Google Pay; rather, they create a single account with Google LLC that applies to all of its platforms at once. A common Google account, as it posits, is essential for proper risk management, fraud prevention and offering users a complete experience, and hence the sharing of data is ‘necessary’.
Ease of Doing Business
In sum, the SPDI Rules are poorly drafted and unfit to adapt to the changing needs of society. As Amstad posits, two major objectives of any fintech regulation are countering informational asymmetry and maintaining market integrity. Loopholes in the Rules that allow companies to be complacent and opaque about data utilization promote informational asymmetry instead of tackling it. Alongside this, the recent disruptions to the e-wallet industry, with massive data thefts and allegations of companies selling data to third parties, showcase the failure of the Rules to preserve market integrity.
AB versus EB Regulations: Regulating Complex Fintech Firms
In September 2021, RBI Deputy Governor T. Rabi Sankar said that fintech regulation should be less activity-based and more entity-based. Put simply, AB regulation applies a common policy to all entities performing the same activity, whereas EB regulation is curated uniquely for specific players that are either engaged in extremely diverse activities or require specific attention because of their size and control over the market. (Borio and others, 2022)
The SPDI Rules, as we have seen above, regulate the activity of handling personal data rather than any entity specifically, and are hence AB. They work on a “same risk, same rules” model, presupposing that all e-wallets have an identical operating framework and can therefore be regulated by identical rules (Amstad, 2019). This may have been true in 2011, but not today, as the market has evolved drastically. As Fernando Restoy argues for fintech generally, and as this paper shows for the e-wallet industry specifically, EB regulation is more suitable for three reasons –
- Different products, even within the same bracket, have distinct risk models (Restoy 2021). Wallets differ in risk according to their degree of openness: an open wallet (ICICI Pockets) carries greater risk than a semi-closed wallet (PhonePe) or a closed wallet (Swiggy Pay). (Mishra and others, 2019)
- It helps prevent regulatory arbitrage, in which an entity already subject to one regulatory framework expands into new activities that fall outside that framework without having to comply with any new regulation. Consider, for example, the RBI’s Master Directions on PPIs, which were framed to regulate prepaid e-wallet applications. Before 2016, Paytm was merely an e-wallet application, but it has since diversified into new areas such as bill payments, loan processing and ticket booking. Although these new services have different operational models, i.e., different ways of dealing with data that call for distinct, targeted policies, they continue to be regulated by the same Master Directions. An EB policy would be able to manage Paytm holistically, dealing with each of its distinct arenas according to its own specific needs. (Borio and others, 2022)
- Linked to the last point, EB regulation is useful for regulating bigger firms that have greater market influence. Such firms, which have the potential to engage in anti-competitive practices, may need to be treated differently to protect the public interest (Restoy 2021). In economic terms, this entails third-degree regulatory discrimination, whereby firms are differentiated by market capitalization, revenue or asset size and regulated differently. A case in point is the GAFA tax imposed by France, which is based on the annual revenues of digital companies.
By adopting EB regulation, the state is able to uphold consumer interests by targeting individual entities with specific policies, ensuring that no activity goes unregulated and that consumers are not exploited in any manner. It additionally allows regulators to draft need-specific guidelines for individual corporations, promoting ease of doing business. Moreover, it helps create a level playing field in the e-wallet market, where stronger players are strictly regulated and newcomers are given more latitude. Thus, the EB framework helps strike the right balance between consumer and business interests where the existing regulatory framework has failed.
This essay has highlighted the failure of the SPDI Rules owing to their obsolescence. What remains to be seen is how the new Personal Data Protection Bill is drafted. While our regulatory framework cannot be entirely entity-based, given the practical difficulties, it would be wise to draft a law that is activity-based in general and entity-based in specific instances, so as to target particular corporations or fragile areas that need special attention.
(This post has been authored by Siddhant Pengoriya, a second-year law student at NLSIU, Bangalore.)