Financial privacy must be recognised in India
The study has been authored by Shohini Sengupta.
Does one grain of sand make a ‘heap’? Do two grains of sand make a heap and consequently how many grains of sand make a heap? Is there and should there be a sharp distinction between a ‘heap’ and a ‘non-heap’? This is a familiar hypothesis for philosophers called the ‘sorites paradox’, and over the years, linguists and logicians, and even legal philosophers have used it to analyse the language of the law.
As is the case with most language, the language of law also suffers from this vagueness; however, the distinguishing feature of the latter being that continued linguistic ambiguity may have a profound impact on the development of legal principles, and consequently on the lives of people. Of course, some amount of vagueness is desirable and makes the law a flexible, evolving entity, capable of adapting to new worlds.
However, obfuscations in legal regulatory language, particularly one that touches upon crucial issues such as privacy, identity, and dignity, particularly in a country like India, creates impediments in the assertion and enforceability of rights, while also inhibiting the formation of clear legal standards and accountability mechanisms.
In a recent article linked below, this linguistic conflation in the context of ‘financial privacy’ is examined in the context of India’s technology and financial sector laws governing the vast field of ‘fintech’, including public and private financial institutions, regulators, government bodies and ministries, and financial institutions like banks, insurance companies, pension funds and credit information registries, in addition to several other like bodies.
The article finds that the language of financial law and financial consumer protection policies, particularly within the realm of banking regulations, appears to often conflate ‘privacy’ with ‘secrecy’ and ‘confidentiality’, with no real boundaries drawn between them, and obfuscating the express harms that arise from using these words synonymously, and thereby reducing the import of ‘privacy’ as imagined in the landmark case of K.S. Puttaswamy v Union of India which declared privacy as a fundamental right.
In fact, the realm of financial privacy and the harms from not providing for it in law adequately also arise from the fact that a lot of financial information in India is collected either by non-financial bodies, or collected in conjunction, as a motley data set, en masse along with biometric, gender, caste, health, telephonic and other non-financial data. Further, several government-owned entities such as public sector banks and state co-operative banks are frequently used as delivery vehicles for attaining social welfare goals such as opening zero-balance accounts, state-funded insurance, and pension plans. This en masse collection of data, financial and otherwise, is also possible because of the near ubiquitous use of Aadhaar in India, which now forms the primary focus of a centralised digital identity and data collection system. The article, therefore, suggests that the regulation of financial data in India would have to be connected with matters of both personal, financial, and interrelated non-financial information, and be imagined distinctly as ‘financial privacy’.
This realisation is particularly important during a pandemic, which has seen an increasing push worldwide for the adoption of digital finance and banking methods to promote social distancing. In this regard, the International Monetary Fund (IMF) has expressly warned that there are several risks to this, including a threat to stability and integrity, including from operational constraints, cyberattacks, fraud, money-laundering, data, and privacy issues that are always present, which may worsen if the use of digital financial services is scaled up in times of crisis; issuing a particular warning that this could create legitimate concerns about a surveillance state during crisis episodes.
In sharp contrast, however, in India, the push towards increased financial inclusion through the rapid adoption of fintech, issuance of newer banking licences, intermediation of traditional financial firms with giant technology companies like Apple and Google, has exaggerated concerns over financial data protection, particularly for the unbanked population, who may be more vulnerable than their urban and financially more literate counterparts. Despite this, there is little acknowledgement of growing financial data protection risks in India. For instance, the Report of the Committee on Deeping Digital Payments, constituted by the Reserve Bank of India (RBI) and chaired by Nandan Nilekani in 2019 framed privacy largely as a consumer awareness and financial literacy problem.
Further, the recommendations on deepening financial inclusion and managing the ecosystem on data did not state India’s lack of a robust data protection policy, and instead asked the regulator to increase data collection on digital payments. The article lists several other such policies. This should be juxtaposed with reports of data leaks, such as the alleged one by the digital payments firm, MobiKwik of its 110 million users, or the data breach of Aadhaar card information of users of BHIM, a mobile payments app last year, and of Juspay earlier this year. In spite of this, there has been resistance by the apex regulator to seriously consider data protection, evidenced by reports of the RBI seeking exemptions from the country’s draft data protection bill.
Given the growing body of literature on the clear social and economic benefits emanating from the institution of privacy enhancing legislation across the world, and India’s own rich jurisprudence stating the same, it is hoped that financial regulators, but more specifically RBI will welcome a distinct data protection law. The lack of a separate data protection law in India, combined with an absence of a cross-sectoral financial consumer protection law creates both an urgent need, and an opportunity for the government and RBI to reframe the discourse to seek linguistic clarity and assert a right to privacy for financial consumers, and prevent sorites paradox from being taken to its natural absurd conclusion.
(The study has been authored by Shohini Sengupta)