[This article is authored by Avinash Kumar, II Year B.A. LL.B. (Hons.) student at Dr. Ram Manohar Lohia National Law University. This is the first part of a two-part series evaluating the challenges of handling Data Subject Access Requests (DSAR) under the Digital Personal Data Protection Act, 2023, from the perspective of Financial Service Providers (FSPs).]
PART-1
I. Introduction
The continuous proliferation of data in present times is changing how people engage with organisations. Through the processing of personal data generated by every click, swipe, roll or scroll, corporations have come to know more about us than we know about them. We are left in the dark about what kind of data they collect, how they use it and with whom it is shared. Companies collect, analyse, and commodify our personal data to predict and influence our behaviour. While we have long assumed that platforms offer services as their product, in reality it is users’ data that is being monetised.
II. The Data Economy and Regulatory Response
There are regulations in place to manage the digital footprints we create, which serve to protect us from potential harm. The European Union introduced the General Data Protection Regulation (‘GDPR’), while China enacted the Personal Information Protection Law (‘PIPL’). In the U.S., various state laws, particularly the California Consumer Privacy Act (‘CCPA’), contribute to this essential framework of privacy protection. For data governance in India, the Digital Personal Data Protection Act, 2023 (‘the Act’ or ‘DPDPA’) replaces Section 43A of the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘SPDI’ Rules). This is an important step for organisations in meeting global data protection standards and for India’s goal of a $1 trillion digital economy.
Among all sectors, financial institutions (‘FIs’) are the entities processing an especially large volume of sensitive information. Financial Service Providers (‘FSPs’), including banks, insurance companies, Non-Banking Financial Companies (‘NBFCs’) and FinTech firms, are designated as ‘Data Fiduciaries’ under Section 2(i) of the Act. FSPs (some of which would qualify as Significant Data Fiduciaries) have turned into a hotspot for cyber intrusion, with 65% of financial organisations enduring ransomware attacks.
This article examines how financial institutions handle requests from individuals for their personal data while complying with data privacy laws like the DPDPA and GDPR, and what this means for personal data in modern finance. Case-based analysis highlights instances where FSPs’ legal obligations and the management of operational risk have intersected. Throughout the article, data transparency is treated as the primary approach, and the challenges of handling Data Subject Access Requests (DSAR) are examined in light of legal requirements and their operational impact. By the end, the paper outlines a forward-looking framework for banks to manage DSAR, balancing compliance with the interests of customers and regulatory entities.
III. The Extent of Personal Data
Section 2(n) of the DPDPA defines ‘digital personal data’, which covers personal data collected online as well as data collected offline and later digitised. For financial institutions, this might include transaction histories, investment portfolio details, loan applications and multiple types of Personally Identifiable Information (‘PII’) required for credit scoring and other financial assessments. Financial PII, notably account numbers, identification cards, income details, health information (processed by insurance companies) and biometric data, would often be classified as ‘sensitive PII’. This stems from the substantial harm, including financial loss, identity theft and reputational damage, that can result from its unauthorised disclosure or misuse.
Section 11 of the DPDPA affirms data subjects’ right to access, which mirrors the scope of Article 15 of the GDPR. The right to access the information that these companies hold about us, once regarded as an exceptional remedy, now seems a routine expectation in line with existing statutes. For instance, a survey by EY Law reports that 62% of responding organisations recorded an increase in DSAR, primarily driven by the GDPR and increased individual awareness of their rights.
To what extent does data qualify as ‘personal’, and how wide is the ambit of an individual’s right to access? These questions were addressed by the High Court in London in its ruling in Michael Ashley v His Majesty’s Revenue and Customs (HMRC) under the UK GDPR. Ashley submitted a subject access request to obtain his personal data relating to property valuations for tax purposes, with which HMRC did not comply. The court observed that personal data must be searched for across all the departments and systems wherever it may exist.
Additionally, the court clarified that not all information used to reach a conclusion qualifies as someone’s personal data: internal guidance, comparable property data and HMRC’s internal processes may not necessarily be “about him”. Weighing HMRC’s reliance on the tax exemption clause under the Data Protection Act 2018, which restricts the disclosure of data if it would prejudice tax collection, the court rejected the claim. The court reasoned that the evidence failed to show any actual harm under the three-stage test, which requires identifying the particular harm, demonstrating how disclosure would bring it about, and assessing the likelihood of it happening.
IV. The Grey Area in between Privacy and Public Interest
This interpretation of the law by the UK court highlights a layered obstacle between the principles of privacy and transparency in the Indian terrain. Earlier, under Section 8(1)(j) of the RTI Act, the government could deny information if it was not related to public activities or if sharing it would invade someone’s privacy, unless there was a significant public interest involved. This position was affirmed by the Supreme Court in Girish Ramchandra Deshpande v. Central Information Commissioner & Ors.
That said, the newly notified DPDP provisions under Section 44(3) amend Section 8(1)(j) of the RTI Act, empowering the authorities to withhold any ‘personal information’ and bypassing the earlier public interest test altogether. Under the earlier interpretation of the public interest test in the RTI framework, information was disclosed if it was shown to promote transparency or accountability, or to prevent misuse of public office, even when exemptions under Section 8 were invoked.
If this amendment stands as it is, wiping out the public interest test and forging a blanket exemption for all personal information would dismantle a carefully balanced doctrine. This would defeat the essence of public audits and citizen oversight of government programmes, particularly those involving FIs, which depend on access to detailed personal data to identify corruption and misuse of power.
V. Triangulation of FIs in Whirlwind of DSAR
Financial services in India are governed by four main regulators. The Reserve Bank of India supervises commercial banks, urban cooperative banks, financial institutions and NBFCs; the Securities and Exchange Board of India governs mutual funds and capital markets; the Insurance Regulatory and Development Authority of India oversees the insurance sector; and the Pension Fund Regulatory and Development Authority regulates the pension sector.
These entities are mandated to process Data Principals’ information either with their consent or for ‘certain legitimate uses’ under Section 4 of the Act. Such implied consent gives data fiduciaries expansive processing rights, while data principals lose clarity over and control of their data. The institutions must also comply with Section 5, which requires sending a notice to customers asking for their explicit consent before processing data. Section 6 of the Act explains the need to obtain free, specific, informed, unconditional and unambiguous consent from Data Principals. This ensures that individuals get the whole picture of why their data needs to be processed.
All of this is to be exercised transparently, but the velocity at which financial data is generated and processed adds multiple layers of complexity. Transactional data, market data feeds, customer interactions and other services recur on a daily basis. These exist in structured formats (e.g., a database of customer accounts), semi-structured formats (e.g., XML/JSON feeds from record logs) and unstructured formats (e.g., emails, documents, helpdesk notes). Retrieving all of it in response to a customer request requires a multi-departmental effort.
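To make the retrieval problem concrete, the following Python script is an added example written for this article (it is not code from the original post or from any FSP’s systems). It runs one DSAR search for a data principal across the three kinds of store just described: a structured SQLite accounts table, semi-structured JSON log lines, and unstructured helpdesk notes. All records, identifiers and table columns are constructed for the example. Identifiers found in the structured system (name, email, account number) are used to widen the search into free text, and, following the Ashley reasoning, a note that names no customer is not returned because it is not “about” the principal.

```python
import json
import re
import sqlite3

# Constructed sample data (not from the article): one structured accounts table,
# a few semi-structured JSON event-log lines, and unstructured helpdesk notes.
ACCOUNT_ROWS = [
    ("C-1001", "Asha Rao", "asha@example.com", "ACC-77-1001", 15200.50),
    ("C-1002", "Ravi Iyer", "ravi@example.com", "ACC-77-1002", 980.00),
]

EVENT_LOG_LINES = [
    '{"ts": "2024-03-01T10:02:11Z", "customer_id": "C-1001", "event": "login", "ip": "203.0.113.7"}',
    '{"ts": "2024-03-01T10:05:40Z", "customer_id": "C-1002", "event": "transfer", "amount": 250}',
    '{"ts": "2024-03-02T08:00:00Z", "customer_id": "C-1001", "event": "card_blocked"}',
    "this line is not valid json and must not abort the search",
]

HELPDESK_NOTES = [
    "Ticket 4411: asha@example.com asked about a duplicate debit on ACC-77-1001.",
    "Ticket 4412: internal guidance on fee waivers (no customer named).",
    "Ticket 4413: called Ravi Iyer back regarding KYC documents.",
]


def build_structured_source():
    """Create an in-memory accounts table standing in for a core banking database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (customer_id TEXT, name TEXT, email TEXT, "
        "account_no TEXT, balance REAL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?, ?)", ACCOUNT_ROWS)
    return conn


def search_structured(conn, customer_id):
    """Structured source: an exact, parameterised lookup on the primary key."""
    cur = conn.execute(
        "SELECT customer_id, name, email, account_no, balance FROM accounts "
        "WHERE customer_id = ?",
        (customer_id,),
    )
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def search_semi_structured(lines, customer_id):
    """Semi-structured source: parse each JSON line, tolerate malformed ones."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # one corrupt log line must not abort the whole DSAR
        if rec.get("customer_id") == customer_id:
            hits.append(rec)
    return hits


def search_unstructured(notes, identifiers):
    """Unstructured source: case-insensitive search for any known identifier."""
    pattern = re.compile("|".join(re.escape(i) for i in identifiers), re.IGNORECASE)
    return [note for note in notes if pattern.search(note)]


def collect_dsar(customer_id, conn, log_lines, notes):
    """Assemble the access-request bundle for one data principal across all stores."""
    structured = search_structured(conn, customer_id)
    # Identifiers confirmed in the system of record drive the free-text search,
    # so only notes that actually refer to this principal are returned.
    identifiers = {customer_id}
    for row in structured:
        identifiers.update({row["name"], row["email"], row["account_no"]})
    return {
        "customer_id": customer_id,
        "structured": structured,
        "semi_structured": search_semi_structured(log_lines, customer_id),
        "unstructured": search_unstructured(notes, identifiers),
    }


if __name__ == "__main__":
    db = build_structured_source()
    print(json.dumps(collect_dsar("C-1001", db, EVENT_LOG_LINES, HELPDESK_NOTES), indent=2))
```

In a real FSP the three searches would fan out to separate owners (core banking, logging, customer service), which is exactly the multi-departmental effort the text describes; the script only shows why a maintained inventory of where personal data lives, and which identifiers link the stores, is the precondition for answering a DSAR completely.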
VI. Conclusion
Institutions must devise a strong, forward-looking approach, essential to safeguard individual rights. With the growing demand for DSARs and overlapping regulatory expectations, balancing transparency and compliance is critical. Legal precedents and policy shifts must be interpreted in a way that respects both privacy and public interest. Moving forward, FSPs must invest in data governance frameworks as a core organisational value. I will explore this topic further in the second part of the blog.