Navigating Fintech Privacy: India's DPDPA and RBI Guidelines in a Global Context
The global fintech landscape, driven by rapid innovation, increasingly demands robust privacy frameworks. For Indian businesses operating in this space, understanding the interplay between domestic regulations like the Digital Personal Data Protection Act (DPDPA) 2023 and the Reserve Bank of India (RBI) Digital Lending Guidelines, alongside international benchmarks such as the US Gramm-Leach-Bliley Act (GLBA) and the EU’s General Data Protection Regulation (GDPR) and Payment Services Directive 2 (PSD2), is paramount. As of June 2026, with the DPDPA fully operational, India’s privacy posture is significantly strengthened, offering both unique stringencies and areas of convergence with global norms.
Consent and Data Collection Principles
India’s DPDPA 2023 makes consent the primary basis for processing personal data, requiring free, specific, informed, unconditional and unambiguous consent from the data principal, given by a clear affirmative action (Section 6); the only alternative grounds are the "certain legitimate uses" enumerated in Section 7. For fintech this is significantly amplified by the RBI Digital Lending Guidelines (2022), which mandate explicit, prior consent for all data collection (para 3.2.1) and require lending apps to desist from accessing mobile phone resources such as contact lists, call logs, or file and media galleries (para 3.2.5), permitting only one-time, purpose-specific access to the camera, microphone or location with the borrower’s explicit consent. This device-access restriction makes India’s stance notably stricter than its global counterparts.
In the EU, consent is only one of six lawful bases under GDPR (Article 6), but where it is relied on it must be freely given, specific, informed and unambiguous (Articles 4(11), 7), and it must be explicit for special categories of data (Article 9). PSD2 reinforces this for payment services, requiring the payment service user’s explicit consent before an account information service provider (AISP) accesses account data or a payment initiation service provider (PISP) initiates a payment. The US GLBA, conversely, operates on an opt-out model: under the Privacy Rule a financial institution may share non-public personal information with non-affiliated third parties unless the customer opts out, making it a looser regime regarding initial consent for data sharing compared to India and the EU.
Data Principal Rights and Transparency
The DPDPA grants data principals the right to access information about their personal data (Section 11), the rights to correction and erasure (Section 12), and the right of grievance redressal (Section 13). A distinctive feature is the right to nominate another person to exercise these rights in the event of the data principal’s death or incapacity (Section 14). The RBI Digital Lending Guidelines further bolster these by explicitly mandating the option for borrowers to revoke consent already granted and to require the app to delete their data (para 3.2.6).
The GDPR (Articles 12-22) provides comprehensive data subject rights, including the right to information, access, rectification, erasure (right to be forgotten), restriction of processing, data portability, and objection to processing. Transparency requirements are also extensive (Articles 13, 14). GLBA’s focus is primarily on requiring financial institutions to provide clear privacy notices explaining their information-sharing practices and the opt-out mechanisms available, offering fewer direct data subject rights compared to the DPDPA or GDPR. Thus, India and the EU offer more robust and proactive rights to individuals over their data.
Security, Accountability, and Governance
All of these frameworks mandate robust security measures. The DPDPA requires data fiduciaries to implement reasonable security safeguards to prevent personal data breaches (Section 8(5)) and, in the event of a breach, to notify both the Data Protection Board of India and each affected data principal (Section 8(6)); the Board itself is established under Section 18. For Significant Data Fiduciaries, appointing a Data Protection Officer based in India is mandatory (Section 10(2)(a)). The RBI Digital Lending Guidelines add specific requirements that borrower data be stored on servers located in India (para 3.2.4) and that lending apps meet defined technology standards (para 3.3), making them uniquely stringent on data localisation for the lending sector.
GDPR (Articles 25, 32) emphasizes data protection by design and by default, requiring appropriate technical and organisational measures. It also mandates Data Protection Impact Assessments (DPIAs) for high-risk processing (Article 35) and DPOs for certain organisations (Article 37). PSD2 mandates strong customer authentication (SCA) for payment transactions, adding a layer of security specific to fintech. GLBA’s Safeguards Rule requires financial institutions to develop, implement, and maintain an information security program to protect customer information. While all regimes demand security, the EU and India are more prescriptive on governance structures (DPO, DPIA, SDFs) and, in India’s case, data localisation.
Cross-border Data Flows
Cross-border data transfer mechanisms represent a significant divergence. The DPDPA (Section 16) takes a restriction-based approach: transfers of personal data outside India are permitted by default, except to such countries or territories as the Central Government may restrict by notification, and the section expressly preserves any other Indian law that imposes a higher degree of protection or a stricter restriction on transfer (which is how the RBI localisation requirement continues to bind lenders). As of mid-2026, with the DPDPA in force, the list of restricted destinations and any conditions attaching to transfers remain an evolving area, making India’s general framework for international transfers initially looser than the EU’s, with the potential to tighten as notifications are issued.
GDPR (Articles 44-50) has a highly developed and stringent framework for international transfers, relying on adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or specific derogations. GLBA, being a domestic US law, does not explicitly address cross-border data transfer mechanisms, focusing on the protection of US customer data by financial institutions regardless of where that data might be processed globally, largely relying on contractual obligations.
Practical Takeaway
For Indian businesses, particularly those in fintech, a multi-jurisdictional compliance strategy is crucial. The DPDPA, combined with the RBI Digital Lending Guidelines, sets a high bar for consent, data minimisation (especially regarding device access), and data principal rights that often matches or exceeds GDPR’s stringency in specific areas. While GLBA offers a comparatively looser approach to initial consent, its Safeguards Rule security mandates remain critical. Businesses should build to the strictest requirement that applies across these frameworks, in particular RBI’s explicit consent and data localisation mandates, while preparing for the cross-border transfer notifications and rules issued under the DPDPA.