Navigating Fintech Privacy: India's DPDPA and RBI Rules in a Global Context

The global financial technology landscape is a complex web of innovation and regulation, with privacy at its core. As India’s Digital Personal Data Protection Act, 2023 (DPDPA) has now fully come into force, coupled with sector-specific mandates like the RBI’s Digital Lending Guidelines (DLG), Indian fintechs face a dual challenge: adhering to domestic law while understanding international benchmarks set by frameworks like the US Gramm-Leach-Bliley Act (GLBA) and the EU’s General Data Protection Regulation (GDPR) and Payment Services Directive 2 (PSD2). This analysis anchors on the Indian regime to compare its stringency and scope against these global counterparts.

Scope and Applicability

The DPDPA casts a wide net, applying to the processing of digital personal data within India and, under certain conditions, to processing outside India if it relates to offering goods or services to data principals in India (Section 3). This broad jurisdictional reach is comparable to GDPR (Article 3), which applies to data processing relating to individuals in the EU, regardless of where the processing takes place. In contrast, GLBA’s Privacy Rule (16 CFR Part 313) and Safeguards Rule (16 CFR Part 314) are specifically tailored to “financial institutions” and their affiliates, defining them broadly to include entities engaged in activities that are financial in nature. This makes GLBA’s scope narrower by entity type compared to the DPDPA and GDPR’s person-centric approach.

For fintechs in India, the RBI’s DLG (issued September 2022) provides an additional layer of specific, stringent requirements for Regulated Entities (REs) and their Lending Service Providers (LSPs). These guidelines mandate specific data practices for digital lending, irrespective of the DPDPA’s broader application. This dual-layer regulation (general data protection law + sector-specific rules) makes the Indian regime uniquely robust for financial services. PSD2, while also sector-specific, focuses on payment services, access to account information, and strong customer authentication, with its data protection aspects largely underpinned by GDPR.

Consent and Processing Principles

Consent is a cornerstone of data processing under the DPDPA, requiring it to be free, specific, informed, unconditional, and unambiguous (Section 6). The DPDPA also introduces “legitimate uses” (Section 7), which permit processing without consent for specific purposes like employment, public interest, or fulfilling legal obligations – a concept similar to GDPR’s “legitimate interests” (Article 6(1)(f)) but arguably more prescriptive. The RBI DLG further tightens this for digital lenders, mandating explicit consent for all data collection (Para 3.3.2), not just sensitive data, and prohibiting automatic access to mobile phone resources like contacts or call logs. This makes the Indian framework potentially stricter on consent for digital lending than even GDPR, which allows for other lawful bases beyond explicit consent.

GLBA, in contrast, primarily operates on an “opt-out” mechanism for sharing Non-Public Personal Information (NPPI) with non-affiliated third parties (16 CFR Part 313.10(a)). Financial institutions must provide a clear notice and an opportunity to opt out. This is a significantly looser standard than the DPDPA’s and GDPR’s default “opt-in” requirements, representing a fundamental difference in privacy philosophy. Data minimization and purpose limitation (DPDPA Section 8(1), GDPR Article 5(1)(b)-(c)) are explicit in Indian and EU law, requiring data to be collected for specified purposes and not retained longer than necessary. While GLBA implies these principles through its Safeguards Rule, they are not as explicitly articulated or enforced as core processing principles.

Data Security and Breach Notification

All frameworks demand robust data security. The DPDPA requires data fiduciaries to implement reasonable security safeguards to prevent data breaches (Section 8(5)) and notify the Data Protection Board of India and affected data principals in the event of a breach (Section 19). Similarly, GDPR mandates appropriate technical and organisational measures (Article 32) and requires breach notification to supervisory authorities within 72 hours and to data subjects if there’s a high risk to their rights and freedoms (Articles 33-34). PSD2 also imposes specific security requirements for payment service providers, including strong customer authentication (Article 97) and secure communication channels.

GLBA’s Safeguards Rule (16 CFR Part 314) requires financial institutions to develop, implement, and maintain a comprehensive information security program. While it doesn’t prescribe a specific breach notification timeline or recipient in the same way DPDPA or GDPR do, federal and state agencies often have their own notification requirements. The RBI DLG adds to this for digital lenders, requiring an audit trail for data access (Para 3.3.3) and ensuring data is stored only in India (Para 3.3.4), which is a specific geographical restriction not found in GLBA or GDPR (though GDPR has strict cross-border transfer rules).

Cross-border Data Transfers

The DPDPA adopts a relatively permissive approach to cross-border data transfers, stating that the central government may notify countries or territories to which data fiduciaries may transfer personal data (Section 16). This “whitelisting” approach is a departure from the GDPR’s more complex system of adequacy decisions, standard contractual clauses (SCCs), or binding corporate rules (BCRs) (Articles 44-50), which often require rigorous assessments of recipient countries’ data protection standards. GLBA does not specifically regulate cross-border data transfers, focusing instead on the protection of NPPI regardless of its location, though other US laws or state regulations might impose restrictions. India’s approach, while providing clarity, could be seen as looser than GDPR’s in terms of the initial burden on the transferring entity, but the government’s power to whitelist could also make it stricter depending on the criteria applied.

Practical Takeaway

For Indian businesses, especially those in fintech, navigating this multi-layered regulatory environment requires a sophisticated approach. The DPDPA sets the baseline for all personal data processing, while the RBI DLG imposes heightened, often stricter, requirements for digital lending activities. Businesses must ensure their privacy policies and consent mechanisms are DPDPA-compliant (Section 6, 8(1)) and, if applicable, meet the explicit consent and data deletion mandates of the RBI DLG (Para 3.3.2, 3.3.5). When engaging with global partners, understanding the “opt-out” nature of GLBA versus the “opt-in” and extensive rights under GDPR is crucial. While India’s cross-border transfer regime (Section 16) may seem simpler than GDPR’s, the government’s future notifications will dictate its practical ease. GCs and DPOs should conduct thorough data mapping to identify all data flows, apply the most stringent applicable standard (often the RBI DLG for digital lenders), and regularly audit their compliance posture against both domestic and relevant international frameworks.

This post is licensed under CC BY 4.0 by the author.