FPIs move MeitY against data bill, seek exemption
FPIs are mainly concerned about categorisation of all types of financial information as sensitive data under the new law.
The proposed Personal Data Protection Bill (PDPB) has prompted the foreign fund lobby grouping, Asia Securities Industry & Financial Markets Association (Asifma), to approach the Ministry of Electronics and Information Technology (MeitY). Asifma, which represents the interests of FPIs such as Citi, Invesco and CLSA, has told MeitY in a letter that the proposed law would create further problems in the financial services sector. ET has reviewed the letter.
FPIs are mainly concerned about categorisation of all types of financial information as sensitive data under the new law. FPIs argue that since they don’t deal with the data of Indians, they should be exempt from the law. As financial data have been categorised as sensitive, all entities handling them are now required to maintain at least a copy of such data within India. Operational and trade-related data of FPIs are stored within India. But the more sensitive types of data, such as details of ultimate beneficiaries or off-shore banking accounts of FPIs, are stored in regional financial hubs such as Singapore and Hong Kong. The new law, however, will make it mandatory for the custodians to store even a copy of these crucial FPI-related details within the country.
A global custodian privy to the development said representatives of leading foreign funds are also planning to meet MeitY officials in October to discuss the subject. The FPI lobby has also expressed concerns about the consultation process for the new data protection law, saying that only a few select stakeholders could give their inputs. MeitY may come up with a white paper for public consultation on how non-personal data, such as those held by Google, Uber and Amazon, can be regulated. But there is no clarity yet on consultations regarding the regulation of financial data.
According to Asifma, the law should apply only to entities that process the data of Indian individuals. Furthermore, the data collected by FPIs are already in accordance with the data privacy laws applicable in the home countries of FPIs.
“Asifma recommends that data from heavily regulated sectors such as financial services be excluded from the extra-territorial applicability of PDPB on grounds that such data is already subject to confidentiality and other regulatory requirements,” Asifma said in the letter. “Data collected offshore pursuant to offshore data protection legislation should, therefore, be excluded from the PDPB regime.”
To be sure, Asifma is not the first industry body to voice such concerns. The Internet and Mobile Association of India, in a recent recommendation report to the government, also sought the exclusion of financial data (for example, bank account numbers) from the ambit of Sensitive Personal Data (SPD). Such data “cannot be abused to the detriment of the data principal. On the contrary, only data related to second-factor authentication may be made SPD,” the report said.
Second-factor authentication refers to a security process in which users provide two different authentication factors, such as a one-time password apart from a username and password.
Off-shore funds are also wary about the broader definition of financial data under the new law. It covers any data that can be used to identify an account or payment instrument. Further, it could also include any data that depict the relationship between a financial institution and a person. As per the draft law, prior consent from the individual is mandatory while using, processing or transferring any financial data.
“The definition could mean anything from the KYC documents to Net Asset Value (NAV) statements generally sent out by custodians or brokers,” said the global custodian cited above.
“If the same definition is retained in the final law, custodians will be forced to obtain consent from FPIs every time they use their data.”