India needs stronger data protection laws for its Chinese-funded fintech startups

Retaliating on the internet.
Retaliating on the internet.
Image: REUTERS/Danish Siddiqui/Illustration
We may earn a commission from links on this page.

The Narendra Modi government has built a great Indian internet firewall against Chinese apps due to concerns over data security. But there is a potential gap that the government has so far ignored, which experts warn could prove risky.

India does not have stringent laws to monitor data collected by homegrown fintech companies, many of whom are heavily funded by foreign players—including a bunch of Chinese investors.

If foreign investors hold a substantial stake in a company, they could compel it to part with customer data collected directly or via affiliates, says Probir Roy Chowdhury, partner at Mumbai-based law firm J Sagar Associates.

And Indian fintech players are huge data mines. They collect and crunch users’ data, which helps them offer payment services and sell products ranging from loans to insurance, as well as offer payment services. They end up amassing information like users’ money transfer record, and what they purchase and browse. This also helps fintech firms in assessing the credit-worthiness of a user.

“Given various factors including the growth of the digital economy, lenders have been expanding access to credit at the risk of customers’ data privacy,” says Ayushi Tandon, senior fintech analyst at GlobalData.

Protection of users’ data on these platforms only hinges on hope, as startup experts believe these companies don’t typically share any info other than business-related facts with investors.

“Technically, a shareholder can ask for the data from a startup. But, usually, such demands are not made as only financial statements and overview operational data is provided to investors,” says Harish HV, managing partner at ECube Investment Advisors.

Data law for fintech

With fintech players holding such sensitive data, the authorities have in the past taken steps to protect users’ interest. “The Reserve Bank of India mandates all entities operating payment systems in India, including banks, to mandatorily store all payment data exclusively on servers in India,” says Chowdhury.

In fact, this was the pivotal reason behind the delay in giving Facebook-owned WhatsApp the go-ahead for starting payment service in India.

But experts believe the implementation of strong data protection law is extremely important to protect users’ data.

The Indian government is trying to address these concerns through a new Personal Data Protection law, which is still in the works.

Citing examples of the European Union (EU) and the UK, which have implemented data protection laws to safeguard the personal data of their citizens and companies, Rajiv Biswas, APAC chief economist at IHS Markit, says “India has lagged far behind in its data protection regulations.”

After years of deliberation, the EU passed a law in April 2016 that gives users more control over their data. For instance, companies have to tell users the reason behind collecting a dataset and for what purpose it’s being used. Analysts says it could be as “powerful” as the EU’s General Data Protection Regulation.

“It will further restrict stored data crossing the borders. Also, consumers…will have the knowledge of which all entities hold their data,” says Arushi Chawla, research associate with Counterpoint Research. “This two-way transparency will protect the user’s data in today’s unavoidably connected ecosystem.”

By contrast, the absence of any such law in India is a concern. As Chinese money helps Indian fintech firms not only weather the Covid-19 slump, but also scale up, it’s more important than ever that the Modi government implement a data policy as soon as possible.