The Reserve Bank of India (RBI) seeks dispensation from the Personal Data Protection Law of the country concerning its supervisory functions, policy, and regulations.
Speaking on the condition of anonymity, some people who are familiar with the situation explained that the RBI does not want the classification of ‘sensitive personal data’ for the financial data of the individuals.
In a note by the RBI, they asked the government that the monetary, and supervisory functions of the RBI along with its role as the operator of payment systems may be exempted from the bill’s ambit. It also added that classifying the financial data of the individuals as sensitive personal data will have a dampening effect on the final inclusion efforts made by India.
This exemption is in line with the International standards, where the protection laws declares the central banks immune to their purview. The financial data is not classified as sensitive personal data. Only health data, religious beliefs, political opinion, sexual orientation, union membership, and biometric information are kept sensitive. Extra security is required for the processing. This can be seen in countries like Europe, Germany, France, Italy, and United Kingdom.
RBI has also added an exemption as generated by the Bank of England from the personal data protection act in the UK along with another exemption given by the central bank of Malaysia, that states “We would request that the monetary, regulatory and supervisory functions of RBI, as well as its role as the operator of payment systems, may be exempt from the purview of the Bill.”
The RBI acts as a regulator and supervisor, which is why it ordinally has to deal with loads of data related to banks other financial institutions. The data includes information on the clients of banks, senior bank employees, which is vital to ensure the safety and smooth running of the system, it is also necessary for fraud prevention and ensuring compliance. This information has been provided by one of the anonymous bank employees.
“Sectoral regulators should be given the power to classify personal data as critical.”- said the banking regulator suggesting that the central government should not be given this power to classify personal data critical.
The note given by the RBI also states that the classification of financial data as sensitive personal data “would translate to an increase in costs for providing services to customers. Financial inclusion efforts rely on lower service charges for offering basic banking services. The increase in costs would compel banks to increase the charges associated with offering banking services.”
Rahul Matthan- author of Privacy 3.0 and a partner-lawyer at the Trilegal law firm made a statement “What the bill does is flesh out that right in terms of the actual actions that need to be done. Even if the PDP (personal data protection) bill does not apply to them, they can still be held liable under the Puttuswamy judgment.”
As per Clause 33(2), the Centre is empowered to classify the personal data as critical and the processing should be done exclusively within India. To this, the RBI argues “This will take away Reserve Bank’s power to say what data can be stored and processed in India.”
The clauses may be revised to remove the regulatory bodies like the RBI Act, Payment and Settlement System Act, the Banking Regulation Act from revoking the reach of the data protection law, states the RBI note.
