However, only a few users are adequately informed about the data and privacy policies of fin-tech platforms, partly because of general ignorance when it comes to reading the terms and conditions, and partly because the policies, in a good number of cases, do not clearly outline how the data is being used, how to stop sharing data and what the mechanism of grievance redressal is.
In India, the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011, commonly referred to as the SPD/I Rules (part of the IT Act, 2000), stipulate how Internet firms must manage the personal data of their users. Among other things, they call upon firms to clearly provide information on what data points are collected, why they are collected, whether the data is shared with third parties, and the safeguards against pilferage.
In an audit of sorts, the CIS study revealed that while 75 per cent of the firms clearly mention all categories of personal information collected from users, 62.5 per cent (30 of 48 firms) do not provide details in their policy documents on how a user can opt out of information sharing. Moreover, about 41 per cent do not even mention the option to withdraw consent.
Data collected is typically a requisite for Internet firms to be able to offer their services. For instance, it is essential to link a bank account if one wants to operate an online wallet. However, data is also used to create profiles, based on which the same company targets users for other services or value-added products. The problem arises when permission for such activity is not actively sought or, in some cases, the data is supplied to other third-party entities without consent.
In this regard, the CIS study found that at least 17 firms did not enumerate the purpose(s) of data collected. As for grievance redressal, none of the firms except eight listed a clear mechanism for how consumers can take up the issue with the company if their data is compromised or misused.
The CIS analysis revealed that a good number of firms fall short of the standard outlined in the SPD/I Rules. Even though the SPD/I Rules are the current standard, the Personal Data Protection Bill, 2018, which is awaiting the government's nod, aims to give more power to users by introducing requirements like explicit consent in the case of personal data. The bill is likely to be taken up in the parliament after June.
Data protection and privacy were also the central theme in the Aadhaar debate, where certain sections of society argued that the blatant use of Aadhaar data by corporates, and less than adequate safeguards in the Aadhaar system, left huge vulnerabilities open. The Supreme Court ultimately ruled that corporates, fin-tech firms included, cannot mandatorily ask users for their Aadhaar.