Is your personal data lying with fin-tech companies really all that safe?

A recent study of the privacy policies of 48 fin-tech firms operating in India reveals that many fall short of stipulated best practices, putting your PAN, bank account and other details at risk

[Representative image: Data privacy]
Yuvraj Malik Bengaluru
Last Updated : May 07 2019 | 9:21 AM IST
With fintech services growing steadily in India, so also have concerns around data privacy and protection. Unlike data gathered by social media firms and ad networks, user information shared with fintech platforms, which includes bank accounts, PAN numbers and financial information, is highly sensitive.

Even as a robust online financial services sector has emerged on the back of higher smartphone adoption and Internet penetration, data protection laws, along with an average user’s understanding of those laws and the associated powers to take corrective action, have been a notch behind.

By one estimate, India has over 100 fin-tech businesses, broadly categorised as payment gateways and gateway aggregators, mobile payment apps and wallets, digital payments banks, and digital lending platforms, including peer-to-peer lending services. The scale of the industry can be gauged from the fact that Rs 1,42,034 crore was transacted over UPI in April alone, while Indians shopped for goods and services worth $15 billion on e-commerce sites last year.

However, only a few users are adequately informed about the data and privacy policies of fin-tech platforms, partly because users rarely read the terms and conditions, and partly because the policies, in a good number of cases, do not clearly outline how the data is used, how to stop sharing it, and what the mechanism for grievance redressal is.

The findings are based on an extensive study conducted by the Centre of Internet and Society (CIS) which looked at the privacy policy notices of 48 fin-tech companies, including Paytm, Google Pay, Phonepe, PayU, BillDesk, Airtel Payments Bank, PolicyBazaar and BankBazaar.

In India, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, commonly referred to as the SPD/I Rules and framed under the IT Act, 2000, stipulate how Internet firms must manage the personal data of their users. Among other things, the rules call upon them to clearly state what data points are collected, why they are collected, whether the data is shared with third parties, and what safeguards exist against pilferage.

In an audit of sorts, the CIS study revealed that while 75 per cent of the firms clearly mention all categories of personal information collected from users, 62.5 per cent (30 of 48 firms) do not provide details in their policy documents on how a user can opt out of information sharing. Moreover, about 41 per cent do not even mention the option to withdraw consent.

Data collected is typically a requisite for Internet firms to be able to offer their services. For instance, it is essential to link a bank account if one wants to operate an online wallet. However, data is also used to create profiles, based on which the same company targets users for other services or value-added products. The problem arises when permission for such activity is not actively sought or, in some cases, the data is supplied to other third-party entities without consent.

In this regard, the CIS study found that at least 17 firms did not enumerate the purpose(s) for which data is collected. On grievance redressal, only eight firms listed a clear mechanism for consumers to take up the issue with the company if their data is compromised or misused.

The CIS analysis revealed that a good number of firms fall short of the standards set out in the SPD/I Rules. Even though the SPD/I Rules are the current standard, the Personal Data Protection Bill, 2018, which is awaiting the government's nod, aims to give users more power by introducing requirements such as explicit consent for the processing of personal data. The bill is likely to be taken up in Parliament after June.

Data protection and privacy was also the central theme of the Aadhaar debate, in which certain sections of society argued that the blatant use of Aadhaar data by corporates, and less than adequate safeguards in the Aadhaar system, left huge vulnerabilities open. The Supreme Court ultimately ruled that corporates, fin-tech firms included, cannot make Aadhaar mandatory for users.
