The Ministry of Electronics and Information Technology (MeitY) has proposed that the Reserve Bank of India (RBI) come up with regulations to oversee collection, usage and sharing of data by payment service providers, even as the government is expediting discussions on the draft Personal Data Protection Bill.
‘Sensitive data’
This follows concerns raised by the National Cyber Security Coordinator (NCSC) over collection and storage of “sensitive personal data” by payment service providers via applications such as Google Tez, WhatsApp and Paytm, a senior official of the ministry told The Hindu.
During a review meeting on digital payments in October, the NCSC pointed out that there was no agreement between the National Payments Corporation of India (NPCI), the banks and the applications that provided payment services. Additionally, there is no liability of NPCI and the payment service providers, the NCSC said. “Noting that there is a need for regulation on data flow of financial transaction, they also pointed out that there is no provision to protect the interest of the consumer against the pilferage, leakage and sharing of data, which is of sensitive nature,” the official said.
All aspects
The NCSC recommended that there was a need to scrutinise all aspects of a relation – legal, technical and financial – between all the stakeholders in the payments ecosystem. “Payments service providers must comply with legal framework as well as regulations prescribed by the regulator,” the NCSC recommended.
“The Ministry of Electronics and IT (MeitY) supports NCSC’s recommendation and has suggested that RBI should lay down regulations, that would bind the collection, usage and sharing of data, by participants in the payments arena,” the official said.
In April this year, the RBI directed all payments service providers to ensure that the data relating to payment systems operated by them were stored only in India. This came into effect in October 2018.
In July this year, a panel headed by Justice B.N. Srikrishna submitted the draft personal data protection bill 2018. The draft bill proposed that critical personal data of Indian citizens be processed in a data centre located within the country. Additionally, it also recommended penalties on the data processor for any violation of the data protection law, besides talking about “explicit consent” and individual rights such as right to be forgotten, right of correction, updation, and data portability.
Published - December 05, 2018 12:00 am IST