Introduction
The Digital Personal Data Protection Act, 2023 (hereinafter referred to as the “DPDPA” or “the Act”) alters how India looks at data privacy and compliance frameworks. One of the most talked-about provisions of the Act is per-transaction, or granular, consent, which requires that a user provide explicit consent for each and every transaction taking place on a digital payment platform. Although this provision aims at reinforcing the principles of user control and informed consent, it has raised concerns about its practicality and the impact it may have on the tech-finance ecosystem.
Providers of digital payment services, including Google Pay and PhonePe, as well as the National Payments Corporation of India (hereinafter referred to as the “NPCI”), have applied for exemptions from this rule, claiming it may severely disrupt transaction flow and user experience. These stakeholders contend that the undue burden of this level of consent may result in ‘consent fatigue’, which in turn decreases the efficiency and ease that come with digital payments, stunting the growth of India’s fintech industry. A compliance paradox has emerged in policy circles, stemming from the need to balance compliance requirements with business considerations.
With the industry consultations underway, it is of utmost importance that fintech firms evaluate the compliance burden of the provision, identify the legal risks it poses, and devise ways of mitigating the risks of non-compliance. This blog will provide an overview of the requirements for the legislative framework, emphasize the disruptive operational impacts, and outline an adaptation strategy for digital payment providers aimed at ensuring compliance with the Act’s per-transaction consent framework.
Regulatory Context And Industry Representations
The DPDPA was enacted to empower individuals with actionable control over their data, including establishing clear accountability for data fiduciaries. Section 6 of the Act specifies that consent must be given freely and be informed, specific, unconditional, and unambiguous. Furthermore, it must be accompanied by a clear affirmative action from the data principal. Such consent must also be auditable and revocable with ease.
In the case of digital payment methods, especially within the context of low-value and high-frequency transactions, this requirement is paradoxical from an operational viewpoint. Take for example a scenario where users have to provide explicit consent for every UPI payment or every auto-debit. This friction runs counter to the user experience model of digital payment ecosystems. This has led NPCI and other fintech service providers to seek either a blanket regulatory pause for low-value or recurring transactions or the implementation of layered, dynamic consent that offers a middle ground between compliance and convenience.
The sector has compared the provision with other frameworks, such as the European Union’s General Data Protection Regulation (hereinafter referred to as the “GDPR”), which allows layered consent mechanisms, and Singapore’s Personal Data Protection Act (hereinafter referred to as the “PDPA”), which recognizes deemed consent. These comparisons have been used to argue that a strict per-transaction consent framework is neither practical nor in line with global best practices.
Operational Disruptions and Privacy Risks
Fintech companies are particularly worried about how per-transaction consent will disrupt their operational workflows. Since digital payments are designed for speed, adding mandatory consent prompts before every transaction will result in a considerable drop in transactions and a rise in transaction failures. This will damage user experience and transaction volume across the entire ecosystem.
There are also serious compliance risks that come with a lack of consent mechanisms. With no clear regulatory exclusions, fintechs would have to design their systems to track every consent, adding extensive backend work for consent lifecycle management and revocation mechanisms. Additionally, payment platforms that lack consent management frameworks will be exposed to enforcement actions from the Data Protection Board on non-compliance claims made by users.
Fintech platforms, merchants, and users would be pulled into legal disputes if standing instructions for loan repayments, subscription payments, or recurring utility payments are treated as fresh transactions that need renewed consent each time. This would open a new area of risk by allowing recurring transaction failures.
Compliance Strategies For Fintechs
In the absence of formal carve-outs, fintech companies need to take a compliance-oriented approach that balances the legal requirements with how operations function on the ground. The first step towards this objective is the creation of layered consent frameworks. Rather than requiring explicit consent for each micro-interaction, the baseline consent necessary for broad payment processing can be obtained at the onboarding stage. Following that, layered consents can be context-specific and triggered for high-value interactions or interactions involving sensitive personal data.
Fintech companies need to ensure that they are working towards building Dynamic Consent Manager frameworks. This spans the complete range of consent APIs, synced with NPCI’s consent management frameworks. Dynamic consent management also implies the ability to log consent in real time and to maintain non-tamperable audit trails of consent. Fintech platforms are thus able to assure compliant frameworks while easing the friction that would arise from repetitive consents, through the automation of obtaining consent.
Another recommendation on the practical side focuses on the deployment of fallback notice frameworks. Rather than requiring explicit consent for every micro-interaction and transaction, platforms can issue clear and simple post-transaction notifications that confirm the consent relied upon and give the user the option to opt out. This kind of methodology would possibly be in compliance with the prescribed requirements of the DPDPA while making sure that user experience is not compromised.
In addition to the above, fintech companies ought to conduct privacy impact assessments (hereinafter referred to as “PIAs”) to map the transaction flow, pinpoint data processing touchpoints, and assess compliance risk. This will enable them to put in place data minimization controls and design consent frameworks that are commensurate with the data risk associated with various transactions.
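To make the layered-consent, audit-trail and fallback-notice ideas above concrete, the following is an added example in Python; it is not code from AMLEGALS, NPCI or any payment platform. It assumes a constructed 5,000 INR threshold for “high-value” transactions, the purpose names and event kinds defined in the code, and a hash-chained in-memory log as the “non-tamperable” trail; none of these values come from the Act. Baseline consent is taken once at onboarding, a context-specific layer is triggered only for high-value or sensitive transactions, every decision and post-transaction notice is logged, and revocation immediately blocks further processing.

```python
"""Layered-consent ledger with a hash-chained audit trail (illustrative only)."""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Assumed values for illustration; the DPDPA sets no such threshold or names.
HIGH_VALUE_THRESHOLD_INR = 5000
BASELINE_PURPOSE = "payment_processing"
GENESIS_HASH = "0" * 64


@dataclass
class ConsentEvent:
    seq: int
    timestamp: str
    principal_id: str
    kind: str        # "grant", "revoke", "decision" or "notice"
    purpose: str
    detail: dict
    prev_hash: str
    hash: str = ""


class ConsentLedger:
    """Append-only consent log; each entry commits to the previous one by hash."""

    def __init__(self):
        self.events = []

    @staticmethod
    def _digest(ev):
        body = {k: v for k, v in asdict(ev).items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, principal_id, kind, purpose, detail):
        prev = self.events[-1].hash if self.events else GENESIS_HASH
        ev = ConsentEvent(len(self.events), datetime.now(timezone.utc).isoformat(),
                          principal_id, kind, purpose, dict(detail), prev)
        ev.hash = self._digest(ev)
        self.events.append(ev)
        return ev

    def grant(self, principal_id, purpose, scope):
        return self._append(principal_id, "grant", purpose, {"scope": scope})

    def revoke(self, principal_id, purpose):
        return self._append(principal_id, "revoke", purpose, {})

    def active_consent(self, principal_id, purpose):
        """The most recent grant/revoke for this principal and purpose decides."""
        state = None
        for ev in self.events:
            if ev.principal_id == principal_id and ev.purpose == purpose \
                    and ev.kind in ("grant", "revoke"):
                state = ev.kind
        return state == "grant"

    def evaluate_transaction(self, principal_id, tx_id, amount_inr,
                             sensitive_data=False, fresh_consent=False):
        """Layered decision: 'blocked', 'prompt' (needs a fresh layer) or 'proceed'."""
        ctx = {"tx_id": tx_id, "amount_inr": amount_inr, "sensitive_data": sensitive_data}
        if not self.active_consent(principal_id, BASELINE_PURPOSE):
            self._append(principal_id, "decision", BASELINE_PURPOSE, {**ctx, "outcome": "blocked"})
            return "blocked"
        needs_layer = amount_inr > HIGH_VALUE_THRESHOLD_INR or sensitive_data
        if needs_layer and not fresh_consent:
            self._append(principal_id, "decision", "layered", {**ctx, "outcome": "prompt"})
            return "prompt"
        if needs_layer:  # record the transaction-scoped layer that was just given
            self._append(principal_id, "grant", "layered", {**ctx, "scope": "this transaction only"})
        self._append(principal_id, "decision", BASELINE_PURPOSE, {**ctx, "outcome": "proceed"})
        # Fallback notice: post-transaction confirmation with an opt-out offered
        self._append(principal_id, "notice", BASELINE_PURPOSE, {**ctx, "opt_out_offered": True})
        return "proceed"

    def verify_chain(self):
        """Recompute every hash; any edited or reordered entry breaks the chain."""
        prev = GENESIS_HASH
        for i, ev in enumerate(self.events):
            if ev.seq != i or ev.prev_hash != prev or self._digest(ev) != ev.hash:
                return False
            prev = ev.hash
        return True


def demo():
    """Constructed walk-through: onboarding grant, four transactions, revocation."""
    ledger = ConsentLedger()
    ledger.grant("dp-001", BASELINE_PURPOSE, "UPI payments initiated by the user")
    outcomes = [
        ledger.evaluate_transaction("dp-001", "tx-1", 250),
        ledger.evaluate_transaction("dp-001", "tx-2", 12000),
        ledger.evaluate_transaction("dp-001", "tx-2", 12000, fresh_consent=True),
        ledger.evaluate_transaction("dp-001", "tx-3", 90, sensitive_data=True),
    ]
    ledger.revoke("dp-001", BASELINE_PURPOSE)
    outcomes.append(ledger.evaluate_transaction("dp-001", "tx-4", 250))
    return ledger, outcomes


if __name__ == "__main__":
    ledger, outcomes = demo()
    print(outcomes, "chain intact:", ledger.verify_chain())
```

In a production system the chain head would be anchored outside the application (for example, periodically written to a write-once store or signed), since an attacker who can rewrite the whole list can also recompute every hash; the in-memory chain here only shows how an auditor detects edits to individual entries.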
Most importantly, regulatory engagement is crucial. Fintechs ought to join industry consultations with NPCI, MeitY, and other concerned bodies to push for workable compliance frameworks, including possible moratoriums or waivers for some classes of transactions.
Legislative Landscape and Global Parallels
India is not the first to grapple with the balance between compliance with data privacy regulations and operational efficiency. In the European Union, GDPR requires consent to be given, but allows for multi-layered consent that minimizes interruption. Likewise, Singapore’s PDPA allows deemed consent for payment servicing in cases where consent for every transaction would be impractical.
The United Kingdom’s Information Commissioner’s Office (hereinafter referred to as the “ICO”) has also pointed out the importance of context in consent and its management, for cases where consent is built into the operational framework of the service with the possibility to withdraw it at any time. These approaches demonstrate that a consent framework balancing user rights and operational needs is achievable and beneficial. For India, adopting such approaches would reconcile fintech agility with user privacy protections. Without them, India risks the abrupt and unintended consequence of a regulatory framework that deters the adoption of digital payments, which would be in direct contradiction to the government’s aim of a cashless economy.
AMLEGALS Remarks
The concern around per-transaction consent under the DPDPA demonstrates the implementation gap in privacy legislation: a provision can be legally sound yet pose significant operational challenges for businesses. NPCI and leading fintechs certainly have valid points that warrant regulatory attention, but the responsibility to prepare for compliance lies with the fintechs.
It is advisable that fintech companies, in this case, adopt a more active compliance stance by implementing layered consent frameworks, developing consent manager systems, executing fallback notice mechanisms, and performing privacy risk evaluations frequently. Alongside, fintechs must continue to engage with other stakeholders and regulators to develop a more reasonable consent framework that respects user privacy without undermining transaction fluidity.
There are no clear instructions from the government, nor is there a formal notice of operational exemptions. But for early-acting fintechs, embracing consent governance as a competitive edge will be the most advantageous strategy, particularly for those looking to foster user confidence and regulatory alignment in a fluid environment.
– Team AMLEGALS
For any further queries or feedback, feel free to reach out to laksha.bhavnani@amlegals.com or hiteashi.desai@amlegals.com