Data Privacy Issues in Mobile Banking and Wallets: Navigating the Digital Financial Frontier

Author: Arun Kumar Gupta, University of Lucknow


Introduction

In December 2023, a major digital wallet company faced a data breach affecting over 3 million users, exposing sensitive financial information. With over 400 million users of UPI and digital wallets handling transactions worth ₹125 lakh crores annually, protecting personal financial data has become critical. Mobile banking offers convenience and financial inclusion but raises significant privacy challenges.


Background

India’s digital payment growth accelerated after demonetization (2016) and the launch of UPI. COVID-19 further boosted usage, making mobile banking a daily necessity.


Legal Framework
  • Digital Personal Data Protection Act, 2023: Governs data collection, consent, and processing.

  • RBI Guidelines: Focus on payment security, data localization, and cybersecurity.

  • IT Act, 2000: Covers data breaches and penalties.

Recent regulatory developments include stricter digital lending rules and the establishment of the Data Protection Board.


Analysis

Challenges in Compliance:

  • Consent and Purpose Limitation: Financial apps collect extensive data for multiple purposes, making granular consent difficult.

  • Data Localization & Cross-Border Transfers: RBI rules require domestic storage; international operations create compliance challenges.

  • Technological Challenges: AI-driven fraud detection and personalized services conflict with data minimization principles.


Case Law
  • Justice K.S. Puttaswamy (2017): Privacy is a fundamental right, including financial data.

  • Shreya Singhal (2015): Digital rights and government regulation apply to financial platforms.


Key Issues
  • Consent Fatigue: Users accept terms without understanding them.

  • Data Breach Response: Notification timelines are unclear for large-scale breaches.

  • Third-Party Integrations: Partnerships increase privacy risks.

  • Regulatory Fragmentation: Overlapping RBI, IT Act, and Data Protection Act requirements create compliance challenges.


Suggestions / Way Forward
  • Legal Reforms: Sector-specific privacy rules under RBI; harmonized enforcement; risk-based consent models.

  • Technological Solutions: Privacy-preserving technologies, user-friendly privacy dashboards, automated compliance tools.

  • Industry Practices: Privacy impact assessments, data minimization, standard breach response protocols.

  • Consumer Awareness: Financial privacy literacy campaigns and specialized dispute resolution.


Conclusion 

Mobile banking and wallets have transformed India’s financial landscape, but data privacy risks are significant. Strengthened laws, coordinated regulation, and technology-driven solutions are needed to protect citizens while fostering innovation. Robust privacy protections will maintain trust in India’s digital financial ecosystem.


References

Statutes

  •  Banking Regulation Act, No. 10 of 1949, Acts of Parliament (India).

  •  Digital Personal Data Protection Act, No. 22 of 2023, Acts of Parliament (India).

  •  Information Technology Act, No. 21 of 2000, Acts of Parliament (India).

  •  Payment and Settlement Systems Act, No. 51 of 2007, Acts of Parliament (India).


RBI Guidelines

  •  Reserve Bank of India, Directions for Storage of Payment System Data (Apr. 6, 2018).

  •  Reserve Bank of India, Guidelines on Regulation of Payment Aggregators and Payment Gateways (Mar. 17, 2020).

  •  Reserve Bank of India, Master Direction on Digital Payment Security Controls (Feb. 18, 2021).


Case Laws

  •  Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors., (2017) 10 SCC 1 (India).

  •  Shreya Singhal v. Union of India, (2015) 5 SCC 1 (India).


Reports

  •  NASSCOM, Report on Data Privacy (2023).

  •  Reserve Bank of India, Report on Digital Payment Security (2023).



