Data privacy in the banking sector: striking a balance

Updated: May 30, 2017

Manisha Shroff
Nikita Nehriya
Praneetha Vasan

With the increased intervention of technology in the banking sector globally, the need for sophisticated laws to protect customer information has gained significant attention. While several countries have enacted comprehensive legislation to protect customers’ sensitive information, some countries are still in the process of introducing legislation to keep up with the changing pace of technology. In India, banks are regulated by the Reserve Bank of India (RBI), and the RBI, through various notifications, circulars, directions and guidelines issued from time to time, obligates banks to maintain customer confidentiality and protect the privacy of customers’ data.

The government of India also introduced the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 with the aim of creating robust legislation that would protect customers’ sensitive personal data by allowing banks to release such data only when the customer has explicitly consented to the disclosure. The Rules also permit banks to collect sensitive personal information only for lawful purposes connected with the function or activity of the bank, and only when the collection of the information is necessary for that purpose.

However, while providing the necessary protection to customers, there is also a need to ensure that banks are not victimized, through no fault of their own, by being unable to recover their debts from defaulting customers. To meet this end, the Credit Information Companies Act, 2005 (CIC Act) was introduced in India in 2005. Credit Information Companies (CICs) are independent third-party organizations that provide credit information to banks and financial institutions and assess the creditworthiness of individuals based on their past repayment and default records. Through such information, banks can determine whether they should provide credit facilities to a client. A CIC is required to furnish information to its members and has to maintain the principles of privacy enumerated under Section 20 of the CIC Act. No information received under the CIC Act by a CIC shall be disclosed to any person other than the specified user, or by the specified user to any other unauthorized person, unless permitted or required by law. A borrower is also guaranteed a certain amount of protection under the CIC Act. A borrower seeking credit may request the credit institution to provide a copy of the information obtained from the CIC, and in case of any error in the information provided, he can request the CIC to update or correct the information.

Despite these protections being available under Indian law, judicial pronouncements show a clear lack of enforcement. The need for comprehensive legislation regulating banks with respect to data privacy was evidenced in the case of Punjab National Bank v Rupa Mahajan Pahwa (IV (2015) CPJ 620 (NC)), in which Punjab National Bank had issued a duplicate passbook of a joint savings bank account, held between the petitioner and her husband, to an unauthorized person. The Delhi State Consumer Disputes Redressal Commission, while awarding compensation to the petitioner, held that there was a deficiency on the part of the bank in issuing the passbook and passing on other information that was not to be disclosed to another person. Another case in which the Court held that the bank had been negligent in handling sensitive data, and hence awarded compensation to the customer, is Umashankar Shivasubramanian v. ICICI Bank. In this case, the customer received an email purporting to come from ICICI Bank requesting certain information. Since ICICI Bank had a practice of sending routine emails to its customers, the customer responded to the email with his details. After this, money was debited from his account to another account holder with ICICI Bank and was withdrawn immediately from that account. The bank claimed that it had not sent the email in question, that it was a case of phishing, and hence that it was not liable. The Adjudicating Officer before the Judicature of Chennai, however, held that the bank had failed to put in place a foolproof internet banking system with adequate levels of authentication and validation, and that know-your-customer norms had also been violated. The case is, however, still pending before the Cyber Appellate Tribunal. The above two cases are a clear indication of the poor enforcement mechanism of the prevailing data protection laws.

Recently, with the introduction of the Insolvency and Bankruptcy Code, 2016 (the Code), a new concept, the Information Utility (IU), was brought into the picture and subsequently notified with effect from 1 April 2017. An IU under the Code is an infrastructure facility which, like a CIC, is to create a financial information database of all entities availing credit in the country, with the aim of enabling better decision making by creditors and ensuring discipline among debtors. To ensure data privacy, IUs are required to store all the information received in a facility located in India and must have high-quality data storage systems to avoid loss or corruption of data. The information stored with an IU can be accessed only by certain specific categories of persons, which include, inter alia, any user who submitted the information, the National Company Law Tribunal, insolvency professionals and the Insolvency and Bankruptcy Board of India. With the introduction of IUs, it can be seen that the Indian legislature is making an effort to ensure creditor protection as well as sensitive data protection. However, as mentioned earlier, since enforcement of data protection has been tenuous in the past, the working of IUs needs to be carefully monitored.

Compared to data privacy laws in other countries, India is lagging quite far behind. With the approval of the General Data Protection Regulation (GDPR) in the European Union (EU), which is scheduled to come into force in May 2018, the data privacy framework of the EU remains amongst the finest in the world. The GDPR seeks to ensure that personal data can be gathered legally only under strict conditions and for a legitimate purpose. There are also provisions requiring that any breach of privacy be notified by the data controller to the supervisory authority within 72 hours.

Many believe that even in comparison to other Asian countries, such as South Korea, which in 2016 strengthened its data privacy laws by imposing stricter penal provisions for violations, and Singapore, which protects privacy under the Personal Data Protection Act, India lags behind. Considering that India is amongst the fastest-growing financial markets, with an astounding number of consumers, sustainable and appropriate measures must be given effect to attain a balance between the interests of financial institutions and the rights and privacy of customers.

  • Manisha Shroff is partner, Nikita Nehriya is senior associate and Praneetha Vasan is associate at Khaitan & Co, one of the oldest law firms in India.