Sebi mulls data privacy policy
The Securities and Exchange Board of India (Sebi) will be coming up with a special policy to ensure data privacy for investors.
Sources say the regulator is working on standard procedures for sharing and storing of investor data among market intermediaries and third parties. The move comes at a time when the clamour for strict data privacy laws is growing louder with other regulatory agencies, including the Reserve Bank of India, making efforts to address concerns.
The proposed framework will focus on ensuring privacy of investor data. The development assumes significance as the amount of sensitive data collected by market intermediaries has gone up significantly in the recent past. The policy will also set a strict protocol for sharing of investor data and address concerns raised by overseas investors, said people with knowledge of the development.
“The central government is already working on an overarching data protection law, which would apply to all the institutions. However, there are also specific sectoral requirements for which the respective regulators can come up with regulations and guidelines. Further, the markets also witness cross-border flow of information as foreign institutions are a vital part of the market ecosystem. In such a scenario, our data laws should also be in line with the laws in other jurisdictions, especially that of Europe,” said Prasanth Sugathan, legal director, Software Freedom Law Centre, India.
Last year, Sebi had made submission of Aadhaar details mandatory for all investors. Brokerages have been collecting Aadhaar details along with fingerprints for verification since then. Further, Sebi is planning to entrust additional responsibilities on brokers through measures such as ‘product suitability’ framework and ‘affordability index’. In these frameworks, brokerages will be assigned the responsibility to evaluate the financial status of their clients by assessing their bank accounts and income tax filings. A lot of this is highly sensitive data.
Further, most of the brokerages have a diversified business profile as they provide services such as mutual fund distribution, margin financing, and insurance broking. In such a scenario, there is a need for laws to specify how the investor data is shared, what sort of consent has to be taken from the clients, and also what are the exceptions for the consent.
“The current data privacy guidelines look sketchy as there are no specified procedures in many of the scenarios. Further, several of these rules are not in tune with the current technological advancements. Any potential leak could impact millions of investors,” said a source.
Another key area of concern remains how the data of foreign portfolio investors (FPIs) is stored. Several new data privacy laws have come into effect in the developed countries across the world. The European Union (EU) has adopted a new framework called General Data Protection Regulation (GDPR). Indian laws have to be in sync with such laws since the EU is the second-largest source of FPI flows for India after the US.
“The current Indian rules are not in sync with the global data privacy laws. This could lead to conflicting situations where custodians are not sure whether to follow the Indian norms or follow the local norms of the FPI. In such scenarios, Sebi should provide some leeway to the custodians since they are trying to abide by statutory requirements,” said Tejesh Chitlangi, partner, IC Universal Legal.
For instance, the GDPR law has brought the concept of ‘right to be forgotten’ where an individual has the right to request erasure of personal data. However, there are no corresponding provisions in the Indian law to facilitate such a right.
The Indian market regulator had revamped the FPI regulations in 2014 giving custodians the mandate to collect and verify the know-your-customer (KYC) documentation of the offshore investors. Currently, several stakeholders, including Sebi, brokerages, and stock exchanges, have partial access to the KYC data. “The current data privacy guidelines look sketchy as there are no specified procedures in many of the scenarios. Further, several of these rules are not in tune with the current technological advancements. Any potential leak could impact millions of investors,” said a source.
Another key area of concern remains how the data of foreign portfolio investors (FPIs) is stored. Several new data privacy laws have come into effect in the developed countries across the world. The European Union (EU) has adopted a new framework called General Data Protection Regulation (GDPR). Indian laws have to be in sync with such laws since the EU is the second-largest source of FPI flows for India after the US.
“The current Indian rules are not in sync with the global data privacy laws. This could lead to conflicting situations where custodians are not sure whether to follow the Indian norms or follow the local norms of the FPI. In such scenarios, Sebi should provide some leeway to the custodians since they are trying to abide by statutory requirements,” said Tejesh Chitlangi, partner, IC Universal Legal.
For instance, the GDPR law has brought the concept of ‘right to be forgotten’ where an individual has the right to request erasure of personal data. However, there are no corresponding provisions in the Indian law to facilitate such a right.
The Indian market regulator had revamped the FPI regulations in 2014 giving custodians the mandate to collect and verify the know-your-customer (KYC) documentation of the offshore investors. Currently, several stakeholders, including Sebi, brokerages, and stock exchanges, have partial access to the KYC data.