
Towards a CBDC-Friendly Data Protection Regulation

~Shreya Ramann*

 

Abstract


The rapid pace of innovation has resulted in an associated increase in regulation of technology. In this context, a coordinated approach between regulators is critical to avoid conflicts between multiple digital frameworks. This article assesses the impact of the IT Ministry's proposed Digital Personal Data Protection Bill, 2022 on the roll-out of the RBI's Indian Central Bank Digital Currency (CBDC). It argues that a harmonious approach must be adopted to ensure that privacy regulations support, rather than hinder, the use and operation of a CBDC regime.


Introduction


India’s digital ecosystem is evolving rapidly, with a range of new technologies and policies being developed in parallel, each with wide-reaching implications. A critical development is the recent release of the Digital Personal Data Protection Bill, 2022 (DP Bill) by the Ministry of Electronics and Information Technology (MEITY), which reflects India’s new approach to data governance. While not yet in its final version, it provides a clear indication of the principles and compliances that can be expected when it is passed. Separately, the Reserve Bank of India (RBI) has released a Concept Note on the introduction of a Central Bank Digital Currency (CBDC) i.e. the Digital Rupee. It subsequently launched a pilot programme wherein Digital Rupee tokens are issued by the RBI and distributed by intermediaries like banks, who provide wallet services and conduct user-facing functions such as due diligence and grievance redressal. While the Digital Rupee pilots are currently only intended to test the new technology, they provide a clear picture of the future of digital currency in India.


These developments cannot be analysed in isolation, as both regimes are directly connected. CBDC payments are digitally recorded and, as a result, will generate huge amounts of user data. This will include financial and transaction data which will inevitably be governed by the DP Bill. The RBI’s Concept Note recognises this and specifically addresses the ways in which the Digital Rupee can ensure privacy and data protection. While a privacy-promoting Indian CBDC is important, it is also critical to examine how privacy regulations may impact the functioning of the Digital Rupee. Such an analysis can inform the further development of both frameworks to ensure a data protection regime that supports, rather than hinders, a new digital currency ecosystem.


Applicability


The DP Bill applies to the processing of digital personal data, either collected online or collected offline and digitized.[1] It will therefore govern all personal data generated from Digital Rupee transactions and wallets, including the details of the user, transaction details, financial and account details etc. That said, there may be exceptions based on how the Digital Rupee is designed. For instance, the RBI is considering various privacy measures for the Digital Rupee, including tiered anonymity.[2] This mechanism requires users to be identifiable only above a certain transaction limit. Provided that the anonymisation techniques conform to prescribed standards, all data that is generated in relation to Digital Rupee transactions that fall below the prescribed limit would be anonymous and would fall outside the purview of the DP Bill.


The DP Bill also applies to the processing of digital personal data outside the territory of India in relation to goods or services offered to data principals in India [3]. On this basis, it may apply to cross-border transactions where foreign entities process CBDC transactions involving users in India. The applicability of the DP Bill to cross-border payments will remain unclear until the RBI tells us how the Digital Rupee will be used internationally. For instance, if the RBI permits individuals in India to hold and transact in foreign CBDCs, foreign central banks that process these transactions will be made subject to the DP Bill.


Identifying Data Fiduciaries


A pivotal question in this analysis is the identification of the data fiduciary in relation to the data generated from the use of the Digital Rupee. Data fiduciaries under the DP Bill are entities that decide the purpose and means of data processing.[4] They are subject to various compliances such as obtaining consent[5], implementing security measures[6], and responding to requests for data access and erasure.[7] Since it is integral to the functioning of the economy, Digital Rupee is likely to be considered vital national infrastructure, similar to India’s banking system. As such, any entity that is considered a data fiduciary is likely to be classified as a Significant Data Fiduciary[8] and made subject to heightened compliances like appointing a Data Protection Officer[9] and an independent data auditor[10], and conducting periodic data protection impact assessments[11].


The CBDC architecture adopted by the RBI may impact the classification of a data fiduciary. The Concept Note contemplates various models of operations and specifies the most suitable model as one where the RBI only records wholesale bank-level transaction data on its ledger, while banks only record granular retail transactions.[12] In such a situation, banks are likely to be classified as data fiduciaries since the RBI will hold aggregated data and will not have access to any user-related personal data. Another model described in the Concept Note involves both the RBI and intermediaries recording retail transactions on their ledgers, since this provides more security to the end-user and protects them against bank insolvency and financial crises.[13] This is a more popular model and is being adopted by most central banks. Depending on which model is ultimately adopted, one could argue that a Digital Rupee is issued by the RBI and banks only collect and process user data on its behalf. It is likely that the RBI will prescribe the broad purposes for which banks can process this data, in which case it may be considered a data fiduciary and the banks would merely be data processors.[14] This classification has serious implications since data fiduciary obligations would place a host of new user-centric responsibilities on the RBI which it is presently not equipped to take on. Significant financial and human capital resources would need to be invested into expanding the RBI’s present capacity to be able to meet the compliance requirements of a data fiduciary.


Obtaining Consent


The identified data fiduciary will need to obtain consent from the user before they process any personal data. Banks presently obtain consent during onboarding, similar to other financial services, and it would therefore be easy for them to do so in the case of the Digital Rupee as well. However, if the RBI is the data fiduciary, it will need to develop means for banks to collect consent on its behalf, since it does not intend to have a direct relationship with the end-user. Even if it does not directly collect consent, the RBI will be responsible for managing the consent, including any consent withdrawals.


However, consent may not be required if data can be collected through the deemed consent provision of the DP Bill.[15] The identified data fiduciary may choose to rely on deemed consent where data is reasonably expected to be provided[16]. It may be argued that when a person transacts using the Digital Rupee, there is a reasonable expectation that transaction data will be collected. Deemed consent can also be relied on for the provision of any service or benefit by the State[17], and therefore may be applied to any personal data collected through RBI-issued digital currencies. Deemed consent has the potential to dilute the privacy protections around Digital Rupee use by eliminating the need for explicit consent, and for this reason, any reliance on this provision for Digital Rupee transaction data must be justified and well thought through.


Cross-border transactions


The RBI is considering the use of CBDCs to create a more efficient international payment ecosystem.[18] It recently entered into an agreement with the Central Bank of UAE for a proof-of-concept for interoperable cross-border CBDC transactions between the two countries.[19] Cross-border CBDC payments are likely to involve continuous and large-scale transfers of transaction data between India and other nations. The DP Bill allows data transfers to a specific set of countries[20], by either notifying permitted nations or notifying a blacklist of nations to whom data cannot be sent. Once it has been notified, any alteration in this list has the potential to cripple the operations of individuals and entities who make or receive CBDC payments from a de-notified country. In particular, the operations of MNCs and group companies will be severely disrupted. In this context, the process of amending this list must be subject to rigorous checks, since any changes would affect the Indian economy and businesses in particular.


The DP Bill also gives the government the power to completely exempt instruments of the State from the ambit of the DP Bill in the interest of sovereignty and integrity.[21] When used indiscriminately, such an exemption could give rise to concerns around state surveillance. This may affect India’s participation in cross-border CBDC linkages which involve multi-jurisdictional data transfer. Jurisdictions like the EU require countries to meet certain standards prior to permitted data transfers, with safeguards against government surveillance being one such standard. Providing the government with wide powers over CBDC data, without any data protection obligations, may restrict India’s eligibility to receive foreign data, thereby restricting its participation in the global CBDC ecosystem.


Way Forward


It is clear that an analysis of these two regimes throws up more questions than answers, with many more likely to arise as we unravel their nuances. One advantage that policymakers have is that both the DP Bill and Digital Rupee are in the development stage. The MEITY and the RBI therefore have the opportunity to consider such questions and harmonise their policy-making efforts to ensure that India has a privacy-safe CBDC, along with a robust privacy law that supports emerging technologies.

 

*Shreya Ramann is a lawyer and public policy professional. She is currently a consultant at Trilegal as part of the technology, media, and telecommunications practice group.


References

[1] Section 4, DP Bill
[2] Section 4.3.5, RBI Concept Note
[3] Section 4(2), DP Bill
[4] Section 2(5), DP Bill
[5] Section 6(2), DP Bill
[6] Section 9(4), DP Bill
[7] Section 12 and Section 13, DP Bill
[8] Section 11, DP Bill
[9] Section 11(2)(a), DP Bill
[10] Section 11(2)(b), DP Bill
[11] Section 11(2)(c), DP Bill
[12] See Section 4.3.2 (Indirect Model), RBI Concept Note
[13] See Section 4.3.2 (Hybrid Model), RBI Concept Note
[14] Section 2(7), DP Bill
[15] Section 8, DP Bill
[16] Section 8(1), DP Bill
[17] Section 8(2), DP Bill
[18] Section 3.3.4, RBI Concept Note
[19] https://newsonair.gov.in/News?title=RBI-and-Central-Bank-of-UAE-sign-MoU-to-promote-innovation-in-financial-products-and-services&id=457553
[20] Section 17, DP Bill
[21] Section 18(2), DP Bill
[22] Article 45(2)(a), General Data Protection Regulation (GDPR)


