User Insights on Digital Financial Data Sharing in India — A Research Report by Silence Laboratories

Pitamber Kaushik
Silence Laboratories
34 min read · Jun 25, 2024

Silence Laboratories conducted a survey of 200 respondents in order to gauge user perception, attitudes, and preferences about digital data sharing in the context of the Indian financial services ecosystem.

Context

Policy Context

Overview of Regulatory Milestones in India

  • The Right to Information Act (2005): This Act empowers Indian citizens to access information held by public authorities. While not directly focused on financial data sharing, the Act sets a precedent for user rights to access information, which can be extended to their financial data held by institutions.
  • The Information Technology Act (2000) and Information Technology (Amendment) Act (2008): These Acts establish a legal framework for electronic transactions and data protection in India. They outline regulations around data collection, storage, and disclosure, and mandate the appointment of a Data Security Officer (DSO) by organizations handling sensitive personal data. However, these Acts have been criticized for their limited scope and lack of specific guidelines on user consent and data breach notification requirements.
  • The Aadhaar Act (2016): This Act established a national unique identification program in India, assigning a unique identification number (UID) to Indian residents, potentially making it easier for financial institutions to verify identities and share customer data with each other. However, this also raises concerns about increased data sharing without proper safeguards. The Aadhaar system centralizes a massive amount of personal data, making it a prime target for cyberattacks. There is also a prevalent lack of clarity among Aadhaar-enrolled citizens about how their Aadhaar data is being stored and used. While the Aadhaar Act itself doesn’t directly focus on data protection, its implementation and the concerns around data security and privacy it raised have significantly contributed to the discussions leading up to the DPDPA.
  • Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors (2017): This landmark Supreme Court judgement explicitly recognized the right to privacy as a fundamental right under Article 21 of the Indian Constitution. This judgement has significant implications for data protection in India, as it empowers users with greater control over their personal information.
  • Digital Personal Data Protection Act (2023): This Act establishes a comprehensive framework for data protection in India. The Act created a Data Protection Authority (DPA) to oversee data governance, mandates user consent for data collection and processing, and outlines obligations for data fiduciaries (organizations collecting and processing data) on data security, breach notification, and user rights. While the Act focuses on user consent and data minimization, concerns have been raised regarding its potential impact on innovation and data localization requirements.

Key Opportunities and Challenges Presented by the Digital Personal Data Protection Act of 2023

India’s digital data landscape is undergoing a significant transformation with the recent introduction of the Digital Personal Data Protection Act (DPDPA) of 2023. This legislation aims to establish a framework for handling digital personal data, including user data shared for financial purposes.

The DPDPA enforces stricter user consent for data processing. Financial institutions that rely on user data for credit scoring, fraud prevention, or personalized financial products will need to obtain clear, verifiable consent from users before collecting or processing their data. This empowers users with greater control over their financial information and fosters trust within the financial ecosystem.

However, the DPDPA’s approach to consent has limitations. The Act doesn’t explicitly define “meaningful consent,” leaving room for ambiguity in how financial institutions obtain user consent. Vague or pre-checked consent boxes could still disadvantage users, potentially hindering their ability to make informed choices about data sharing.

The Digital Personal Data Protection Act (DPDPA) of 2023 represents a significant shift from previous data privacy legislation in India. Unlike the 2019 PDP Bill, the DPDPA loosens restrictions on transferring data across borders, allowing it to flow freely to certain government-approved countries. However, this freedom comes with the caveat that the specific criteria for approval remain undisclosed by the Data Protection Board. This lack of transparency around international data transfers creates uncertainty for Indian users. If data is transferred to countries with weaker data protection laws, users risk losing control over their information and facing potential misuse. This could be particularly concerning for financial data, as it is highly sensitive and could be exploited for financial crimes like identity theft.

Some experts see a fundamental misunderstanding in the DPDPA’s stated objectives. By prioritizing individual control over data privacy over information security, they argue, the Act conflates the concept of informational privacy with a narrower focus. This raises questions about whether the DPDPA adequately fulfills the original purpose envisioned in the Right to Privacy verdict of the Supreme Court. Even with user consent, data breaches can still occur. If the DPDPA prioritizes user control over robust security measures, data security practices by financial institutions might be weakened. This could make financial data more vulnerable to hacking attempts, leading to financial losses for users.

Another area of concern is the DPDPA’s applicability to offline data. Currently, the Act only regulates digitally collected information. This creates a gap, as financial institutions often collect personal information through physical forms or interactions. Without clear guidelines for handling offline data, the DPDPA’s effectiveness in protecting user privacy across all touchpoints remains limited.

The Act’s exemptions for government agencies also raise concerns. While the government argues these exemptions are necessary for national security and investigations, they could potentially be misused to access user data without proper oversight. This lack of transparency could discourage users from sharing financial information electronically, hindering efforts to promote financial inclusion.

The DPDPA’s provisions on cross-border information sharing within the fintech sector present a double-edged sword. On the one hand, it facilitates smoother international transactions and allows financial institutions to perform robust KYC (Know Your Customer) checks, mitigating the risk of fraud and money laundering. This can foster trust and stability in cross-border fintech activities. However, concerns remain. Stringent data localization requirements, if implemented under the DPDPA, could create friction for international fintech companies. Additionally, clear mechanisms for secure data transfer and robust data protection standards across borders will be crucial to ensure user privacy isn’t compromised while enabling the benefits of cross-border information sharing in the dynamic world of fintech.

Looking beyond the DPDPA, user awareness remains a critical factor in data security. While the Act mandates informing users about their data rights, the onus also falls on financial institutions to educate users about data collection practices and potential risks. Promoting financial literacy and educating users about data security best practices will be crucial in building trust and encouraging responsible data sharing habits.

The DPDPA thus represents a positive step towards regulating data privacy in India, particularly for financial data. However, for it to be truly effective, the Act’s provisions on user consent, applicability to offline data, and government exemptions need further refinement. Additionally, fostering user awareness about data security practices will be essential to ensure the success of the DPDPA and promote a secure digital financial ecosystem in India.

Overview of Global Regulatory Context

The digital age has ushered in an era of unprecedented data collection, storage, and sharing. As our lives become increasingly intertwined with the online world, concerns about data privacy and security have risen dramatically. To address these concerns, various countries and regions have implemented regulations aimed at protecting user data and fostering trust in the digital ecosystem. Some notable regulations from around the world are as follows:

General Data Protection Regulation (GDPR): A landmark regulation, the GDPR (2016) has become a gold standard for data privacy globally. Implemented in May 2018, it aims to give control to individuals over their personal data and simplifies the regulatory environment for international business by unifying the regulation within the EU. It grants individuals extensive rights over their personal data, including the right to access, rectify, erase, and restrict processing. It also mandates clear and informed consent for data collection and robust data security measures by organizations. The GDPR applies to any organization processing the personal data of individuals residing in the EEA, regardless of the organization’s location. It strengthens individual rights regarding access, rectification, erasure, restriction of processing, and portability of their data. Organizations must have a lawful basis for processing data, obtain clear and unambiguous consent, and implement appropriate technical and organizational measures to ensure data security. The GDPR also introduces mandatory breach notification requirements and imposes significant fines for non-compliance.

California Consumer Privacy Act (CCPA): Following the GDPR’s lead, California enacted the CCPA in 2018. The law, which came into force on January 1, 2020, empowers users with the right to know what personal information is being collected, used, and sold by businesses, and to opt out of such sales. Consumers hold the right to request deletion of their information and to avoid service discrimination for exercising these rights. This law primarily applies to businesses exceeding specific thresholds for data collection or revenue generation. While not as comprehensive as the GDPR, the CCPA has spurred similar legislation in other US states. The CCPA has been further expanded by the California Privacy Rights Act (CPRA), which takes effect in 2023, granting additional rights such as data correction and limitations on data use.

Asia-Pacific Economic Cooperation (APEC) Privacy Framework: This non-binding framework (2004) establishes voluntary principles for data privacy protection. It focuses on transparency, accountability, individual participation, and security measures, encouraging member economies to develop their own data privacy laws. While not as prescriptive as regulations like the EU GDPR, the APEC Framework promotes a flexible approach, allowing economies to implement these principles within their existing legal structures. This fosters cross-border data flows within the region while encouraging consumer trust in the digital economy.

Singapore’s Personal Data Protection Act (PDPA): The PDPA (2012) emphasizes fair and transparent collection and use of personal data. It grants individuals rights to access and correct their data, and to withdraw consent. The PDPA balances individual control over their information with organizational needs. Businesses must obtain consent and ensure reasonable data security practices. Individuals have rights to access and correct their data, as well as opt out of marketing communications.

China’s Personal Information Protection Law (PIPL): The PIPL (2021) emphasizes national security and control over personal data. It grants individuals some rights but prioritizes government interests. It regulates how organizations collect, use, store, and transfer personal information. The law emphasizes transparency, purpose limitation, and data security. Individuals gain rights to access and correct their data, as well as withdraw consent. PIPL applies to both domestic and foreign entities handling Chinese citizens’ data, even outside China. Stricter rules govern data transfers and hefty fines punish violations.

Japan’s Act on the Protection of Personal Information (APPI): The APPI (2003, amended in 2015 & 2020) emphasizes individual control over personal data and data security. It’s considered robust but is still undergoing further revisions. It regulates how businesses handle personal data. Originally focused on consent and security measures, it underwent significant amendments in 2020. These changes brought APPI closer to the EU’s GDPR, strengthening individual rights. Now, individuals have more control over their data, with mandatory breach notifications and stricter requirements for transferring data outside Japan. Businesses also face increased penalties for non-compliance.

South Korea’s Personal Information Protection Act (PIPA): South Korea boasts a robust data privacy framework anchored by its Personal Information Protection Act (PIPA), enacted in 2011. PIPA governs the collection, use, and disclosure of personal data by both public and private entities. Known for its strictness, PIPA mandates clear consent for data collection and outlines specific purposes for data use. Individuals have extensive rights to access, rectify, erase, and restrict processing of their data. Following amendments in 2020 and 2023, PIPA now grants individuals the right to data portability and object to automated decision-making. The 2023 amendments also clarified regulations around using pseudonymized data. South Korea’s data privacy landscape extends beyond PIPA, with supplementary laws like the Act on the Use and Protection of Credit Information specifically addressing data handling in certain sectors.

UK General Data Protection Regulation (UK GDPR): Following Brexit, the UK adopted a near-identical version of the EU GDPR (2018). It grants individuals extensive rights over their data and imposes strict data security obligations on organizations. The UK GDPR largely mirrors the provisions of the EU GDPR, including rights of access, rectification, erasure, and restriction of processing. Since May 25, 2018, both the EU GDPR and the UK DPA (Data Protection Act) have been in effect. However, the UK introduced its own UK GDPR on January 1, 2021, in the wake of Brexit. The UK GDPR essentially aligns the EU GDPR with the UK’s legal framework and can include some additional requirements or exemptions compared to the original GDPR.

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA): Canada’s data privacy landscape is governed by a mix of federal and provincial laws. The primary federal legislation is the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to commercial transactions across provincial and national borders. PIPEDA emphasizes obtaining consent for personal data collection and outlines principles for its use and disclosure. However, Quebec has its own, more stringent law — Act 25. It requires stronger data security measures and grants individuals broader rights to access and control their information. New federal legislation, the Consumer Privacy Protection Act (CPPA), is expected to come into effect in 2023. The CPPA will strengthen PIPEDA by introducing new rights for individuals, such as data portability and the right to object to automated decision-making. It’s important to note that provincial laws may add further requirements, making compliance a complex issue for businesses operating in Canada.

Brazil’s General Data Protection Law (LGPD): Taking effect in 2020, the LGPD is heavily influenced by the GDPR. It grants individuals similar rights over their data and mandates strong data security practices. It also requires data localization for certain types of data. The LGPD safeguards personal data, granting individuals rights to access, correction, and deletion. It enforces clear consent for data processing. The LGPD establishes a Data Protection Authority (ANPD) to oversee compliance and enforce penalties for violations, which can include hefty fines.

Thailand’s Personal Data Protection Act (PDPA): Thailand’s primary data privacy legislation is the Personal Data Protection Act (PDPA), enacted in 2019 and fully enforced in 2022. Similar to the EU’s GDPR, the PDPA emphasizes transparency and individual control over personal data. Key aspects include requiring clear consent for data collection, limiting data use to specified purposes, and granting individuals rights to access, rectify, and erase their data. The PDPA establishes a Personal Data Protection Committee (PDPC) to oversee compliance and enforce penalties for violations, including hefty fines. While influenced by the GDPR, the PDPA has some unique features. For example, consent requirements may differ for sensitive data, and organizations exceeding a certain data processing threshold need to appoint a data protection officer.

Key Similarities Across Regulations

Despite regional differences, some core principles emerge across various data privacy regulations:

User Consent: Most regulations emphasize user consent for data collection and processing. This empowers individuals to decide how their data is used.

Data Security: Regulations mandate organizations to implement appropriate technical and organizational measures to safeguard personal data from unauthorized access, breaches, and other risks.

Data Subject Rights: Individuals often have rights to access their data, request rectification of errors, and demand erasure in certain cases.

Key Differences Across Regulations

Scope and Stringency: The level of detail and strictness in regulations varies. The GDPR sets a high bar, while frameworks like APEC offer less specific guidance.

Data Localization: Some regulations, like Brazil’s LGPD, mandate data localization, requiring data to be stored within the country’s borders. This can create challenges for global businesses.

Government Exemptions: Some regulations grant exemptions for government agencies regarding data access for national security or law enforcement purposes. This raises concerns about potential misuse of user data.

Potential Geopolitical Implications

Data sharing policies and international relations are deeply intertwined, influencing each other in complex ways. Data, particularly when it concerns critical infrastructure, economic activity, or citizen information, can be a powerful political tool. Stringent data sharing policies by a nation can be seen as a sign of distrust towards other countries, potentially creating friction or hindering collaboration on issues like cyber security or global health initiatives. Conversely, free-flowing data exchange, facilitated by more relaxed data sharing policies, can foster closer ties between nations by enabling smoother economic partnerships, research collaborations, and even joint law enforcement efforts. However, such openness can also raise concerns about national security and potential exploitation by foreign powers. International relations also play a significant role in shaping data sharing policies. Political alliances or trade agreements can lead to more open data exchange between partner nations. Conversely, geopolitical tensions or disputes over data privacy practices can lead to stricter data localization requirements or limitations on cross-border data flows. As the world becomes increasingly interconnected and reliant on digital technologies, navigating the balance between data sharing for mutual benefit and safeguarding national interests will be a critical challenge in international relations.

Strict data localization requirements, like those considered in India, can be seen as a sign of national wariness. The ongoing debate around the CLOUD Act in the US, which allows US law enforcement to access data stored by American companies even if it’s located on foreign soil, has strained relations with European nations concerned about user privacy. Conversely, collaborative data sharing has yielded success stories. International cooperation facilitated by data exchange has been instrumental in tackling global health threats like the Ebola outbreak in West Africa. Similarly, the Five Eyes alliance, an intelligence-sharing agreement between the US, UK, Canada, Australia, and New Zealand, allows for smoother cross-border investigations and counter-terrorism efforts. However, such data-sharing arrangements raise concerns about potential misuse and a lack of transparency. Clarification, systematization, and standardization of data collection, consent elicitation, data storage, and data sharing procedures and mechanisms will hence go a long way in enabling international cooperation and mutual understanding.

The Evolving Landscape

The regulatory landscape is constantly evolving. New technologies like artificial intelligence and the Internet of Things (IoT) pose fresh challenges to data privacy. Additionally, concerns regarding cross-border data flows and the dominance of tech giants necessitate international cooperation to establish a more unified approach to data privacy.

As technology continues to advance and user concerns evolve, data privacy regulations will need to adapt. Striking a balance between protecting user rights, fostering innovation, and facilitating international data flows remains a key challenge for policymakers worldwide. This global overview provides a starting point for understanding the complex and ever-changing landscape of data sharing, security, and privacy regulations.

Socioeconomic context

India is experiencing a rapid digital transformation, with internet penetration surging past 50% in 2023. This digital revolution is fundamentally altering the socioeconomic landscape. Mobile phone subscriptions have surpassed 1.2 billion, driving a booming mobile payments industry and the rise of e-commerce platforms. However, this digital inclusion comes with a caveat — a growing data privacy divide. With a large population still unfamiliar with complex data privacy terms, a significant knowledge gap exists between the data users share and the potential consequences of sharing it. Only 38% of households in India are digitally literate, as reported on the website of the Ministry of Labour & Employment, Government of India.

Numerous surveys have revealed that the majority of Indian internet users aren’t aware of the extent of data collection by online platforms. This lack of awareness makes it difficult for users to provide truly informed consent. Furthermore, the dominance of a few large technology companies creates a situation where users often have limited bargaining power and are forced to accept pre-checked consent boxes without fully understanding what data they’re surrendering. This lack of granular control over data sharing can have serious economic consequences. Data breaches expose sensitive financial information, leading to identity theft and financial losses. Discriminatory algorithms, fueled by biased data sets, can perpetuate social inequalities and hinder access to crucial services. As India strives towards a truly digital economy, fostering user awareness about data privacy and empowering individuals with fine-grained control over their information will be critical for building trust and ensuring inclusive economic growth.

Digitalization presents a transformative opportunity for development, but risks widening the gap between rich and poor nations. Critical services like healthcare, education, energy, and agriculture increasingly rely on connectivity and data. However, for developing countries to flourish, they need access to affordable, secure digital infrastructure and platforms.

While Artificial Intelligence and the data revolution are accelerating digital capabilities for many, they also exacerbate the digital divide, leaving low-income countries further behind. Without internet access and the skills to use digital tools effectively, billions remain excluded from the modern world.

Fortunately, multi-party international efforts are underway to bridge this gap. The World Bank’s “Digital Economy for Africa” (DE4A) program exemplifies such efforts, aiming to ensure digital inclusion for every individual, business, and government in Africa by 2030. Through DE4A, internet access in Africa has increased from 26% in 2019 to 36% in 2022, demonstrating the program’s effectiveness.

The challenge remains significant. In 2023, an estimated 2.6 billion people, or roughly a third of the global population, lacked internet access. While internet penetration in high-income countries exceeds 90%, only a quarter of people in low-income countries enjoy the same privilege. Furthermore, a staggering 850 million people globally lack any form of identification, further hindering their ability to participate in the digital economy. The international community must redouble its efforts to help developing nations catch up, accelerate digital adoption, and ensure everyone can reap the benefits of a connected world.

However, unlocking the full potential of digitalization necessitates a balanced approach that acknowledges both risks and opportunities. As the world embraces digital solutions, safeguards are crucial to foster trust. Data protection frameworks, robust cybersecurity laws, and strong institutions are essential for developing secure and interconnected digital ecosystems that can verify identities, facilitate secure and efficient financial transactions, and enable responsible data exchange. By recognizing the challenges and implementing effective solutions, the world can leverage the power of digitalization to achieve inclusive and sustainable development.

The global digital economy thrives on the constant exchange of data. Cross-border data flows underpin international trade, facilitate research collaboration, and enable global supply chains to function efficiently. However, concerns around data privacy are increasingly hindering this economic potential. The Cambridge Analytica scandal, where user data from Facebook was improperly accessed for political targeting, highlighted the potential for misuse of personal information. Stricter data privacy regulations, like the EU’s General Data Protection Regulation (GDPR), have emerged in response, mandating user consent and empowering individuals with control over their data. While these regulations are crucial for protecting user privacy, they can also create friction in the global data ecosystem. Companies face complex compliance challenges when operating across different jurisdictions with varying data privacy laws. This can stifle innovation and hinder international collaboration. The challenge lies in striking a balance between fostering a vibrant data-driven economy and ensuring user privacy. Standardized global frameworks for data governance, coupled with user education initiatives, will be essential for navigating this new digital terrain. The future of the global economy hinges on empowering users with informed consent and granular control over their data, while still facilitating the cross-border flows that fuel innovation and economic growth.

Context of the Financial Sector

The Indian financial sector is undergoing a digital revolution, fueled by the proliferation of mobile wallets, online banking platforms, and investment apps. This digital transformation hinges on the effective utilization of user data, which offers immense potential for personalized financial services, improved risk assessment, and innovative product development. However, leveraging user data responsibly requires navigating a complex landscape of regulations and global trends, while prioritizing user privacy and building trust. This literature review explores these critical aspects, examining existing regulations in India, delving into global trends in financial data sharing, and analyzing the user perspective on data privacy.

Global Trends in Financial Data Sharing

  • Open Banking: Open Banking refers to the practice of financial institutions allowing third-party developers to access user financial data, with user consent, to develop innovative financial products and services. This trend has gained significant traction globally, with initiatives like the Open Banking Implementation Entity (OBIE) in the UK and the European Union’s Payment Services Directive 2 (PSD2) leading the way. Open Banking holds immense potential for financial inclusion by fostering competition and promoting innovative financial solutions. However, it also raises concerns about data security and the need for robust regulatory frameworks to govern data sharing practices between traditional financial institutions and third-party providers.
  • Data Analytics and Artificial Intelligence (AI): The ability to leverage user data for advanced analytics and AI-powered solutions is transforming the financial services landscape. Financial institutions are increasingly utilizing data to personalize customer experiences, optimize risk management models, and develop data-driven financial products. While these advancements offer significant benefits, ethical considerations around data bias, algorithmic fairness, and the potential for discriminatory practices need to be addressed.
  • Focus on User Privacy: As data breaches and privacy scandals continue to grab headlines, user privacy concerns are taking center stage. Global regulations like the General Data Protection Regulation (GDPR) in the European Union (EU) and the California Consumer Privacy Act (CCPA) in the US have significantly heightened user awareness and empowered them with greater control over their personal information. These trends are forcing financial institutions globally to prioritize user privacy by implementing robust data security measures, obtaining informed consent, and offering users clear options to manage their data sharing preferences.

Brief Review of Literature on User Perspectives on Data Privacy

Academic Research

Research by various academics and organizations highlights user concerns surrounding data sharing practices in the financial sector. Users often lack transparency around how their data is collected, stored, and used. They value granular control over what data is shared and for what purposes. Furthermore, concerns about data security breaches and the potential for misuse of personal information are prevalent. However, many users are also willing to share data for demonstrably personalized benefits, highlighting the importance of clear communication and building trust.

In a 2018 study published in Industrial Management & Data Systems, Zhou et al. identified trust as a key moderator between user satisfaction and their continued use of e-finance platforms.

Similarly, Ghosh et al. (2021) found that trust plays a significant role in driving financial inclusion, with trust impacting account ownership and usage across various demographics in their paper in the Journal of Behavioral and Experimental Finance.

The type of trust can also differ based on user behavior. Meng et al. (2019) observed in their study that appeared in Strategic Innovative Marketing and Tourism that users in the sharing economy prioritize interpersonal trust when acting as resource users, but rely more on institutional trust when acting as resource providers.

Hah et al. (2019) took a unique approach in their publication in the Journal of Medical Internet Research, using daily internet banking habits as a proxy to understand health information sharing. Their findings suggest that managing financial information online can encourage users to share more personal health data.

Konstantinidis et al. (2021) proposed a method for strict control over user data in relational databases. It introduces “consent constraints” that users can define to specify exactly how their data can be used. A trusted service provider enforces these constraints by filtering queries that violate user consent. This approach offers a more formal and automated way to manage data usage compared to traditional “opt-in/opt-out” methods.
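A toy model of the consent-constraint enforcement described above, added here as an illustration and not taken from the Konstantinidis et al. paper: each data owner declares which attributes may be used for which purposes, and a trusted enforcement layer withholds every row whose owner did not consent to the query's purpose and attributes. The records, consent entries and names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class ConsentConstraint:
    """A data owner's consent: which attributes may be used for which purposes."""
    attributes: FrozenSet[str]
    purposes: FrozenSet[str]


@dataclass(frozen=True)
class Query:
    """A data consumer's request: the columns it wants and its declared purpose."""
    attributes: FrozenSet[str]
    purpose: str


# Constructed sample table, one row per customer (not real data).
RECORDS: List[Dict[str, object]] = [
    {"user_id": "u1", "balance": 1200, "loans": 1, "contacts": "[list]"},
    {"user_id": "u2", "balance": 350, "loans": 0, "contacts": "[list]"},
    {"user_id": "u3", "balance": 9800, "loans": 2, "contacts": "[list]"},
    {"user_id": "u4", "balance": 40, "loans": 0, "contacts": "[list]"},  # no consent on file
]

# Constructed consent constraints, loosely mirroring the user segments the survey describes.
CONSENTS: Dict[str, ConsentConstraint] = {
    # functional minimalist: account data may be used for credit decisions only
    "u1": ConsentConstraint(frozenset({"balance", "loans"}), frozenset({"credit_scoring"})),
    # also lets the balance be used for personalised offers
    "u2": ConsentConstraint(frozenset({"balance"}), frozenset({"credit_scoring", "marketing"})),
    # privacy absolutist: nothing may be used for any purpose
    "u3": ConsentConstraint(frozenset(), frozenset()),
}


def permitted(constraint: ConsentConstraint, query: Query) -> bool:
    """True only if the purpose is consented AND every requested attribute is covered."""
    return query.purpose in constraint.purposes and query.attributes <= constraint.attributes


def enforce(query: Query, records: List[Dict[str, object]],
            consents: Dict[str, ConsentConstraint]) -> List[Dict[str, object]]:
    """Trusted-layer filter: return only rows whose owner consented to this query.

    Rows with no constraint on file are withheld (opt-in by default), and the
    output is projected to the requested columns plus the row key.
    """
    allowed = []
    for row in records:
        constraint = consents.get(str(row["user_id"]))
        if constraint is None or not permitted(constraint, query):
            continue  # owner never consented, or consent does not cover this query
        projected: Dict[str, object] = {"user_id": row["user_id"]}
        projected.update({col: row[col] for col in sorted(query.attributes)})
        allowed.append(projected)
    return allowed


def revoke_purpose(consents: Dict[str, ConsentConstraint], user_id: str,
                   purpose: str) -> Dict[str, ConsentConstraint]:
    """Return a new consent map with one purpose withdrawn for one owner.

    Because enforcement re-reads the constraints on every query, the owner's row
    drops out of later queries for that purpose with no change to the consumer's code.
    """
    updated = dict(consents)
    old = updated[user_id]
    updated[user_id] = ConsentConstraint(old.attributes, old.purposes - {purpose})
    return updated


if __name__ == "__main__":
    scoring = Query(frozenset({"balance"}), "credit_scoring")
    print(enforce(scoring, RECORDS, CONSENTS))
    marketing = Query(frozenset({"balance"}), "marketing")
    print(enforce(marketing, RECORDS, revoke_purpose(CONSENTS, "u2", "marketing")))
```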

Chatzigiannis et al. (2023) explored building a digital version of a nation’s currency (Central Bank Digital Currency or CBDC) with built-in privacy features. The study examines how these privacy-protecting technologies can be applied not just to CBDCs but also to other areas of finance that use digital tokens, such as international payments, immediate settlements, and even credit card transactions.

Park et al. (2023), in their study in IEEE Access, tackle balancing data privacy with its value for businesses. The paper proposes a system for sharing personal data that obtains user consent while adhering to privacy regulations. The system design considers both business needs and user privacy frameworks, and includes checks to ensure data is used according to consent. The paper also demonstrates a working prototype of this system.

Organizational Studies and Industry Reports

A new report by PwC India reveals a concerning lack of compliance with India’s recently implemented Digital Personal Data Protection Act (DPDP Act) among Indian businesses. The study, titled “Readiness of India Inc. for the Digital Personal Data Protection Act, 2023: A PwC Analysis,” analyzed the websites of 100 companies and found that only 9% obtain user consent that meets the legal requirements of being free, specific, and informed. In most cases, consent is bundled together for various purposes, making it difficult for users to understand exactly how their data will be used. While 48% of organizations offer an option to withdraw consent, the report highlights a concerning asymmetry — withdrawing consent is apparently a more cumbersome process compared to granting it initially. Additionally, only 2% of companies provide privacy notices and consent options in multiple regional languages, potentially limiting user understanding in a diverse country like India. Another troubling finding concerns data sharing with third parties. A significant 43% of organizations fail to clearly explain the purpose for which personal data is shared with external data processors. The DPDP Act mandates the appointment of a Data Protection Officer (DPO) to oversee data protection strategies and ensure compliance. While 74% of companies have listed contact details for data processing queries, just 54% have proactively provided the contact of their DPO and 41% specify user rights to access, correct or erase data. PwC suggests that these companies with designated DPO contacts are more likely to have a functioning privacy framework, giving them a head start in complying with the DPDP Act. The remaining organizations, relying on generic customer care emails for data protection inquiries, might have customized privacy notices but likely lack a comprehensive framework to ensure compliance. 
While 90% of the analysed company websites had privacy notices, a basic first step, only a tenth of them obtained clear and informed consent for data collection. Breach notification mechanisms were on only 4% of sites. Notably, the banking, FinTech, and insurance sectors, already heavily regulated by the Reserve Bank of India, showed better preparedness for the DPDP due to existing data processing practices. This suggests these sectors may be more likely to implement the Act’s control measures effectively.

A survey conducted by INC magazine found that a staggering 60% of small businesses shut down within just six months of experiencing a data breach or cyberattack. This alarming statistic highlights a critical issue: data protection, even with regulations in place, isn’t a top priority for businesses. This finding shows that data security is not merely an ethical prerogative but a vital organ of any data-based business.

A 2018 KPMG report titled “Me, My Life, My Wallet” dives into the evolving priorities of consumers in India and around the world, highlighting financial security, identity, data, and privacy as top concerns. The report examines the past two decades, a period marked by significant milestones that have shaped India’s spending habits. These milestones include the country’s population surpassing one billion, the arrival of Facebook, the demonetization initiative, and the implementation of the Goods and Services Tax (GST). One striking finding from recent years is that more than half of those surveyed prioritize their cell phones over their wallets, underscoring the growing importance of mobile technology in everyday life. Another pertinent finding was the fact that users around the world seemed to attach high levels of trust to banks, particularly with regards to their financial data — Indian and Chinese users led in this.

An on-site poll conducted by EY at the esteemed global financial services networking event Sibos 2019 in London on the topic of digital payments, involving a diverse group of stakeholders from the global financial services ecosystem, suggested a near cashless future (96% believe digital payments will dominate by 2030) with convenience (39%) and crime prevention (36%) as top benefits. It however discovered that concerns exist around financial inclusion (36% saw it as the biggest drawback), especially in developing regions (100% of respondents there saw it as negative). Data security is another worry (20% for cyber risk). The survey highlighted the need for robust cybersecurity measures by financial institutions (52% believe they can do more) to build trust for wider adoption. Consumer buy-in was seen as critical (36%) but varied by region. While Europeans dominantly believed that user adoption was key, the majority of Asians felt that industry bodies and governments need to address trust and security concerns on priority. On the whole, the report suggested a future dominated by cashless transactions, but highlighted the need to address regional variations, security concerns, and financial inclusion for a smooth transition.

A significant number of Indian consumers, according to a recent Accenture study, are willing to trade personal information for financial perks. The study, which surveyed nearly 2,000 Indian consumers as part of a global sample of 47,000, found that over 80% would share details like location data and lifestyle habits with their bank for rapid loan approval while over 75% would do so for personalized offers even when three-quarters of respondents claimed to be very cautious about the privacy of their personal data.

According to the second edition of the MMA-EY consumer data survey 2022 titled “Leveraging Consumer Data for Marketing”, conducted jointly by MMA India and EY among 170 CEOs and CMOs across sectors, only 55% of Indian marketers have achieved a strong integration between their 1P (first-party) and 3P (third-party) data sources. This limited integration, often attributed to restricted employee access (reported by 55% of respondents), hinders the ability to leverage a holistic view of their customer base. The survey identified limited employee access to data as a significant barrier to data integration. This suggests potential issues with internal data silos or restricted access controls, hindering employees from utilizing the full potential of available data. On the brighter side, a strong majority (84%) of respondents expressed confidence in their data protection practices, implying well-established rules and protocols for safeguarding consumer information. The report also highlighted a positive trend in cross-fishing regulations, with 38% of organizations now having established rules for sharing consumer data across brands within their portfolio. This represented a notable increase from the previous year’s figures. Thus, while 1P consumer data ownership and management strategies were outlined by most respondents, the report revealed key areas for improvement regarding data integration, access, and regulations.

A recent CGAP study examined user understanding and adoption of Account Aggregators (AAs) in India, a key player in open finance. The survey included nearly 2,000 smartphone users, reflecting the dominance of smartphones for accessing financial services (74% of Indian households have smartphone access). Survey results indicated a high level of financial inclusion, with nearly all respondents using digital payments and 90% actively using digital financial services like Google Pay and PhonePe. Despite user comfort with digital finance, awareness of AAs remains low. Only 12% were familiar with the concept, with lower awareness in rural areas, among women, and among those with less education. While 20% expressed willingness to share data for benefits, this openness varied by demographics. Over 70% expressed discomfort using a third party to share financial data online. Interestingly, AAs were designed to strengthen user control through consent processes, but the concept of a third party may be discouraging initial participation. Among those who applied for a loan in the past year, only 10% reported using AAs to share data (2% of the total sample). CGAP’s study inferred that the initial implementation of AAs has gained traction from a financial service provider perspective, indicating a strong foundation for future growth. The report’s conclusion was that while the current usage may be slightly higher due to recent growth, there’s significant opportunity for FSPs to leverage AAs for a wider range of products and services. The authors of the study emphasized that building user awareness and trust, particularly among traditionally excluded segments, will be crucial to ensuring the benefits of open finance reach a broader population.

Gaps in the Literature and Future Research Directions

  • The Impact of Regulations: While existing and proposed regulations aim to address data privacy concerns, there is limited research exploring the actual impact of these regulations on user behavior and data sharing practices in the Indian financial sector. Future research can examine how regulations shape user trust and how financial institutions are adapting their data governance practices to comply with evolving regulations.
  • User Education and Awareness: User concerns about data sharing often stem from a lack of understanding of how their data is used and protected. Future research can explore effective strategies for user education and awareness campaigns. This can include developing user-friendly resources that explain data collection practices, highlight the benefits of data sharing, and educate users about their rights and control mechanisms.
  • The Role of Fintech: With the rapid growth of Fintech companies in India, there is a need to explore how these companies are integrating user data into their financial services. Research can explore the data sharing practices of Fintech companies, user perceptions of data privacy in this context, and the potential regulatory frameworks needed to govern Fintech data governance effectively.

The future of data sharing in Indian financial institutions hinges on finding a balance between innovation, user privacy, and responsible data governance. Existing regulations and global trends provide a valuable foundation for this balance. However, continued research is essential to understand the evolving user perspective on data privacy, the impact of regulations, and the role of Fintech companies in the data sharing ecosystem. By prioritizing transparency, user control, and robust data security measures, Indian financial institutions can build trust with users and unlock the full potential of data-driven financial services for a more inclusive and efficient financial future.

Primary Findings

Only 4.5% of surveyed users said that they do not remember whether or not they had ever digitally shared any of their financial information with financial institutions for availing their services. This shows that Indian users are in general aware and conscious about data sharing, indicating that foundational data literacy has been near-completely achieved among the digitally equipped population.

Just under 15% of surveyed users said that they had never digitally shared any financial information for availing their services. This testifies to the penetration of digital financial services in India.

Only 28.5% of respondents cited any technological deterrent as the primary reason for not using digital financial services. The majority (41%) deemed security concerns to be the primary reason for not using digital financial services while 24.5% held privacy concerns to be the strongest inhibitor.

This is in line with security and privacy protection being the clear first and second most potent enablers of fintech usage, as well as the first and second most important concerns echoed across a number of questions of the survey. The correlation here is also high: most users who are most concerned about security, ranking it as a top concern in various questions, highly consistently mention it as a key enabler (and its lack as a key deterrent) to their usage of digital financial services.

About half of the respondents cited enhanced security as the primary potential motivator for them to explore the realm of FinTech. Transparency and Trust-building policies and measures were cited as the primary motivator for the same by just over a fifth of respondents. Enhanced personalization features and enhanced user interface both held primacy as motivators for venturing into FinTech for 10% of users each while enhanced accessibility was the foremost driver for a mere 6% of surveyed users. This offers a key action insight — the aspects on which fintech companies are currently overwhelmingly focusing their innovation and promotion efforts are not the ones that would likely bring prospective users into the fintech environment. Security and Transparency, in that order, are clear and overwhelming first and second most prevalent decisive points of inhibition and motivation for Indian users. Fintech firms must shift their focus from adding new features and fine experiential utilities towards the less conspicuous but more foundational aspects of security and transparency in both their communication and their development efforts.

Fewer than 8% of individuals couldn’t recall anything specific about giving consent. Roughly 85% of this group of individuals had also responded with ‘low’ or ‘very low’ to the question about how clear and understandable the consent notices provided by financial institutions were. Interestingly, only 50% of these individuals had responded with ‘low’ or ‘very low’ to the question asking them to state the degree of control that they think they have over the data they share. This indicates that many users who likely don’t pay attention to consent elicitation, consent provision, and data sharing have a misplaced sense of control over their data sharing, despite most such individuals deeming the consent notices they went through unclear and difficult to comprehend. This in turn points towards a significantly prevalent false sense of control among those with low awareness and consciousness of privacy issues and actions.

70% of users had most recently used one of three account aggregators — PhonePe, Paytm, and CRED. The next four — Groww, Saafe, Onemoney, and CAMS — accounted for another 25%. This suggests that in its current state, the Indian Account Aggregators market is oligopolistic.

1 in 5 survey respondents reportedly found consent notices provided by financial institutions to not be at least fairly clear and understandable in general. About 8% reportedly found them to be low or very low in lucidity.

About 25% of survey respondents chose to add (optionally) that the parties with whom their data might be shared was a key concern for them that they felt should have been unambiguously communicated in the consent notice. 20% of respondents remarked the same about the type of data collected. 5% of respondents made additional unprompted remarks about the language of the consent form being convoluted and difficult to comprehend.

Roughly 3 in 4 individuals participating in the survey indicated that they believed they had a high or very high degree of control over data sharing. Only 8% indicated a belief that their degree of control was low or very low. The responses here were strongly correlated with the set of responses to the question on clarity and comprehension of consent notices.

Respondents were asked to recall which of the following terms of data sharing were present in the consent notice of their most recent digital financial transaction and separately asked which ones were they able to control or modify — Purpose of data collection, Duration of data storage, Frequency of data access or refresh, Specific data points collected, Parties with whom data might be shared, Options for revoking consent.

For each of the following terms of data sharing — duration of data storage, frequency of data access or refresh, specific data points collected, and parties with whom data might be shared, less than half of the surveyed users reported being able to control or modify them. 3 in 5 users were able to modify the purpose of data collection, the most commonly modifiable and widely controllable aspect of data sharing as per our survey.

About 2 out of 9 users reportedly weren’t able to modify options for revoking consent while about 2 out of 90 weren’t able to control or modify any of the aforementioned terms of data sharing including options for revoking consent. Over 85% of users who had the option for revoking consent also had control over all the other levers of data sharing terms but less than half of those who had control over all the other levers stated that they enjoyed the option to revoke consent.

For three of these five terms of data sharing (purpose of data collection, frequency of data access or refresh, and parties with whom data might be shared), the number of users who reported the term being present in the consent notice was about 80–90% of the number of users who reported being able to control/modify the same in the consent notice.

For duration of data storage and options for revoking consent, the number of users who reported having the option in the consent notice and the number of users who reported being able to control/modify it was exactly the same. In fact, for both these parameters, there was a near perfect (99%+) overlap of the exact respondents. Interestingly, for specification of data points collected, the number of respondents who reported being able to control or modify this term in their respective consent notices, exceeded that of those who reported it being present in their consent notice.

The term ‘parties with whom data might be shared’ had the highest relative divergence of respondents between presence of the term and modifiability of the term in the consent notice of all consent terms. About 20% of the respondents who said the term was present in their consent notice reported not being able to modify it and about 8% of those who reported being able to modify it had not reported its presence in their consent notice.

Only 36% of users thought that financial institutions seek to collect contact lists, SMS, and email from users, while 71% of users believed that details about their bank accounts, transactions, loans, and investments were collected by financial institutions.

About 22% of respondents believed that third-party marketers and sellers selling unrelated stuff gain access to their financial data once they share the same with financial institutions.

Only 9.5% of surveyed respondents felt confident that financial institutions only collect as much information as required. About 72% of surveyed users felt that financial institutions were significantly overstepping their genuine specific operational need when collecting information. About half of them (36% of the total) felt that this data collection was far more than required.

While 11% of surveyed users are fine with any and all data being shared with their financial institution, a whopping 41% wanted full granularity, some 43.44% were fine with document-level granularity, and only 4.5% wish to decide it on a case-by-case basis. This shows that granularity of control is a more fundamental user need than dynamism of control.

Only 3 out of 10 users have ever (even once) exercised the option to revoke consent. This is not surprising given the fact that just over 2 in 10 users found the ‘Revoke Consent’ option readily accessible.

Only a third of the users who had used the option of revoking consent had done it through an in-built feature in the app or website. Half of the users contacted the organization via call and the rest used email, app chat, or website-based contact form to get the same done.

Among the four aspects of consent experience — Clarity & Transparency, Ease of Navigation, Control & Flexibility, and Trustworthiness & Security — the dissatisfaction rate was the highest for Control & Flexibility (10.8%) and the satisfaction rate was the lowest for the same. The satisfaction rate was the highest for Ease of Navigation (75%) and the dissatisfaction rate was the lowest for the same (6%). Overall, the satisfaction rates for each parameter were fairly close, with the maximum relative deviation between any two aspects being under 16%, given that the satisfaction rate was the lowest for Control & Flexibility, standing at 64.8%. The neutrality rate was the highest for Clarity & Transparency, with about 27% of the respondents reportedly being neither satisfied nor dissatisfied with it. Trustworthiness & Security led both extremes, having the maximum share of highly satisfied users (34.2%) as well as tying with Clarity & Transparency in having the maximum share of highly dissatisfied users (4.2%).

36% of respondents in the survey reported having no negative experience post-consent provision for data collection till that point. 43.5%, 36.5%, and 34% users respectively stated that they had experienced financial data theft or unauthorized access attempts, spam or unwanted marketing, and discrimination or unfair treatment, on the basis of their financial data. The intersection between those who received spam/unwanted marketing and those who reported experiencing discrimination/unfair treatment was moderately high while the intersection between those who experienced spam/unwanted marketing and those who experienced financial data theft attempts and unauthorized access was very high.

65% of respondents claimed to have been assured or very assured of the privacy of their data where no formal consent mechanism to obtain and share data existed as compared to a 71% assurance rate with the status quo. This reflects both a generally moderately high degree of overall confidence in data privacy among Indians and a moderately high impact of formal consent mechanisms in furthering prevalence of assurance of privacy in data sharing.

Further, the percentage of respondents who reported having low or very low levels of surety of privacy almost halved given the provision of a formal consent mechanism.

27.7%, 26.7%, 26.2%, and 19.4% users found privacy in context of financial data to be best defined as “mandating specific and clear consent for any specific data usage”, “having strong security measures in place to protect data from unauthorized access”, “use of data strictly only for the specified purpose and nothing else”, and “full control over who can access my data” respectively.

11.2% users were privacy absolutists, being hesitant to share any financial data. 41.8% of users were functional minimalists and wanted only the essential data to be collected about their finances. Another 39.8% users were comfortable sharing some extra data for personalized services but only if its benefits were significant and conspicuous. 7.2% were carefree, being indifferent to sharing their data irrespective of whether or not it would afford them any benefits.

For over half the users, financial losses due to cybercrime incidents like hacking, theft, and scams were the top concern. 20% and 15% of respondents respectively cited disagreement about data usage and lack of privacy as their top concerns.

71% of surveyed users were confident that their data privacy was assured if they allowed financial institutions to fetch their data with their consent. Out of these 20% chose to remark that this was because they discreetly read and understood the terms and conditions while 15% remarked that it was because they only chose to transact with selected financial institutions which they thoroughly trusted. Another 20% said that this was because they were very decidedly conservative in sharing their data, choosing not to share some data no matter what service they get.

Roughly two-thirds of the survey respondents were willing to share additional sensitive data with their financial institution if assured of delivery of better services and value, while less than 10% were decidedly unwilling to share any additional sensitive data in exchange for assured enhancement of services and value. In conjunction with other insights, this indicates a robust positive outlook for the development of a well-structured, transparent, secure, and harmonious fintech data ecosystem in India.

When asked for additional comments, about 35% of users emphasized the need for security or sought clarity and reassurance in terms of security. Some 60% of these (21% of the total) also emphasized the need for fine data sharing control, accounting for roughly 70% of those who expressed a desire for finer data sharing control in their additional comments. While 40% of the survey respondents cited some privacy concern in the additional comments section and 30% of the total cited a desire for finer data sharing control in their comments, only 5% of the respondents mentioned the word ‘consent’ therein.

References

  1. https://rti.gov.in/rti-act.pdf
  2. https://www.meity.gov.in/writereaddata/files/itbill2000.pdf
  3. https://www.indiacode.nic.in/bitstream/123456789/15386/1/it_amendment_act2008.pdf
  4. https://uidai.gov.in/images/Aadhaar_Act_2016_as_amended.pdf
  5. https://main.sci.gov.in/supremecourt/2012/35071/35071_2012_Judgement_24-Aug-2017.pdf
  6. https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf
  7. https://www.hindustantimes.com/analysis/digital-personal-data-protection-bill-a-brief-overview-lok-sabha-monsoon-session-101690988066427.html
  8. https://www.financialexpress.com/money/data-protection-law-focus-on-accountability-amp-consent-but-offline-data-must-be-treated-at-par-3266125/
  9. https://thewire.in/rights/digital-personal-data-protection-law-raises-questions-about-consistency-with-right-to-privacy-ruling
  10. https://gdpr-info.eu/
  11. https://oag.ca.gov/privacy/ccpa
  12. https://www.apec.org/docs/default-source/Publications/2005/12/APEC-Privacy-Framework/05_ecsg_privacyframewk.pdf
  13. https://www.pdpc.gov.sg/overview-of-pdpa/the-legislation/personal-data-protection-act
  14. https://pro.bloomberglaw.com/insights/privacy/china-personal-information-protection-law-pipl-faqs/
  15. https://www.jtl.columbia.edu/bulletin-blog/the-personal-information-protection-law-chinas-version-of-the-gdpr
  16. https://www.cas.go.jp/jp/seisaku/hourei/data/APPI.pdf
  17. https://www.privacy.go.kr/eng/laws_view.do?nttId=8186&imgNo=3
  18. https://www.gov.uk/data-protection
  19. https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/
  20. https://www.gov.br/cidadania/pt-br/acesso-a-informacao/lgpd
  21. https://www.trade.gov/market-intelligence/thailand-personal-data-protection-act
  22. https://ethics.berkeley.edu/privacy/international-privacy-laws
  23. https://www.statista.com/statistics/792074/india-internet-penetration-rate/
  24. https://www.trai.gov.in/sites/default/files/QPIR_23042024_0.pdf
  25. https://dtnbwed.cbwe.gov.in/images/upload/Digital-Literacy_3ZNK.pdf
  26. https://www.worldbank.org/en/results/2023/06/26/from-connectivity-to-services-digital-transformation-in-africa
  27. https://www.itu.int/itu-d/reports/statistics/2023/10/10/ff23-internet-use/
  28. https://www.emerald.com/insight/content/doi/10.1108/IMDS-12-2017-0602/full/html
  29. https://www.sciencedirect.com/science/article/abs/pii/S221463502100054X
  30. https://www.researchgate.net/publication/334202798_Trust_and_Role_in_the_Sharing_Economy
  31. https://www.jmir.org/2020/1/e15585/PDF
  32. https://dl.acm.org/doi/abs/10.14778/3489496.3489516
  33. https://arxiv.org/abs/2306.10200
  34. https://www.researchgate.net/publication/373669265_A_Consent-based_Privacy-compliant_Personal_Data-sharing_System
  35. https://www.pwc.in/assets/pdfs/consulting/risk-consulting/readiness-of-india-inc-for-the-digital-personal-data-protection-act-2023.pdf
  36. https://www.inc.com/joe-galvin/60-percent-of-small-businesses-fold-within-6-months-of-a-cyber-attack-heres-how-to-protect-yourself.html
  37. https://assets.kpmg.com/content/dam/kpmg/tr/pdf/2018/03/me-my-life-my-wallet-full-report.pdf
  38. https://www.sibos.com/sites/default/files/2019-09/Sibos_Issues_Preview_Edition_2019.pdf
  39. https://www.mmaglobal.com/files/documents/mma_ey_initiative_-_leveraging_consumer_data_for_marketing_2022.pdf
  40. https://www.cgap.org/blog/trust-and-awareness-will-be-key-for-open-finance-adoption-in-india