An Analysis of Data Protection and Privacy Laws in the Banking Sector in India

The enactment of Digital Personal Data Protection (DPDP) Act, 2023 has changed the era of data privacy in India and more in particular in the banking sector. Under the Data Fiduciary model, Banks have an obligation to seek the explicit agreement of people to getting their personal data collected or processed. The Act also brings into play the concept of deemed consent in that data can be processed even where there has been no explicit agreement in some situations e.g. to comply with the law or to meet an emergency situation. To achieve accountability, the Act requires the banks to employ Data Protection Officers, perform recurring audits on data and have an improved grievance redressal system to the data principals. Another important condition is that any violation of the privacy of information or illegal sharing of that information should be reported to the Data Protection Board of India and the affected person as soon as possible. The 2023 Master Direction issued by the Reserve Bank of India (RBI) on outsourcing of IT services places stringent accountability on banks, ensuring that third-party vendors adhere to data protection standards. With the expansion of digital banking, the protection of customer data has become more critical than ever. This article evaluates the growing necessity for robust legal frameworks to safeguard customer records within India's banking system. It further examines whether existing legislations including the Information Technology Act of 2000, RBI’s cybersecurity policies, and the Digital Personal Data Protection (DPDP) Act are sufficient.