No Fintech company meets every single privacy requirement under IT Act: CIS report | The News Minute
No Fintech company meets every single privacy
requirement under IT Act: CIS report
The study shows that privacy policies of companies such as Paytm, Jio Payments Bank,
Airtel Payments Bank, Amazon Pay, Bhim are not accessible from the main website.
Shilpa S Ranipeta
Monday, June 10, 2019 - 18:13
A study by the Centre for Internet and Society on privacy and security policies of
Fintech companies in India has shown that no company met every single
requirement under the Section 43A Rules of the IT Act. A study of privacy policies of
48 companies has also shown that privacy policies of major entities such as Paytm, Jio
Payments Bank, Airtel Payments Bank, Amazon Pay, Bhim are not accessible from the
main website of the company.
The privacy policies were assessed based on the privacy policy requirements
mandated by the Sensitive Personal Data or Information (SPD/I) Rules.
A fintech company is one that combines financial services and products with
technology. The companies categorised as Fintech in this study are payment gateways,
payment gateway aggregators, mobile and online wallets, digital payments banks,
peer-to-peer lending platforms and miscellaneous entities that share features of the
above categorisation.
Rule 4 of the SPD/I Rules mandates that a company that handles information should
have a privacy policy that ensures it is dealing with the information provided by users
as per the SPD/I Rules. It is also required that the privacy policy is published on the
website of the company and is ‘clear and easily accessible’. However, the SPD/I Rules
do not specify what would constitute a ‘clear and easily accessible’ privacy policy.
In this research, CIS has studied accessibility as how many times a person has to click
to access the privacy policy, if it is readily available on the homepage, if the company
states its practices for privacy in language that can be understood by someone fluent
in English and does not require prior legal or technical knowledge to be understood.
Here are some observations from the research:
Accessibility:
The study found that 38 companies have a privacy policy accessible on the main
website of the company; 38 also have the privacy policy included in terms and
conditions of all documents of the company that collects personal information.
However, policies of only 20 companies can be understood by someone without legal
and technical knowledge and 16 can be partially understood. Privacy policies of
RazorPay, Oxigen, Airtel Payments Bank, Capital Float, Freecharge, BHIM couldn't be
understood by someone without legal and technical knowledge.
“For some of the companies the privacy policy had to be located in the terms of service
or under separate categories such as ‘legal agreements’, ‘key policies’, ‘security’,
further making the privacy policy more inaccessible. We anticipate that unless the
user is specifically looking for the privacy policy, it is unlikely for the privacy policy to
be perused in the usual course of a user’s usage of the services of the fintech provider,”
the report states.
The study found that while most fintech companies in the sample explicitly specified
personal information that was being collected, fewer privacy policies contained
categorical provisions segregating the sensitive personal information that was being
collected. However, it was unclear what each category specifically entailed.
of the listing of information,” the report states.
Option to not provide information and withdrawal of consent:
Interpretation Rule 5(7) states that the company should inform users even before
collecting information that they have an option to not provide the data or information.
The rule also specifies that the individual must also be informed that he/she has an
option to subsequently withdraw consent from the use of the data or information
collected by the data controller.
However, privacy policies of 30 companies do not specify that the user has the option
to not provide information. These include companies such as PayU, CitrusPay, Jio
Money, Airtel Payments Bank, Paytm, Fino Paytech, Capital Float, Walnut, etc.
Only 17 companies specify that the user has the option to subsequently withdraw
consent.
Registering grievances
The study showed that only 16 of the companies mention the existence of a grievance
officer in their privacy policies.
Rule 5(9) of the SPD/I Rules states that companies are required to have a grievance
redress mechanism in place vis-a-vis the user's privacy practices.
“Thirty-two companies failed to not just provide a redressal mechanism but also failed
to mention the existence of a grievance officer specific to the resolution of issues that
users may encounter vis-a-vis the data controller's privacy practices,” the report
states.
Language barrier
All companies, except PhonePe, had a privacy policy only in one language — English.
PhonePe provided a privacy policy in both English and Hindi.
“With the growth of the digital economy, a multitude of Indians are using online
services, and it is imperative that privacy policies be accessible and understandable to
all users of the service. In the context of the fintech sector, accessibility to privacy
policies takes on added significance given the fintech [illegible] avowed promise of
The research showed that few consumers, if any, read online privacy policies, despite
expressing concern about their online privacy. And privacy policies are often very
technical and not comprehensible by a regular user.