Banking Law RP

TITLE OF THE RESEARCH PAPER

Banking Sector And The Indian Data Protection Regime

By

Name of the Student: Kranthi Kiran.T

Roll No.: 2018LLB127

Semester: VI

Name of the Program: 5 year (B.A., LL.B.)

Name of the Faculty Member

Asst. Prof. Mr. Poosarla Bayola Kiran

Subject

Law Relating to Banking and NI

Date of Submission: 09-05-2021

DAMODARAM SANJIVAYYA NATIONAL LAW UNIVERSITY


“NYAYAPRASTHA”, SABBAVARAM,
VISAKHAPATNAM–531035, ANDHRA PRADESH

Acknowledgment

I heartfully express my special thanks to my subject teacher Mr. Poosarla Bayola Kiran, Assistant Professor of Law, for giving me the opportunity to do the research on the topic “Banking Sector And The Indian Data Protection Regime”. It helped me to know many things and gain knowledge. I also thank sir for guiding me throughout the research and responding to my doubts regarding the research paper.

Table of Contents

Chapter I

Synopsis

Data privacy in the banking sector: Striking a Balance

• Credit Information
• Enforcement
• Information Utilities

Chapter II

Broad Legislative Framework

• Reserve Bank of India regulations
• Customary/Statutory Banking Law
• State Bank of India Act, 1955
• Banking Companies (Transfer and Acquisition of Undertakings) Act, 1980
• Credit Information Companies (Regulation) Act, 2005 and Credit Information Companies Regulations, 2006
• The Public Financial Institutions (Obligation as to Fidelity and Secrecy) Act, 1983
• A look at Data Protection Regime in India

Chapter III

Examples of privacy violations in the banking sector

• Punjab National Bank
• Canara Bank
• Bank of America

Chapter IV

Information Security Management Cloud Computing: Banking Sector

The Personal Data Protection Bill 2019: A Scrutiny

• Application
• Responsibilities of Data Fiduciary

Chapter V

Online privacy and its protection: A Need due to growing of online banking

Judicial Development

Chapter VI

Conclusion

Bibliography

Synopsis

Introduction

Information Technology (IT) revolution has ushered in a paradigm shift in the banking industry. The model of banking has transformed from brick and mortar to all-pervading through ‘Anywhere and Anytime Banking’. Though the fundamentals of banking might have remained the same, customers’ perception of ‘value’ and, therefore, ‘business models’ are evolving at an ever-increasing velocity. Today, if a bank can assure its customer of a viable 24x7 interface, it has the hope of retaining the customer for a longer time.

¹In the currently prevailing global economic conditions, organized threats are being increasingly perpetrated against financial institutions. In line with expectations, survey results indicate that banks are constantly being exposed to sophisticated, organized and financially motivated threats. Increasing targeting of customers through phishing, vishing and smishing attacks is also one of the important elements of the threat landscape. The banking industry, recognizing these risks, has taken several initiatives in the area of cyber security and data protection. Governments and Regulators have introduced mandatory guidelines and protocols towards security and privacy of data. Some of the initiatives include: the IT (Amendment) Act 2008, Guidelines for Information Systems Security/Audit-2001, RBI’s guidelines on Mobile Banking and Pre-paid Value Cards, and guidelines on Internet Banking. Banking is one of the most vulnerable and highly personal environments in which data security breaches are shared, stored and preserved.

The government of India also introduced the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 with an aim of creating a robust legislation, which would protect customer’s sensitive personal data by only allowing banks to release data when the customer has explicitly consented to such disclosure. The Rules also permit banks to only collect sensitive personal information for lawful purposes connected with the function or activity of banks and when the collection of the information is necessary for such purpose.² Every person must rely on banks with personal data, monetary reports, account access and credit history. Infringements of the privacy of an individual are also not taken lightly. With the increased intervention of technology in the banking sector globally, the need for sophisticated laws to protect customer information has gained significant attention. While several countries have enacted comprehensive legislations to protect customer’s sensitive information, some countries are still in the process of introducing legislations to keep up with the changing pace of technology. In India, banks are regulated by the Reserve Bank of India (RBI), and the RBI, through various notifications, circulars, directions and guidelines from time to time, obligates banks to maintain customer confidentiality and protect the privacy of customers’ data.

¹ Data Protection: India in the information age, Atul Singh, Journal of the Indian Law Institute, Vol. 59, No. 1, 2017, pp. 78.
² Protection of Personal Data and Privacy in Banking Sector, Gashi, Vol. 9 (May 2020), pp. 70.

Objectives

• To critically study the major challenges that India is currently facing related to data security and tackling privacy issues.
• To analyse the evolution of physical security and its integration with Information Technology.

Research Method

The research methodology is doctrinal in nature. In addition to this, the research paper is:

a. Analytical;

b. Comparative;

c. Descriptive;

d. Critical.

Research Questions

• Whether banks in India are lagging in areas like security of card transactions, as compared to their global counterparts?
• Whether ‘Data Security’ in banks continues to be driven by External Threats and Regulatory Requirements?
• Whether India needs proper legislation to govern data protection in the banking sector?

Literature Review

• Data Protection: India in the information age, Atul Singh, Journal of the Indian Law Institute, Vol. 59, No. 1, 2017, pp. 78-101.

The author of this journal article discusses data security in the banking sector, which is an important aspect of data protection and is addressed by laws dealing with protection of electronic data storage and processing resources; other significant aspects of data protection, such as an individual's right to be informed and his prior approval for data collection, processing and sharing, quality of data and remedies offered to the individual consequent to these rights, are often neglected.

• A comparative analysis of Indian Banking Legislation, Vol. 8, Issue 31, 2015, pp. 1-4.

This article deals with the unique aspect of information security in the banking industry, which is that the security posture of a bank does not depend solely on the safeguards and practices implemented by the bank; it is equally dependent on the awareness of the users using the banking channel and the quality of end-user terminals.

Data privacy in the banking sector: Striking a Balance

Credit information

³However, while providing the necessary protection to customers there is also a need to ensure that banks are not victimized for no fault of theirs by not being able to recover their debts from defaulting customers. To meet this end, the Credit Information Companies Act, 2005 (CIC Act) was introduced in India in 2005. Credit Information Companies (CICs) are independent third party organizations that provide credit information⁴ to banks and financial institutions and assess credit worthiness of individuals based on their past repayment and default records. Banks can, through such information, determine whether they should provide credit facilities to the client. A CIC is required to furnish information to its members and has to maintain principles of privacy enumerated under Section 20 of the CIC Act. No information received under the CIC Act by the CIC shall be disclosed to any person other than the specified user, or by the specified user to any other unauthorized person unless permitted or required by law. A borrower is also guaranteed a certain amount of protection under the CIC Act. A borrower seeking credit may request the credit institution to provide a copy of the information obtained from the CIC, and in case of any error in the information provided, he can request the CIC to update or correct the information.

³ Information Privacy in Banking, Jerry Kang, Vol. 50, No. 4, 1998, pp. 1195.
⁴ The regulation of the banking sector, Cambridge University Press, 2014, pp. 12.

Enforcement

⁵Despite these protections being available under Indian law, it appears through judicial pronouncements that there is a clear lack of enforcement. The need for a comprehensive legislation, which would regulate banks with respect to data privacy, was evidenced in the case of Punjab National Bank v Rupa Mahajan Pahwa,⁶ in which Punjab National Bank had issued a duplicate passbook of a joint savings bank account held between the petitioner and her husband, to an unauthorized person. The Delhi State Consumer Disputes Redressal Commission, while awarding compensation to the petitioner, held that there was a deficiency on the part of the bank in issuing the passbook and passing on some other information, which was not to be disclosed to another person. Another case where the Court held that the Bank had been negligent in operating sensitive data and hence awarded compensation to the customer is Umashankar Shivasubramanian v. ICICI Bank.⁷ In this case, the customer received an email from ICICI Bank requesting certain information.

Since ICICI Bank had a practice of sending routine emails to its customers, the customer responded to the email with his details. Post this, some money was debited from his account to another accountholder with ICICI Bank and this money was withdrawn immediately from the account. The bank claimed that they had not sent the email in question and it was a case of phishing and hence they were not liable. The Adjudicating Officer before the Judicature of Chennai, however, held that the bank had failed to put in place a foolproof internet banking system with adequate levels of authentication and validation, and that know your customer norms had also been violated. The case is, however, still pending before the Cyber Appellate Tribunal. The above two cases are a clear indication of the poor enforcement mechanism of the prevailing data protection laws.

⁵ Cyber Security in Banking Sector, Michael, Vol. 8, Issue 2 (December 2019), pp. 39.
⁶ (2015) CPJ 620 (NC)
⁷ Civil Appeal no. 2462 of 2008.

Information Utilities

⁸Recently, with the introduction of the Insolvency and Bankruptcy Code, 2016 (the Code), a new concept of the Information Utilities (IU) was brought into the picture and subsequently notified with effect from 1 April 2017. An IU under the Code is an infrastructure facility which, like the CIC, is to create a financial information database of all entities availing credit in the country with the aim to enable better decision making by creditors and to ensure discipline among debtors. To ensure data privacy, IUs are required to store all the information received in a facility located in India and should have high quality data storage systems to avoid loss/corruption of data. The information stored with an IU can only be accessed by certain specific categories of persons, which includes inter alia any user who submitted the information, National Company Law Tribunal, insolvency professionals and the Insolvency and Bankruptcy Board of India. With the introduction of the IUs, it can be seen that the Indian legislature is making an effort to ensure creditor as well as sensitive data protection. However, as mentioned earlier, since enforcement of data protection has been tenuous in the past, the working of IUs needs to be carefully monitored.

⁹Compared to data privacy laws in other countries, it can be seen that India is lagging quite far behind. With the approval of the General Data Protection Regulation (GDPR) in the European Union (EU) which is scheduled to come into force in May 2018, the data privacy framework of EU remains amongst the finest in the world. The GDPR seeks to ensure that personal data can only be gathered legally under strict conditions, for a legitimate purpose. There are also provisions which entail that any breach of privacy would have to be notified by the data controller to the supervising authority within 72 hours.

¹⁰Many view that even in comparison to other Asian countries such as South Korea, which in 2016 strengthened its data privacy laws by imposing stricter penal provisions for violations, and Singapore, which protects privacy under the Personal Data Protection Act, India lags behind. Considering that India is amongst the fastest growing financial markets with an astounding number of consumers, sustainable and appropriate measures must be given effect to attain a balance between the interests of financial institutions, and the rights and privacy of the customers.

⁸ Information Privacy in Banking, Jerry Kang, Vol. 50, No. 4, 1998, pp. 1197.
⁹ A comparative analysis of Indian Banking Legislation, Vol. 8, Issue 31, 2015, pp. 4.
¹⁰ Protection of Personal Data and Privacy in Banking Sector, Gashi, Vol. 9 (May 2020), pp. 76.

Broad Legislative Framework

Reserve Bank of India regulations 

The Reserve Bank of India has periodically issued guidelines, regulations and circulars which require banks to maintain the confidentiality and privacy of customers. Thus, the Master Circular on Credit Card Operations of banks issued by the RBI in July 2010 contains an elaborate set of provisions on “Right to Privacy” and “Customer Confidentiality” under a section titled ‘Protection of Customer Rights’.¹¹ The provisions, inter alia, forbid the banks from making unsolicited calls, delivering unsolicited credit cards and from disclosing customer information to any third party without specific consent. Similarly, the Master Circular on Customer Service in banks issued in 2009 contains a detailed clause on Customer Confidentiality Obligations. The clause reaffirms the customary banking obligation of secrecy and extends it by forbidding the usage of customer information for “cross-selling purposes”. It imposes a restriction on data collection by requiring Banks to “ensure that information sought from the customer is relevant to the perceived risk, is not intrusive, and is in conformity with the guidelines issued in this regard”.

In 2006, the Reserve Bank of India along with several banks of the Indian Banks Association (IBA) established a body called the Banking Codes and Standards Board of India (BCSBI) to evolve a set of voluntary norms which banks would enforce on their own. A number of guidelines and notices have been produced by the BCSBI including the “Code of Bank's Commitment to Customers” which most banks in India adhere to. Enforcement is through a series of internal grievance redressal mechanisms within each bank including a designated “Code Compliance Officer” and an Ombudsman.

¹²Though these guidelines do provide differing and useful degrees of security and privacy, the lack of legislative oversight and enforcement allows the standards to be applied per institution and per contract, and enforcement is not guaranteed through parliamentary sanctions.

¹¹ Privacy in Banking, Praneetha Vasan, Nikita Nehriya, May 30, 2017.

Customary/Statutory Banking Law

¹³When a person opens his/her bank account then he/she shares his/her sensitive personal data.¹⁴ Here are the regulations by the banking sector to protect the data of its customers –

State Bank of India Act, 1955

Section 44. Obligation as to fidelity and secrecy. (1) The State Bank shall observe, except as otherwise required by law, the practices and usages customary among bankers, and, in particular, it shall not divulge any information relating to or to the affairs of its constituents except in circumstances in which it is, in accordance with the law or practice and usage customary among bankers, necessary or appropriate for the State Bank to divulge such information. (2) Every director, member of a Local Board or of a Local Committee, auditor, adviser, officer or other employee of the State Bank shall, before entering upon his duties, make a declaration of fidelity and secrecy as in the form set out in the Second Schedule.

This section provides a secrecy clause for the bank as a whole and its directors, local boards, auditors, officers, or other employees. It makes it mandatory for them to maintain fidelity and secrecy by making a declaration in a prescribed form. It also states that the State Bank shall observe the practices of the bankers to avoid divulging any information or data related to its constituents.

Banking Companies (Transfer and Acquisition of Undertakings) Act, 1980

Section 13 – This section states that every new bank has to observe the practices of its bankers and prevent any information from being divulged except when it is required in the court of law or is very necessary for the bank to do so. Every member and employee of the bank also has to make a declaration of fidelity and secrecy in a prescribed form.

¹² Reviewing consumer protection in banking sector, Vol. 6, 2013, pp. 8.
¹³ Cyber Security in Banking Sector, Michael, Vol. 8, Issue 2 (December 2019), pp. 41.
¹⁴ Information Privacy in Banking, Jerry Kang, Vol. 50, No. 4, 1998, pp. 1198.

Credit Information Companies (Regulation) Act, 2005 and Credit Information Companies
Regulations, 2006

1. Section 19 – This section states that any credit information company, credit institutions, and specified users are responsible for preserving the accuracy and security of the credit information and also to ensure that data relating to that credit information is accurate and duly protected against any loss or unauthorised access or disclosure.

2. Section 20 – This section requires every credit information company to adopt the privacy principles for credit information and collection, processing, collating, recording, preservation, secrecy, sharing and usage of such credit information.

3. Section 22 – This section states that if anyone has unauthorized access to credit information owned by a company or a credit institution, then the person will be punished with a fine up to Rs. 1 Lakh, and if that person continues to possess that data then he has to pay the sum of Rs. 10,000 for every day.

The Public Financial Institutions (Obligation as to Fidelity and Secrecy) Act, 1983¹⁵

1. Section 3 – This section states that a public financial institution shall not divulge any information relating to its constituents or its affairs unless required by the court of law and very necessary for the public financial institution to divulge such information.

2. Section 4 – This section states that any member to whom this Act applies is required to make a declaration of fidelity and secrecy through a prescribed form.

A look at Data Protection Regime in India

¹⁶Infringements of computer systems, including liability and penalty for misrepresentation or misuse of personal information, are subject to the IT Act 2000, especially sections 43-A and 72-A.¹⁷ Section 43-A explicitly provides for data protection. It clearly states that if any corporate body handling or possessing any sensitive personal data or information in its computer was not careful in implementing a proper security system and lost or shared the data, and the negligence of the corporate body results in any wrongful loss or wrongful gain to any person, then it will be held liable to pay damages as compensation not less than five crore rupees.

¹⁵ Protection of Personal Data and Privacy in Banking Sector, Gashi, Vol. 9 (May 2020), pp. 80.
¹⁶ Data Protection & Cybersecurity, ANA Law Group, 2nd edn, 2019.
¹⁷ Section 43-A of IT Act, 2000.

¹⁸Section 72-A states that if any person or intermediary secures access to any personal information about another person while providing services of a lawful contract, without consent or permission, to cause wrongful loss or wrongful gain, then such person shall be punished with imprisonment not less than three years or with a fine of up to five lakh rupees or with both.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 cover the storage and distribution of sensitive personal data or information. The 2011 Rules require corporate organisations to have a privacy policy, to have prior authorisation to treat personal data, and to restrict the use and non-transfer of personal data for legitimate and important purposes.¹⁹ There is also a tortious recourse for any privately held breach of sensitive personal data. The Supreme Court upheld in the Puttaswamy case that the rights to personal privacy are fundamental rights. Accordingly, any party concerned about infringements of privacy has the right to take legal proceedings under writ jurisdiction in order to enforce their rights against the State. A recent case before the Kerala High Court involving a Sprinklr customer service app brought these problems to the fore and could be a test case for understanding how liability is resolved.

The Personal Data Protection Bill 2019 (PDP Bill) was submitted before the Lok Sabha. The PDP Bill proposes a statutory structure to ensure data sovereignty, regulate data flow, lay down data providers' rights, create a policy on data processing, set up a data-protection authority, and establish remedies and penalties for preventing infringement or non-authorized data processing or use.

Examples of privacy violations in the banking sector


²⁰There have been many instances in which one of the above violations has occurred. The examples below demonstrate that a privacy violation of any nature is never as simple as “the disclosure of personal data” or “unauthorized access”. Each violation has a unique context that raises important questions that must be answered when forming a privacy legislation, while at the same time demonstrating the need for a certain level of privacy protection to be applied across the board in the financial sector.

¹⁸ Section 72-A of IT Act, 2000.
¹⁹ Reviewing consumer protection in banking sector, Vol. 6, 2013, pp. 10.
²⁰ A comparative analysis of Indian Banking Legislation, Vol. 8, Issue 31, 2015, pp. 7.

Punjab National Bank 

In 2008, in the case of Punjab National Bank vs. Rupa Mahajan Pahwa,²¹ a bank was charged with issuing a duplicate passbook of a joint savings bank account of a husband and wife being maintained with “operational instructions” of either or survivor, to an unauthorized person. The bank was held accountable for the disclosed information, and was charged a fine with the instructions to look into the conduct of the officials who were supplying information to the unauthorized individual. The fact that a bank employee permitted an unauthorized person access to personal information raises the question of whether a privacy legislation should require that employees in the financial sector go through training on privacy procedures.

This example further demonstrates the need for:

• Specific guidelines on the instances in which each type of information can be disclosed.

• Appropriate notice to be given to customers for the disclosure of personal information. Notices of disclosure should include: initial privacy notices of the financial institution's policies and practices with respect to the disclosure and protection of personal information, and annual notices. If there are exceptions to be made, these should be clearly established.

Canara Bank

In the case of Canara Bank vs. Dist. Registrar and Collector,²² the District Registrar entered onto Canara Bank's premises and inspected its books and documents. After inspecting the documents they found an error, and seized the material. The bank argued that though the Registrar could inspect the documents, they did not have the authority to seize the documents without notice to the persons affected. The ruling of the case held that the exclusion of illegitimate intrusions into privacy depends on the nature of the right being asserted, and the way in which it is brought into play. This case demonstrates that context is a crucial element of protecting privacy and defining the right to privacy, and raises the question of how a privacy legislation should define context for the financial sector.

²¹ (2015) CPJ 620 (NC)
²² 2005 1 SCC 496

Bank of America

An example of a very common privacy violation by Bank of America was reported by the Utility Consumers' Action Network. In the case, Bank of America was charged for selling the personal information (social security numbers, bank account numbers etc.) of 35 million customers to marketers and third parties without informing individuals. Bank of America is now settling for $14 million, and agreeing to change its privacy policies, its Web site, and its privacy procedures. Perhaps the most alarming element to this story is that Bank of America violated its own privacy policy.

²³This example raises the questions of who should be regulating the banking sector, and whether the banking sector should be subject to audits more frequently or more stringently. Under what circumstances should data transfer be permitted, i.e. can financial institutions disclose encrypted account numbers to non-affiliated third parties as long as the access code is not provided? The example also demonstrates:

• ²⁴The need for a customer's personal data to be distinguished between public and non-public information.

• The need for opt-out options for customers, so they can choose if personal information is shared with non-affiliated third parties.

• The need for restrictions on re-disclosure and re-use of transferred or disclosed data.

Information Security Management Cloud Computing: Banking Sector

²³ The regulation of the banking sector, Cambridge University Press, 2014, pp. 14.
²⁴ Information Privacy in Banking, Jerry Kang, Vol. 50, No. 4, 1998, pp. 1199.

The following are considered by Banking and Financial Services for information security and privacy policies using cloud computing infrastructure:²⁵

A. Identity Access Management (IDM): This system allows users and services to be authenticated based on credentials and features. Credentials mean "User Identity" (or Single Network ID & Password), and features mean the specified cloud service operating system. As customer personal information and its financial history is accessible via cloud architecture, it is essential in the banking and financial services industry to identify users who access information. An IDM framework helps secure user access levels by defining them based on roles and duties.

B. Mechanism for Access Control and Access Logging: The delivery models of cloud services have complex architecture. Access control interfaces that include a policy-neutral access specification and enforcement structure must be implemented into this complex architecture. A Single Sign-On (SSO) approach is used to manage access, providing user access through various banking and financial services applications. This approach confirms user identity once, based on "Single User Id/Network Id" and security policy password. Access logging or tracking of user activity collects and stores logs of users using cloud technology, running and managing it. The tracking of user behaviour helps to document any changes to data and applications over the cloud infrastructure.

C. Role-Based Access Control and Malicious Insiders: Cloud storage is a shared infrastructure for third-party personnel, customers and services.²⁶ Role-based access monitors the access to information and maintains the correct level of access to information for users in accordance with tasks and responsibilities. Role-based access control is important to keep user data from being disclosed in any way. Malicious insiders are users who also have unidentified, authenticated and regulated access to the device. Such users can view and use data, which can be referred to as data theft by privileged access. In order to ensure the security of business records, access control and control of malicious insiders are considered.

D. Administration and Compliance: Cloud security management includes leadership, organisational structure and information-protection processes. Compliance requires government regulatory authorities to comply with the regulations so that they can operate in the system. Governance and enforcement ensure that the infrastructure is strategically aligned with client, company and employee needs. The department of governance and compliance in banking and financial services helps to protect the cloud architecture in the operating, tracking, measurement and communication framework.²⁷

²⁵ Security and privacy challenges in cloud computing environments, Hassan Takabi, James Joshi, p.5-p.8, IEEE Security and Privacy magazine, January 2011.
²⁶ Protection of Personal Data and Privacy in Banking Sector, Gashi, Vol. 9 (May 2020), pp. 86.

E. Cloud Service Provider (CSP) Service Level Agreements (SLAs) and CSPs: Cloud storage technology is still available from every remote location. Cloud services should be monitored and controlled well to satisfy these criteria. Cloud service providers are spread around geographic areas, so the arrangements are between two countries' legal jurisdictions. These contracts must comply with the cloud user's needs. These contracts must recognise issues related to privacy and data security for the protection of different customers' confidential information. SLAs and contractual agreements are therefore considered to be essential for the smooth running of cloud services, which also allow banking operations to run smoothly. SLAs help to identify time to be met and measures to respond to problems during working and non-working hours. SLAs ensure that services can be retrieved within the time constraints and that, in the event of defaults, cloud service providers are subject to sufficient financial penalties. This allows banking and financial services to meet losses due to downtime. In the case of misuse of data and infringement of policy related to data protection, contractual arrangements are intended to help ensure that appropriate measures are taken to prevent further harm or further loss of data.²⁸

F. Secure data deletion: Capture the data required for use and delete it when the aim and purpose are accomplished. This data deletion can be referred to as an action that must be carried out to ensure that there is room free to store fresh data. Safe data removal is a key factor for preventing misuse or abuse in future of cloud storage and user access. Cloud infrastructure from third parties needs data deletion and confirmation that the data cannot be recovered. In future, if data is not deleted, fake user identities and accounts may be accessed and misused in order to perform fraudulent activities. This will lead to financial crimes and more issues in building trust in cloud infrastructure. Protecting data security allows secure data removal.

²⁷ Secure use of cloud computing in the finance sector, Good Practices and recommendations, European network for network and information security, p.7-36, December 2015.
²⁸ Jorge Uffen, Personality trait and information security management: An empirical study of information security executives, Information Systems Institute, Leibniz University, Hannover, p1-p3, 2012.

G. Forensic capacity: Forensic capacity involves the ability to preserve data from machine
storage systems in the case of financial fraud to facilitate the investigation and to generate such
data to comply with legal requirements. With cloud infrastructure private to the bank, it is easier
to access logs from storage devices through internal approvals.29 Cloud service providers also
agree to fulfil these conditions from banking and financial services companies as part of
contractual agreements.

H. Cloud computing and externalisation: Cloud technology should fall under the jurisdiction of
the nation for banking and financial services. However, users who use the cloud infrastructure
are remotely located. Cloud services and data maintenance users may be outsourced for cost
efficiency. However, these users must be handled via the identity access management system.
These users will change over time, so many people will have access to the system and data.
Banking and financial companies cannot regulate these consumers. In the case of any problems
with the system, the financial and banking companies can comply with contractual arrangements
with cloud service providers, take necessary action (legal, punitive or otherwise) and apply
punishments to impose tighter security measures.30

The Personal Data Protection Bill 2019: A Scrutiny

On 11 December 2019, the Minister of Electronics and Information Technology introduced the
Personal Data Protection Bill for 2019 ("PDPB") in Lok Sabha. This Bill aims to ensure that
individuals' privacy relating to their personal data is protected and to establish an Indonesian
Data Protection Authority for certain purposes and matters relating to an individual's personal
data. The PDPB, inter alia, provides the method of collecting, processing, using, disclosing,
storing, and transferring personal data. Protection of "Personal Data" relating to personality,
attributes, feature of a natural person and "sensitive Personal Data", for example financial
information, health information, official identity of persons, sexual identity, sexual orientation,
biometric information, genetic data, transgender status, sexual or political belief, was proposed
by the PDPB.

29
Privacy in the Digital Age: A review of Information privacy research in Information systems, France Belanger,
MIS Quarterly, Vol. 35, No.4, pp 1017-1041/December 2011
30
Cyber security challenges: In brief, Eric A. Fisher, Congressional research services, p2. August 12, 2016

Application – The PDPB proposes to apply to the processing of personal data collected, transmitted,
disclosed or otherwise processed on India's territory: (a) processing by the government, an Indian
business or individual citizen, or any agency or organisation incorporated in India; and (b)
international companies operating in India with respect to individual personal data.

In order for the Central Government to properly target the provision of services or formulate
evidence-based policies, the PDPB shall not apply to the collection of anonymous data, other
than anonymous data or other non-personal data.31

Responsibilities of Data Fiduciary32

The processing of personal data is subject to certain purpose, collection and storage restrictions,
such as:

• The collection of personal data is restricted to the data required for processing purposes.
• Notice shall be provided for collection or processing of personal data to the
individual/data principal.
• Personal details shall only be kept for the purposes for which they are
stored and removed at the end of the processing period.
• At the start of the data collection, the consent is to be taken from the data principal.
• The trustee shall check the age and obtain parental consent while handling children's
confidential personal data.

Furthermore, data trusts shall take certain openness and responsibility measures, such as (i) the
preparation of privacy policies and (ii) adequate steps to ensure clarity in the processing of
personal information; (iv) inform the Agency by notification of any personal data violation; (v)
conduct an annual audit of its processes and policies; (vi) conduct an assessment of data impacts
where significant data is given. Trusteeship conducts data analysis concerning evolving or
sensitive personal data; (vi) in order to advise on and monitor data fiduciary activities, the
trustees shall appoint a data protection officer and (vii) institutional grievance resolution
mechanisms to deal with individual grievances.

31
Section 91(2) PDPB 2019.
32
Section 13 PDPB 2019.

Online privacy and its protection: A Need due to growing of online banking

The consent-and-notice system, along with the data processing constraints addressed hereafter,
presumes that consumer privacy costs are smaller than the benefits of protecting consumer
privacy within the framework proposed. This may not be the case. Firstly, consumers pay the
expense of opportunities to learn about their privacy. For example, there are substantial costs of
being fully aware of possible privacy threats by examining the company's privacy policy.33
Secondly, investment in privacy-enhancing technologies often costs consumers. Thirdly, users
who forbid their data from being processed ignore the benefits of such processing. For emerging
economies like India, an inventory of these costs and benefits will be necessary. The
government's Fintech report says that the use of emerging technologies such as artificial intelligence and
blockchain would resolve major access problems for large segments of society, particularly
small businesses, to finance.34

A country such as India, with low levels of access, will make very different choices between the
need for such access, on the one hand, to credit, insurance, and other financial services, and the
need for data privacy, on the other. The policy would likely overprotect privacy at a significant
cost to the economy by reducing innovation capacity. The bill does not actually state what
harms the notice and consent clauses and the data collection restrictions are meant to protect users
from. They are therefore not tightly tailored to protect against injury. They also have a
severe risk of restricting innovations that could greatly benefit India. It is not argued here that
data trustees should be allowed to use personal data without permission; however, it is not an
effective solution to monitor consent in order to protect personal data. Consumer protection
principles usually prohibit certain forms of contractual provisions in other economic activities,
such as banking, and require consumer notification of specific types of activities. This is tightly
adapted to behaviour styles that can impact clients.

33
Alessandro Acquisti, “The Economics of Personal Data and Privacy: 30 Years After the OECD
Privacy Guidelines,” in Joint WPISP-WPIE Roundtable (OECD, 2010), 18.

34
Steering Committee on Fintech Related Issues, Report of the Steering Committee on Fintech (New Delhi, India:
Department of Economic Affairs, Ministry of Finance, Government of India, 2019), 31–37.

In several other sectors, this regulatory strategy is pursued. For example, the EU Unfair
Conditions Directive states that a contractual term not individually agreed shall be considered
unreasonable where it leads to a substantial imbalance in the rights and obligations of the parties
arising out of the contract to the detriment of the buyer, contrary to the provision of good faith.35
This broad language is limited by requiring that the contract's unfairness be determined "with
due regard for the value of goods and services . the circumstances awaiting contract conclusion
and all other contract terms." This intersectoral directive aims to protect consumers from unfair
contractual conditions and allows Member States to implement legislation to protect consumers
from such conditions. In order to pursue the abovementioned path, the bill must transition from
an optimistic approach to a not so positive list. This will mean that the privacy of such contracts
must be observed if the users have voluntarily accepted the use of their data. Certain special
conditions or contractual arrangements may be considered too damaging to customers, and a
regulatory body may be empowered to decide the terms periodically. In addition, no restriction
or liability on the use of personal data should be enforced when users explicitly agree to it.
This means that requirements for thorough notification and consent are not necessary.
Although data should always be processed with the consent of the user, intent, fairness, and data
storage limitations are not necessary. This strategy could have a better chance of protecting
users' personal information in the most economical way.

Judicial Development

Shankarlal Agarwalla v. State Bank of India36

A customer owned 261 bank currency notes of Rs. 1,000/- each. Following the demonetisation of
high value currency notes in 1978, he tendered these notes to the bank along with the requisite
declaration and instructed the bank to credit his Current Account with the amount. The bank
made the declaration made by the customer available to the Income-tax Department, which issued a
notice under Sec. 226(3) of the Income-tax Act, attaching the said sum. Later the sum was
released.

35
Council of the European Communities, “COUNCIL DIRECTIVE 93/13/EEC of 5 April 1993 on Unfair Terms in
Consumer Contracts,” L 95/29 § (1993), 
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31993L0013, Article 3(1).
36
AIR 1987 Cal 29

The Calcutta High Court observed that among the duties of the banker towards the customer was
the duty of secrecy. Such duty is a legal one arising out of the contract and was not merely a
moral one. Breach of it could, therefore, give a claim for nominal damages or for substantial
damages if injury resulted from the breach. It was, however, not an absolute duty, but was a
qualified one subject to certain exceptions. The instances being (1) the duty to obey an order
under the Bankers' Books Evidence Act, (2) cases where a higher duty than the private duty is
involved, as where danger to the State or public duty may supersede the duty of the agent to his
principal, (3) of a bank issuing a writ claiming payment of an overdraft, stating on the face the
amount of overdraft, and (4) the familiar case where the customer authorises a reference to his
banker. The learned Judge further observed that the State Bank of India was directed by the
Reserve Bank of India and the Ministry of Finance to furnish all particulars regarding deposit of
bank notes to the Income-tax Department as soon as such notices were received. This instance
had, therefore, come within the exceptions.

ICICI Bank vs State of Madhya Pradesh37

It was held that the impugned provision in Sec. 73 of the Stamp Act, 1899 enabling the Collector to
authorize 'any person' whatsoever to inspect, to take notes or extracts from the papers in the
public office suffers from the vice of excessive delegation as there are no guidelines in the Act
and more importantly, the section allows the facts relating to the customer's privacy to reach
non-governmental persons and would, on that basis, be an unreasonable encroachment into the
customer's rights. This part of the Section 73 permitting delegation to 'any person' suffers from
the above serious defects and for that reason is, in our view, unenforceable. The State must
clearly define the officers by designation or state that the power can be delegated to officers not
below a particular rank in the official hierarchy, as may be designated by the State.

District Registrar and Collector, Hyderabad v. Canara Bank38

It was held by the Hon’ble Supreme Court that the right to privacy of a person also
includes the documents of his/hers given to the bank, which should remain confidential. The Court also
declared invalid Section 43 of the Stamp Act (as amended in Andhra Pradesh), which
allowed the Collector to have access to and inspect the register, books and records, papers,
documents with any public officer. The right to privacy and the power of the State to 'search and
seize' have been the subject of debate in almost every democratic country where fundamental
freedoms are guaranteed. Confidentiality of relationship: It cannot be denied that there is an
element of confidentiality between a Bank and its customers in relation to the latter's banking
transactions. Can the State have unrestricted access to inspect and seize or make roving inquiries
into all Bank records, without any reliable information before it prior to such inspection?
Further, can the Collector authorize 'any person' whatsoever to make the inspection, and permit
him to take notes or extracts? These questions arise even in relation to Sec. 73 and have to be
decided in the context of privacy rights of customers.

37
Writ Petition No. 1060/2012 And 645/201.

38
2005 1 SCC 496.

Kotak Mahindra Bank Ltd. V. Hindustan National Glass & Ind.ltd.& Ors39

It was held that the disclosure of any credit information under the Credit Information
Companies (Regulation) Act, 2005 (30 of 2005) (3) Notwithstanding anything contained in any
law for the time being in force, no Court, Tribunal or other authority shall compel the bank or
any banking company to produce or to give inspection of any statement submitted by that
banking company under section 45C or to disclose any credit information furnished by the bank
to that banking company under Section 45D.” We have already held that information relating to
a party who has defaulted in payment of its dues under derivative transactions to the bank is
credit information within the meaning of Section 45A(c)(v) of the 1934 Act. Sub-section (1)
of Section 45C of the 1934 Act provides that the RBI may at any time direct any banking
company to submit to it such statements relating to such credit information and in such form and
within such time as may be specified by the RBI from time to time.

Shankarlal Agarwalla vs State Bank Of India And Anr40

It was explained that once it is seen that the right to privacy is not an absolute or inviolable right,
then the next question that falls for consideration is as to whether the Bank, with whom the
customer has a fiduciary relationship, is entitled to disclose or publicise the information in their
possession, resulting in a breach of the duty of secrecy and confidentiality. Dealing with the duty
of the Bank to maintain secrecy qua its customer, it was held: "It is an implied term of the
contract between a banker and his customer that the banker will not divulge to third person
without the express or implied consent of the customer either the state of the customer's account
or any of his transactions with the bank or any informations relating to the customer acquired
through the keeping of his account unless the banker is compelled to do so by order of a Court or
the circumstances give rise to a public duty of disclosure or protection of the banker's own
interest requires it."

39
(2013) 7.SCC 369.
40
AIR 1987 Cal 29.

Conclusion

Banks in India have strategically adopted new technologies to deliver better customer services,
cut costs and gain competitive advantage. While the benefits of technology adoption are visible
across the public and private sector banks, the technology risks emerging from these
technologies have also grabbed attention in the recent years. Although external threats have
remained a key driver for banking security, the Central Bank's leadership through guidance and
compliance norms, has also contributed to the strengthening of security culture in the banks.
Apart from these two factors, the recent amendment to Information Technology Act is also
emerging as an important regulatory factor that is driving the security as well as privacy
initiatives in the banks.

Banking industry is responding to the contemporary security challenges through a formal
security function that derives inspiration from leading security standards for overseeing security
initiatives in the banks. Along with aligning the security initiatives to these leading security
standards, banks need to invest their energies on providing architectural treatment to security,
continuously assessing their exposure to threats through exercises such as threat modeling, and
imbibing the practice of ‘security in design.’ This will bring a structured approach in their
defense strategies and programs for efficiently & effectively mitigating the real threats by
ensuring that security is considered right from the design phase of any product or service.

Bibliography

Articles&Journals

• Cyber Security in Banking Sector, Michael, Vol. 8, Issue 2 (December 2019)
• Steering Committee on Fintech Related Issues, Report of the Steering Committee on
Fintech (New Delhi, India: Department of Economic Affairs, Ministry of Finance,
Government of India, 2019), 31–37.
• A comparative analysis of Indian Banking Legislation, Vol. 8, Issue 31, 2015.
• Privacy in Banking, Praneetha Vasan, Nikita Nehriya, May 30, 2017.
• Reviewing consumer protection in banking sector, Vol. 6, 2013.
• Protection of Personal Data and Privacy in Banking Sector, gashi, Vol. 9, (May 2020).
