The government’s directive emphasises the need for compliance with the DPDPA’s provisions
The Ministry of Home Affairs (MHA) has taken a firm stance to halt the unauthorised use of Permanent Account Number (PAN) data, marking a significant step in enforcing the provisions of the Digital Personal Data Protection Act (DPDPA), 2023. This move is a direct response to growing concerns about the misuse of Personally Identifiable Information (PII) and aims to bolster data privacy standards in the digital ecosystem.
The government’s directive emphasises the need for compliance with the DPDPA’s provisions, including the use of secure channels for data processing and obtaining explicit user consent. It sets a critical precedent for the tech industry to follow, compelling companies to adopt transparent data practices that reinforce trust in the digital economy.
Highlighting the risks associated with the unauthorised use of PAN data, Sandeep Agrawal, Director and Founder of Teamlease Regtech, noted, “The Ministry of Home Affairs’ directive to halt unauthorised use of PAN data enforces compliance with the Digital Personal Data Protection Act, 2023. The government’s crackdown aims to protect citizens’ Personally Identifiable Information (PII), requiring compliance with the DPDPA 2023, which mandates secure channels and user consent for data processing. The government is setting a clear precedent for data privacy in the tech industry. This compels companies to prioritise transparent data practices and ensures user consent, which are foundational to trust in the digital economy. With PAN cards serving as critical identifiers in financial transactions, unauthorised access could lead to fraud and privacy violations. With penalties as high as ₹500 crore for significant data breaches, the onus is now on fintech and consumer tech firms to strengthen data protection measures, mitigating risks of fraud while aligning with India’s robust data privacy framework.”
As the directive unfolds, regulated fintech entities with existing compliance mechanisms appear better positioned to navigate the changes. Abhishek Saxena, Managing Director and Co-Founder of OmniCard, shared his perspective, stating, “The misuse of critical identification tools like PAN not only erodes trust in fintechs but also exposes end consumers to significant risks. Coupled with the mandatory PAN-Aadhaar linkage, this directive pushes the industry to be ready with a robust framework for digital transformation. For regulated fintechs, particularly those with PPI or PA licences, the impact is less pronounced as stringent compliance protocols are already embedded in their operations. This crackdown primarily targets unregulated entities that bypass these standards, creating opportunities to optimise the sector and foster trust among consumers and regulators alike. For lending firms and similar fintechs, this may present short-term challenges in adapting processes. However, in the long run, this will help achieve a more equitable playing field.”
The government’s heightened vigilance, backed by hefty penalties of up to ₹500 crore for breaches, signals a transformative era for data privacy in India. By holding both regulated and unregulated entities accountable, the directive ensures a level playing field while prioritising consumer trust. For the financial and tech sectors, this is both a challenge and an opportunity to realign operations with India’s robust data privacy framework.

