The Narendra Modi government has built a great Indian internet firewall against Chinese apps due to concerns over data security. But there is a potential gap that the government has so far ignored, which experts warn could prove risky.

India does not have stringent laws to monitor data collected by homegrown fintech companies, many of which are heavily funded by foreign players – including a bunch of Chinese investors.

If foreign investors hold a substantial stake in a company, they could compel it to part with customer data collected directly or via affiliates, said Probir Roy Chowdhury, partner at Mumbai-based law firm J Sagar Associates.

And Indian fintech players are huge data mines. They collect and crunch users’ data, which helps them sell products ranging from loans to insurance as well as offer payment services. They end up amassing information such as users’ money transfer records and what they purchase and browse. This also helps fintech firms assess the creditworthiness of a user.

“Given various factors including the growth of the digital economy, lenders have been expanding access to credit at the risk of customers’ data privacy,” says Ayushi Tandon, senior fintech analyst at GlobalData.

Protection of users’ data on these platforms hinges only on hope, as startup experts believe these companies don’t typically share any information other than business-related facts with investors.

“Technically, a shareholder can ask for the data from a startup,” said Harish HV, managing partner at ECube Investment Advisors. “But, usually, such demands are not made as only financial statements and overview operational data is provided to investors.”

Data law for fintech

With fintech players holding such sensitive data, the authorities have in the past taken some steps to protect users’ interests. “The Reserve Bank of India mandates all entities operating payment systems in India, including banks, to mandatorily store all payment data exclusively on servers in India,” said Chowdhury.

In fact, this was the pivotal reason behind the delay in giving Facebook-owned WhatsApp a go-ahead to start its payment service in India.

But experts believe the implementation of a strong data protection law is extremely important to protect users’ data. The Indian government is trying to address these concerns through a new Personal Data Protection law, which is still in the works.

Citing the examples of the European Union and the United Kingdom, which have implemented data protection laws to safeguard the personal data of their citizens and companies, Rajiv Biswas, APAC chief economist at IHS Markit, said, “India has lagged far behind in its data protection regulations.”

After years of deliberation, in April 2016, the EU passed a law that gives users more control over their data. For instance, companies have to tell users the reason behind collecting a data set and for what purpose it is being used.

Analysts state that the absence of any such law in India is a concern but the new draft, when enacted into law, could be as “powerful” as the EU’s General Data Protection Regulation.

“It will further restrict stored data crossing the borders. Also, consumers on the other hand will have the knowledge of which all entities hold their data,” says Arushi Chawla, a research associate with Counterpoint Research. “This two-way transparency will protect the user’s data in today’s unavoidably connected ecosystem.”

The general consensus now is that while Chinese money helps the Indian fintech space not only weather the Covid-19 slump but also scale up, it has become more important than ever that the Modi government implements the new data policy as early as possible.

This article first appeared on Quartz.