Bill Alert System goes wrong

There are many services in the fintech arena where the service provider tries to assist the account holder in paying pending bills. For this purpose the service provider obtains permission to view the account holder's SMS and periodically reads the SMS inbox looking for bill notifications.

Under the DPDPA, such access requires the account holder's consent and is governed by the Act's consent provisions. That consent is purpose-specific and has to be treated as exhausted once the purpose is served; the data access it permits has to stop at that point.

I recently came across such "Bill Alerts" from CRED on the CRED application linked to my mobile number. These bills were not related to me and had I mistakenly clicked "Pay Now", the payment could have been effected.

I therefore consider the message as an “Attempt to induce me to make payment to a third party” which is an offence under ITA 2000 and BNS.

Last time, CRED had indicated that the message could have been picked up from my SMS store and I also presumed that the mistake might have been at the HESCOM side in wrongly linking my mobile with another account.

I am now given to understand that the mobile number associated with the account in HESCOM is not my mobile. However, I have received the CRED alert again today. I am not able to view the corresponding SMS in my SMS inbox.

Under the circumstances, I feel that CRED has picked up the bill from a source other than my SMS inbox.

If so, the mistake lies with CRED and not HESCOM. If this is true, I owe an apology to HESCOM and I am duty bound to apologize. I am yet to get confirmation, but my advance apologies to HESCOM if the mistake lies with CRED.

We can now surmise that CRED has my account as well as the account of the individual whose bills are coming to my CRED account. Perhaps CRED has misconfigured the accounts or their technical system is sending the bills of one client to another. Alternatively, it is possible that HESCOM has corrected its mistake but there is a cache maintained by CRED where the bills related to another account are still getting diverted to my account.
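The two failure modes above (a bill for someone else's utility account reaching my app, and a cached mis-link surviving after the utility corrects it) are the kind of thing an aggregator can gate against before showing a "Pay Now" button. The following is an added, hypothetical Python illustration, not CRED's or HESCOM's code and not part of the original post; the class and method names, the purpose label `sms_bill_read`, and the mobile and consumer numbers are all constructed for the example. It binds every bill to the channel it came from, refuses bills whose account the user never registered in-app, and revalidates its cache against the utility's current mobile-to-account mapping instead of trusting what was fetched earlier.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Bill:
    consumer_no: str          # utility account the bill belongs to
    amount_inr: int
    source: str               # "sms" or "utility_api": where the aggregator obtained it
    source_mobile: str = ""   # for "sms": the subscriber whose inbox was read


@dataclass
class UserProfile:
    mobile: str
    consents: Set[str] = field(default_factory=set)             # live purpose-bound consents
    linked_consumer_nos: Set[str] = field(default_factory=set)  # accounts the user registered in-app


class BillAlertGate:
    """Hypothetical gate in front of the 'Pay Now' alert (constructed example)."""

    def __init__(self) -> None:
        # mobile -> bills fetched earlier; this is the stale-cache suspect in the post
        self.cache: Dict[str, List[Bill]] = {}

    def check(self, user: UserProfile, bill: Bill) -> Tuple[bool, str]:
        """Return (allowed, reason). Every rejection names the binding that failed."""
        if bill.source == "sms":
            # Purpose-bound consent: once withdrawn or exhausted, SMS-derived bills stop.
            if "sms_bill_read" not in user.consents:
                return False, "SMS consent absent or withdrawn"
            # An SMS read from a different subscriber's inbox must never be surfaced here.
            if bill.source_mobile != user.mobile:
                return False, "bill was read from another subscriber's SMS store"
        # The utility's mobile->account mapping is not trusted on its own: the bill must be
        # for an account the user registered in the app (the utility's linkage could be wrong).
        if bill.consumer_no not in user.linked_consumer_nos:
            return False, f"account {bill.consumer_no} is not linked to {user.mobile}"
        return True, "ok"

    def revalidate_cache(self, user: UserProfile, utility_accounts: Set[str]) -> List[Bill]:
        """Re-run the checks on cached bills against the utility's *current* mapping, so a
        mis-link the utility has since corrected does not keep resurfacing as an alert."""
        kept = [
            b for b in self.cache.get(user.mobile, [])
            if self.check(user, b)[0] and b.consumer_no in utility_accounts
        ]
        self.cache[user.mobile] = kept
        return kept


def run_example() -> Dict[str, object]:
    """Constructed scenario mirroring the post; returns the decisions for inspection."""
    me = UserProfile("9000000001", {"sms_bill_read"}, {"HESCOM-1111"})
    gate = BillAlertGate()
    mine = Bill("HESCOM-1111", 1200, "utility_api")
    someone_elses = Bill("HESCOM-2222", 3400, "utility_api")
    from_other_inbox = Bill("HESCOM-2222", 3400, "sms", source_mobile="9000000002")
    my_sms_bill = Bill("HESCOM-1111", 1200, "sms", source_mobile="9000000001")

    results = {
        "mine": gate.check(me, mine),
        "someone_elses": gate.check(me, someone_elses),
        "from_other_inbox": gate.check(me, from_other_inbox),
        "my_sms_bill_before_withdrawal": gate.check(me, my_sms_bill),
    }
    me.consents.discard("sms_bill_read")  # purpose served / consent withdrawn
    results["my_sms_bill_after_withdrawal"] = gate.check(me, my_sms_bill)

    # Stale-cache case: an earlier unguarded fetch cached both bills while the utility
    # wrongly mapped this mobile to HESCOM-2222; the utility has now fixed the mapping.
    gate.cache[me.mobile] = [mine, someone_elses]
    results["cache_after_revalidation"] = [b.consumer_no for b in gate.revalidate_cache(me, {"HESCOM-1111"})]
    return results


if __name__ == "__main__":
    for name, outcome in run_example().items():
        print(f"{name}: {outcome}")
```

The point of `revalidate_cache` is that cache entries are only as trustworthy as the mapping that produced them; an aggregator that keeps alerts around after the utility corrects a mis-link is exactly the scenario the post suspects, and the gate treats the user's own in-app registration, not the utility's mapping, as the authority for which accounts may be surfaced.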

I have raised a query with CRED now and am expecting a reply.

Once DPDPA 2023 penalties kick in, these are mistakes for which penalties of up to Rs 250 crore may be applicable. Until then, the remedy is under ITA 2000, which is even more serious. I hope corporate entities understand their responsibilities when they take "Data Access permissions", particularly if they are not capable of managing the data collected.

While I have used the example of CRED here because it is from my personal experience, this could be happening with others also, including banks.

Looking forward to getting more information on this case.

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.