How Does DPDPA Consent rule apply to CIBIL?

Today’s Economic Times carries an article, “Banking Access at Risk if you seek to delete Credit Data”, which is an argument for exempting Credit Information Companies from the rigours of the Data Protection Act.

Naavi.org has been in the forefront of raising a complaint about CIBIL, which collected an enormous amount of data under its special status and transferred its shareholding to a foreign company, placing personal information worth lakhs of crores of rupees in the hands of a foreign company without any consent from the data principals.

Naavi.org has detailed its concerns in the following articles:

1. Is TransUnion-CIBIL guilty of Accessing Critical Personal Data through surreptitious means?

2. CBI Enquiry is required for finding the truth behind TransUnion taking over CIBIL

The essence of these articles is that the value of data assets owned by CIBIL was transferred to a different company and outside India in a form which can be called “Data Laundering”.

Today’s article in ET threatens that if any Indian data principal has the vision of using the DPDPA and asking for deletion of personal data with CIBIL, then they may be denied further loan facilities by the Banks.

The threat is attributed to an IT Ministry official but has a serious flaw in the argument.

At present, the CIC (Credit Information Company) comes into the picture as an agent of the lending Bank and not through any direct relationship with the data principal. The Banks may obtain a consent to share the credit information with the CIC. However, if the Bank denies the loan solely because the data principal refuses to permit sharing of his data with the CIC, it could come in conflict with the “Right to withdraw Consent” and the “Obligation to erase on completion of the consented process”.

The data principal has no direct relationship with the CIC and hence it is the responsibility of the credit giving Bank to get the data with the CIC removed after the closure of the loan when the purpose of the consent is over.

A Bank which has given a loan cannot indefinitely keep the previous loan data, that too with a third-party processor, on the speculation that the person may apply for another loan in future and the information would be useful at that time. This would be a speculative retention of the data.

Further, if it is required to keep the information for a reasonable period for tax or other purposes, the consent may be used by the lending Bank to keep the data with itself. Since no processing is involved, there is no case for allowing the CIC to be a personal data storage company on its behalf.

The purpose for which the CICs were established was to prevent a borrower from borrowing from multiple Banks and ending up as a defaulter. However, they are presently being used as Big Data Processors that analyze every EMI and determine the repayment efficiency.

While we can accept the need for such an agency from the point of view of credit discipline, it cannot be allowed to function without a direct consent from the data principals.

Hence, instead of the system of Banks taking a consent in their loan applications to share the data with the CICs, it is better if CICs become specialized Consent Managers under DPDPA for the exclusive purpose of providing consent in the loan application context.

For this purpose they need to be licensed by the DPB and follow the Data Protection discipline that the DPDPA 2023 imposes in the form of Consent and Legitimate use.

One of the requirements of accrediting such consent managers should be the “Fitness criteria” which should include that the CIC should be an Indian Company with Indian promoters and should not be used for data laundering.

Referring to the article, in case a Bank refuses to provide the loan for the sole reason that the consent to share the data with a CIC is refused, then it may be disputed as an unfair condition attached to the service.

The reading of DPDPA 2023 is that personal data can be processed only under Consent or under Legitimate interest or under Exemption. The legitimate interest clause has “Legal obligation” as one excuse so that if the disclosure of personal data is a legal necessity for the Bank, the sharing may be acceptable. However, after the loan is repaid there is no contractual relationship persisting between the Bank and the Customer and hence the Bank cannot refuse to get the data with the CIC erased.

At the time of the new loan application, it may be in order to ask for information about previous loans. In between it may be acceptable as a legitimate interest to retain the data for a reasonable period by the Bank with itself and not with the CIC.

Some of these issues will perhaps go to a Court shortly after the Act becomes fully effective and will get clarity.

In the meantime, FDPPI’s DGPSI adopts a “Consent Management Framework” that ensures that the consent is obtained by the Bank from the data principal to share the data with the CIC at the time of granting of a loan and is taken back after the loan is closed.

In the instance when a loan is closed and the Bank or CIC defaults in maintaining the accuracy of information, resulting in the lowering of the credit rating of the data principal, the Bank has to take on the liability under DPDPA. The CIC will be liable to the Bank under the contract and also under ITA 2000.

Beyond this general implication of DPDPA, we have to wait and see if MeitY tries to bail out the CICs from their responsibilities, in which case a challenge in the Supreme Court is inevitable.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.