Is TransUnion-CIBIL guilty of Accessing Critical Personal Data through surreptitious means?

Indian consumers of credit card services have frequently been expressing their dissatisfaction with the role of CIBIL as a credit rating agency.

It is often accused of cheating the public by not providing the free credit report which it is supposed to provide once a year, of inefficiency in not updating customer data, and on occasions of receiving false data from the Banks, whether by error or by design.

The travails of the credit subjects have been well captured in the article “How CIBIL Can mess-up your credit score” in

I will not discuss this further except to say that such incidents happen fairly regularly and reflect the callous manner in which the service is managed.

But I would like to point out that life for CIBIL will not remain as comfortable as it is now in the coming days, when the PDPA (Personal Data Protection Act) becomes law and a Data Protection Authority is set up in India. Then CIBIL and the other personal credit rating agencies in India will be answerable to the data protection regulations, which will include civil and criminal liabilities.

CIBIL (Credit Information Bureau (India) Limited) came into existence in August 2000, entered consumer operations in 2004 and commercial credit operations in 2006.

Initially, CIBIL was perceived to be a company started by RBI with equity contributions from different Banks, as indicated in the above shareholding pattern. (Reference

However, current information indicates that 92.1% of its shares are now held by TransUnion, a US-based company. The ownership of TransUnion CIBIL is therefore in the hands of a foreign company. This company now holds the credit data of about 550 million Indians, which is “Sensitive Personal Information” under ITA 2000 and will be “Critical Personal Information” under the PDPA. Hence this company will come under the Data Localization rules.

Further, this company has so far collected personal data not from the data subjects but from the Banks. There was initially no consent from the data subjects. Subsequently, since the Credit Information Companies (Regulation) Act, 2005 was notified on 23rd June 2005, the presumption is that Banks are sharing the personal data under permission from RBI. But this is not the correct legal position. TransUnion is a commercial entity which has about 2400 members from the Banking and FinTech companies in India and collects a fat fee from them for every credit score reference they receive.

TransUnion CIBIL is therefore an MNC which has taken over an Indian company along with highly valuable critical personal data worth billions of rupees, and is making a huge profit from it.

The manner in which TransUnion has acquired access to the critical personal data of Indian citizens is through a clever manipulation: the takeover of a company along with its data assets. This is “Data Laundering”.

How this was allowed to happen is a matter which needs investigation. Who gave the permission? Was it the Finance Ministry headed by Mr P Chidambaram? Who was the RBI Governor who allowed this set-up? All of this needs to be verified.

Is there a scent of a scam?… I request Dr Subramanyam Swamy/Pgurus to take a look.

From the case referred to above, it is clear that TU-CIBIL is guilty of

a) Not keeping the personal data properly updated and accurate

b) Using an automated decision making process to make profiling decisions about the individuals

c) Not obtaining explicit consent from the data subjects for the profiling

d) Not informing the data subjects that their personal data is being collected from third parties for profiling and generating the Credit Score

e) Sharing the credit score which may be incorrect and adversely affect the reputation of the individuals.

f) Transferring the critical personal data across the border for processing without explicit consent, etc.

The apparent violations by the company are extremely serious and need immediate action from the Government of India, first under the Information Technology Act, to check whether it is practising “Reasonable Security Practice” and “Due Diligence”. An immediate audit by CERT-IN is warranted.

RBI has powers under the Credit Information Companies (Regulation) Act, 2005, notified on 23rd June 2005, to regulate such credit rating agencies. It would be interesting to know whether RBI has ever conducted an audit of CIBIL or, as with PNB, left it to God’s wish that the security of information takes care of itself. Perhaps the current RBI administration may answer this.

When PDPA becomes effective, the data collected prior to the implementation date will become illegal and will have to be destroyed. This means that unless TransUnion CIBIL obtains “Explicit Consent” on or after the date of PDPA notification, it cannot be allowed to continue in business.

I warn CIBIL users to take note that if the Government takes action against CIBIL, as it should, their business continuity may be adversely affected. They therefore need to secure themselves against such a contingent event.

I am looking forward to receiving a counter from CIBIL regarding the above and, if received, would be happy to publish it here. If no response comes from them, it will be presumed that the inferences drawn here are perhaps true.

Those in Nasscom and DSCI who have been championing the opposition to Data Localization also need to comment on whether TransUnion should be allowed to transfer the data outside India, and what action is to be taken to ensure that the data already transferred out is erased from the servers in the US or elsewhere.


Comments Welcome


1 Response to Is TransUnion-CIBIL guilty of Accessing Critical Personal Data through surreptitious means?

  1. Sisir says:

    Credit rating agencies for bank customers are a foreign concept which has been blindly imported and imposed on us, without even studying its relevance and suitability. Interestingly, this concept has been heavily modified to the advantage of bankers while doing so. The very CIC (Regulation) Act violates the confidentiality that banks have to maintain about their customers’ data.

    The CIC (Regulation) Act has legitimized creation of a platform which is being used by banks to abuse and harass their customers. Nowadays, this platform is being used as a parallel court by many banks, more so by private banks operating in India. Instead of working with their customers in rescheduling, when they deliberately report badly about customers, there is no easy recourse for the customers that works reliably to set this right.

    Moreover, when bankers deliberately ensure that such customers are reported badly to those agencies and ensure that they do not get any other loans, they are already punishing those customers. Why do they take such customers to courts then? The law clearly says that there cannot be two punishments for one wrongful act. And inability to pay is not in itself a crime unless the motive (mens rea) is established.

    The need of the hour is for SC to review the CIC (Regulation) Act in toto and order its revamp or repeal accordingly. But, leaving the lawyers aside, how many of our Judges understand all this and how many of them would stand upright for the sake of the citizens is the bigger question.

    So even without PDPA, it was already an illegality. Banks being stakeholders of such agencies is another absurdity, enriching them further for every credit report we purchase. With whatever little law I know, this is what I would like to add to this, based on my observations and experiences.
