Indian consumers of Credit Card services have frequently expressed their dissatisfaction with the role of CIBIL as a credit rating agency.
It is often accused of cheating the public by not providing the free credit report which it is supposed to provide once a year, of inefficiency in not updating customer data, and on occasion of receiving false data from the Banks due to error or design.
The travails of the credit subjects have been well captured in the article “How CIBIL Can mess-up your credit score” in moneylife.in.
I would not go into discussion of this more except to say that this happens fairly regularly and reflects the callous manner in which the service is managed.
But I would like to point out that life for CIBIL will not remain as comfortable as it is now in the coming days, when PDPA (Personal Data Protection Act) will become law and a Data Protection Authority will be set up in India. Then CIBIL and the other Personal Credit rating agencies in India will be answerable to the Data Protection regulations, which will include civil and criminal liabilities.
CIBIL, or Credit Information Bureau (India) Limited, came into existence in August 2000, entered consumer operations in 2004 and commercial credit operations in 2006.
Initially, CIBIL was perceived to be a Company started by RBI with equity contributions from different Banks as indicated in the above share holding pattern. (Reference taxguru.com)
However, current information indicates that 92.1% of its shares are now held by TransUnion. TransUnion is a US-based company. The ownership of TransUnion CIBIL is therefore in the hands of a foreign company. This company now holds about 550 million India’s credit data which is “Sensitive Personal Information” under ITA 2000 and will be “Critical Personal Information” under the PDPA. Hence this company will come under the Data Localization rules.
Further, this company has so far collected personal data not from the data subjects but from the Banks. There was initially no consent from the data subject. Subsequently, since the Credit Information Companies (Regulation) Act, 2005, was notified on 23rd June 2005, the presumption is that Banks are sharing the personal data under permission from RBI. But this is not the correct legal position. TransUnion is a commercial entity which has about 2400 members from the Banking and FinTech companies in India and collects a fat fee from them for every credit score reference they receive.
TransUnion CIBIL is therefore an MNC which has taken over an Indian company along with highly valuable critical personal data worth billions of rupees and is making a huge profit.
The manner in which TransUnion has acquired access to the critical personal data of Indian citizens is through a clever manipulation: the takeover of a company along with its data assets. This is “Data Laundering”.
How this was allowed to happen is a matter which needs investigation. Who gave the permission? Was it the Finance Ministry headed by Mr P Chidambaram? Who was the RBI Governor who allowed this set up? All of this needs to be verified.
Is there a scent of a scam?… I request Dr Subramanyam Swamy/Pgurus to take a look.
From the case referred to above, it is clear that TU-CIBIL is guilty of
a) Not keeping the personal data properly updated and accurate
b) Using an automated decision making process to make profiling decisions about the individuals
c) Not obtaining explicit consent from the data subjects for the profiling
d) Not informing the data subjects that their personal data is being collected from third parties for profiling and generating the Credit Score
e) Sharing the credit score which may be incorrect and adversely affect the reputation of the individuals.
f) Transferring the critical personal data across the border for processing without explicit consent…etc
The apparent violations of the company are extremely serious and need immediate action from the Government of India first under Information Technology Act to check if they are practicing “Reasonable Security Practice” and “Due Diligence”. An immediate audit from CERT-IN is warranted.
RBI has powers under the Credit Information Companies (Regulation) Act, 2005, notified on 23rd June 2005, to regulate such credit rating agencies. It would be interesting to note if RBI has ever conducted an audit of CIBIL or, like PNB, left it to God’s wish that the security of information takes care of itself. Perhaps the current RBI administration may answer this.
When PDPA becomes effective, the data collected prior to the implementation date will become illegal and has to be destroyed. This means that unless TransUnion CIBIL obtains “Explicit Consent” on or after the date of PDPA notification, it cannot be allowed to continue in business.
I warn the CIBIL users to take note that if the Government takes action against CIBIL, as they should, their business continuity may be adversely affected. They therefore need to secure themselves against such a contingent event.
I am looking forward to receiving a counter from CIBIL regarding the above and, if received, would be happy to publish it here. If no response comes from them, it would be presumed that the inferences drawn here are perhaps true.
Those in Nasscom and DSCI who have been championing the opposition to Data Localization also need to comment on whether TransUnion should be allowed to transfer the data outside India and what action is to be taken to ensure that the data already transferred out is erased from the servers in the US or elsewhere.