Mistaken Identity lands TransUnion in a $40 million class action suit

TransUnion is a well known company in India. This company silently acquired 92% of the shares of CIBIL which was earlier held by many Banks in CIBIL.

The mystery of this acquisition in which a company owned by several public sector banks by a US based private sector company is a matter of case study. No Sucheta Dalal nor Subramanya Swamy got wind of this acquisition and press and media including Mr Arnab Goswami were in the dark.

In the process, TransUnion CIBIL became the controller of sensitive personal data of 1000 million Indians. The sensitive data consisted of demographic data, financial data and profiling data leading to personal credit rating. The personal credit rating is used by many Fintech companies for automated decision making for decisions on lending, fixing of limits on credit cards etc.

The value of such data which continues to grow and bring in revenue to TransUnion CIBIL is worth exploring.

If we take the dark web value index 2021 as a base these data sets are valued not less than $25 per data set to perhaps even $200 and over. Unfortunately the share holders of these Banks (SBI, Union Bank, IOB, etc) represented in the  diagram showing the share holding pattern in 2001,  never came to know of this lucrative buy out and the watch dog SEBI perhaps also missed its duty to ensure that the minority share holders got their dues. All this perhaps was technically well executed within the law since the only organization which was in the know of the things at that time was the RBI and the Finance Ministry during the last days of P Chidambaram and the early days of Arun Jaitely.

Now an interesting case has come to light in USA where a class action suit filed against the Company for damages of around $40 million has reached the Supreme Court.  The suit was prompted by an incident when a dealer of Nissan automobile was checked for his credit rating using TransUnion in which the report noted that the name of the dealer appeared to partially match two names included in the Federal Government list of people barred from conducting business in US because of national security concerns.

The report had wrongly identified the dealer with some terrorist names ( A similar incident had once identified a major fraud in a Bangladesh Central Bank in the SWIFT system). 8184 others had joined with the dealer and launched a class action suit against TransUnion out of which similar data of 1853 had been released by TransUnion earlier.  Indirectly these 1853 persons were flagged as terror suspects.

A lower court had determined a $40 million damage which was on appeal at the Supreme Court.  The Supreme Court (in a 5-4 ruling) appears to be considering lowering of the damage since not all 8185 of the participants of the class action suit had suffered the real damage like the 1853 persons.

See the full judgement here

The final decision of the Supreme Court will determine the “Value of Damage” caused by a wrong profiling of a data subject. It would be interesting for us to watch the final outcome.

This case could provide a guidance to valuation of damage caused by a wrongful handling of personal data profiling and disclosure and could be a precedence that we may all refer from time to time.


Also Refer:


CBI Enquiry is required for finding the truth behind TransUnion taking over CIBIL

Is TransUnion-CIBIL guilty of Accessing Critical Personal Data through surreptitious means?


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.