- If bank customers request deletion of loan data from the database of a credit information company (CIC), exercising a right under the Digital Personal DataProtection (DPDP) Act, they may no longer be able to continue with the banking system in the future, according to an IT Ministry official.
- The DPDP Act, 2023, was notified in August last year but the rules under the Act that provide guidance for its implementation are yet to be notified.
- In other words, with regard to CICs, if a user decides that they do not want to have to do anything with the banking system, they can approach the Data Protection Board (DPB) to get their personal data deleted. That will be a one-way street though, and such customers will no longer be able to continue with the banking system in future.
- Technology experts and policy lawyers were split on whether CICs can be exempt under the new data law and if people can request complete data deletion for privacy reasons.
- Credit scores are generated by CICs based on the credit history of customers. CICs are licensed by the Reserve Bank of India (RBI) under the Credit Information Companies (Regulation) Act, 2005 (CIC Act).
- Although CICs follow the CIC Act for collecting and storing personal financial information of their users, they will also have to follow the provisions under the DPDP Act.
- The IT ministry is unlikely to give blanket exemptions to any government or non-government bodies when it comes to the implementation of the rules under the DPDP Act.
- All such bodies that seek exemption must approach the DPB and present their case before that body to seek the specified exception, a source said.
- A consultant who has previously worked with a leading credit bureau reveals on the condition of anonymity that a bank may choose not to give a loan to a customer after he/she exercises the right to request deletion of his/her personal credit data from the CIC’s database.
- Credit bureaus such as TransUnion CIBIL, Experian, Equifax, and CRIF High Mark are approved by the RBI to operate in India. TransUnion CIBIL, for example, maintains credit files on 600 million individuals and 32 million businesses.
- Traditionally, CICs use information on an individual’s outstanding loans and history of repayment/defaults, to generate credit scores.
- It is further said that today, the internet has allowed CICs to spread their net wider to seek information and data (credit information) on individuals and third parties who use algorithms and automated processing, supply datasets to CICs – which ironically, are a much better reflection on the credit scores of individuals.
- These data intensive credit profiles include the use of several data sets, in addition to credit information and may include employment details, social media activity, and web browsing history. Such a rich data-intensive credit profile is far more useful to a lender making a ‘grant a loan or not to grant a loan’ / credit extension decision.
- Also, in most cases, the information that is picked up by these third parties is available online. Thus, the issue of consent may not arise.
- Of course, there may be grey areas where the information may fall within the purview of consent requirement for processing of personal information under the DPDP Act.
No Comments