INTRODUCTION
Credit scoring is a statistical method used to predict an individual’s or small business’s ability to repay debt. It provides a numerical measure of creditworthiness, derived from an individual’s repayment history and financial behaviour across various credit accounts and institutions.
A credit score is a numerical representation of an individual’s financial reliability, typically ranging from 300 to 900 in India. A higher credit score generally indicates a lower risk of default, thereby increasing the likelihood of loan approval. Additionally, individuals with good credit scores are more likely to receive favourable loan terms, such as lower interest rates and better repayment conditions. Conversely, a poor credit score can lead to higher interest rates or even loan rejections.
In India, the management of credit information falls to four major credit information companies licensed by the Reserve Bank of India: TransUnion CIBIL Limited (formerly known as Credit Information Bureau India Limited) (hereinafter referred to as “CIBIL”), Experian, Equifax, and CRIF High Mark.
The right to privacy, a cornerstone of individual freedom, is increasingly under threat in the digitally connected world. The Supreme Court of India recently brought this issue to the fore in the case of Surya Prakash v. Union of India and Others [Diary No. – 23982/2023], wherein concerns were raised about the practices of the four foreign credit information companies operating in India.
PRIVACY CONCERNS IN CREDIT SCORING
The European Artificial Intelligence Act, 2024 classifies credit scoring as a high-risk activity, necessitating enhanced safeguards. Credit histories, which reveal an individual’s financial trajectory, are among the most sensitive types of personal data. Traditional credit scoring models evaluated borrowers based on metrics such as payment history, outstanding debt, credit duration, and credit utilization.
In contrast, contemporary alternative credit scoring methodologies leverage a broad array of digital data points, including social media activity, telecommunications records, digital transactions, and online behaviour. While these advanced models can enhance predictive accuracy, they raise significant privacy concerns due to their opaque nature and the potential for discriminatory outcomes.
The European Union’s General Data Protection Regulation (hereinafter referred to as “GDPR”) addresses these concerns by mandating transparency in automated decision-making processes. The recent Court of Justice of the European Union (hereinafter referred to as “CJEU”) ruling in the SCHUFA case [C‑634/21] emphasizes the need for transparent disclosures about the logic and methodology behind credit scoring systems.
The CJEU determined that Schufa’s credit scoring, based solely on automated mathematical and statistical procedures without human evaluation, falls under Article 22(1) of the GDPR, which addresses automated decision-making. The ruling clarifies that such automated processes can amount to prohibited profiling and mandates that controllers must provide detailed information about the calculation methods and the factors influencing the score.
In India, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter referred to as “IT Rules”) require explicit consent for the collection and processing of sensitive financial data. The Digital Personal Data Protection Act, 2023 (hereinafter referred to as “DPDPA”) further emphasizes the protection of data subjects’ rights, aligning with global standards while recognizing credit scoring as a permissible data processing activity.
THE CASE AT A GLANCE
The Surya Prakash case (supra) revolves around allegations that four major foreign credit information companies, namely, TransUnion CIBIL, Experian Credit Information Company of India, Equifax Credit Information Services, and CRIF High Mark Credit Information Services, are infringing on the right to privacy of Indian citizens by collecting, processing, and storing sensitive financial data without proper consent.
A three-judge bench issued notices in the Public Interest Litigation to several key stakeholders, including the Ministry of Finance, the Reserve Bank of India, the Ministry of Electronics and Information Technology, and the Ministry of Home Affairs, to take appropriate steps against four foreign credit information companies for the alleged violation of citizens’ financial data privacy.
In addition, the four foreign credit information companies implicated in the petition were also directed to respond to the serious allegations levelled against them.
Contentions of the Petitioner
Central to the plea was the claim that these companies are violating the right to privacy of over a billion Indian citizens by surreptitiously collecting, processing, and monetizing sensitive financial data without obtaining informed consent. The Petitioner submitted that these activities are in direct violation of the Credit Information Companies Regulation Act, 2005 (hereinafter referred to as “CICR Act”), which governs the operations of credit information companies in India.
Moreover, the plea emphasized the issue of data localization. The Petitioner contended that the storage of sensitive financial data on servers located outside India poses significant risks to the privacy and security of Indian citizens’ data. This claim was particularly pertinent given India’s evolving stance on data localization, which seeks to ensure that data generated within the country is stored on local servers to protect national security and citizens’ privacy.
The Petitioner alleged that credit information companies have played a role in creating a “parallel underworld economy.” These companies generate credit scores and credit histories for customers of Indian banks and financial institutions. This, the Petitioner argued, leads to financial discrimination, marginalizing individuals with lower credit scores and limiting their economic opportunities.
The Petitioner further alleged that these companies have established unethical, mutually beneficial business relationships with financial service platforms such as Bank Bazaar, Paisa Bazaar, My Loan Care, Loan Adda, and Credit Mantri. The Petitioner also contended that these relationships worsen the exploitation of sensitive financial data, as the companies profit from selling repackaged customer information to lending institutions and the public.
The Petitioner outlined several breaches of the CICR Act by the credit information companies. The CICR Act is designed to oversee the operations of these companies, ensuring the responsible collection, storage, and processing of consumer data with respect to privacy and data security. The Petitioner alleged that these companies have violated fundamental privacy principles by mishandling personal data without proper safeguards, neglecting due diligence in credit information collection, and using data for purposes not explicitly stated, thus contravening the principle of purpose limitation.
The Petitioner further highlighted the companies’ alleged inadequacies in implementing robust security measures to protect sensitive financial data and instances of unauthorized access and misuse of credit information by third parties.
WAY FORWARD
Moving ahead, the findings of the Supreme Court in the Surya Prakash case (supra) are expected to be a turning point in amending and revisiting the concept of data governance in India. Addressing major privacy concerns in India’s credit information sector requires a multi-faceted approach. First, stricter regulations and compliance standards must be enforced to ensure that credit information companies prioritize data privacy. This includes implementing robust data protection measures and conducting regular audits. Second, there should be greater transparency in how personal data is collected, used, and shared, giving individuals more control over their information. Finally, public awareness campaigns are essential to educate consumers about their rights and the importance of data privacy in the credit sector.
AMLEGALS REMARKS
The Surya Prakash case (supra) has far-reaching implications for data privacy and consumer rights in India. At its core, the case challenges the adequacy of existing regulatory frameworks in protecting citizens’ data in the face of increasingly sophisticated data collection and processing technologies. The Supreme Court’s decision to issue notices and also appoint an amicus curiae signals a recognition of the need for stringent oversight of credit information companies and their practices.
Notably, the issues in the present case reiterate the importance of several key rights of data subjects under the GDPR. These include the right to access personal data (Article 15), the right to object to the processing of personal data (Article 21), and the right to erasure and rectification of personal data. The GDPR also defines profiling, including predictive analysis based on personal data (Article 4), and provides protection against decisions based solely on automated processing that significantly affect the data subject (Article 22(1) read with Recital 71).
Moreover, this case brings to the forefront the debate over data localization, a topic that has gained significant traction in recent years. As India continues to grapple with the complexities of regulating cross-border data flows, the outcome of this case could set a crucial precedent for how foreign companies operating in India handle sensitive data.
As the case progresses, several key questions will need to be addressed. Will the Supreme Court mandate stricter enforcement of the CICR Act to ensure compliance with privacy principles? Will the Supreme Court order a review of the data localization policies to safeguard Indian citizens’ data? How will the Supreme Court balance the need for robust data protection with the operational realities of credit information companies in a globalized economy?
These questions are of utmost importance, and the judgement shall be a precedent for all data fiduciaries.
– Team AMLEGALS assisted by Ms. Roshni Naskar