A Bengaluru-based entrepreneur and educational trainee, Surya Prakash, filed a plea in the Supreme Court against Credit Information Companies (CICs) for illegally collecting people’s financial information through forced consent and selling the data to their members. However, the Reserve Bank of India (RBI) defended the collection of bank users’ data, stating that it was precisely the purpose behind Parliament enacting the Credit Information Companies (Regulation) Act, 2005, which allows these companies to access such information without customers’ consent.
The petition filed by Surya also accused the CICs of the “blatant abuse and violation of the right to privacy.”
Read also: Legendary Bengali Singer Pratul Mukhopadhyay Dies At 83
Following the petition, the Supreme Court appointed Senior Advocate K. Parameswar as amicus curiae. In a separate affidavit, the Indian Cyber Crime Coordination Centre (I4C), under the Ministry of Home Affairs (MHA), stated: “In response to the averment made by the petitioner regarding data theft, I4C has requested the nodal officer of cybercrime units in all States/UTs, via letter dated 14.08.2024, seeking information regarding FIRs/cases registered against credit information companies and fintech companies. However, the response is awaited.”
In a counter affidavit, the RBI argued that the plea raised “baseless, unfounded, and speculative issues in complete ignorance of the provisions of the CICR Act and regulations.” Elaborating further, the RBI stated that the Act “was introduced as part of the government’s risk-mitigating policy to prevent the accumulation of fresh NPAs (non-performing assets) in the banking sector.” It explained that the Act provides for the establishment of CICs to collect, share, process, collate, and disseminate credit information of clients, borrowers, and prospective borrowers, enabling banks and financial institutions to make informed lending decisions.
The RBI further asserted that the law empowers credit information companies to collect, store, maintain, and process borrowers’ credit information. With the enactment of the CICR Act, the requirement for borrowers’ consent has become unnecessary.
The counter affidavit pointed out that RBI had given registration to four CICs — TransUnion CIBIL Ltd, Experian Credit Information Company of India Private Ltd, Equifax Credit Information Services Pvt Ltd, and CRIF High Mark Credit Information Services Pvt Ltd.
Additionally, the petitioner pointed out that CICs were retaining citizens’ data beyond the seven-year period prescribed by the Act, violating their privacy rights.
Read also: Kolkota’s SSKM Hospital Performs 175 Gallbladder Surgeries In 5 Days, Sets Record
However, as per the affidavit, seven years is the minimum period for which CICs are mandated to retain data, and the Act does not specify an upper limit on how long the data can be stored.
A bench presided over by Justice Surya Kant is scheduled to hear the matter next on February 17.
