DPDP Act: Banking access may be at risk if you seek to delete credit data

If bank customers request deletion of loan data from the database of a credit information company (CIC), exercising a right under the Digital Personal Data Protection (DPDP) Act, they may no longer be able to continue with the banking system in the future, an IT ministry official told ET.
The DPDP Act, 2023, was notified in August last year but the rules under the Act that provide guidance for its implementation are yet to be notified.

“With regard to CICs, if a user decides that they do not want to have to do anything with the banking system, they can approach the Data Protection Board (DPB) to get their personal data deleted. That will be a one-way street though, and such customers will no longer be able to continue with the banking system in future,” the IT ministry official said.

Technology experts and policy lawyers were split on whether CICs can be exempt under the new data law and if people can request complete data deletion for privacy reasons.

Credit scores are generated by CICs based on the credit history of customers. CICs are licensed by the Reserve Bank of India (RBI) under the Credit Information Companies (Regulation) Act, 2005 (CIC Act).

Although CICs follow the CIC Act for collecting and storing personal financial information of their users, they will also have to follow the provisions under the DPDP Act.

The IT ministry is unlikely to give blanket exemptions to any government or non-government bodies when it comes to the implementation of the rules under the DPDP Act.All such bodies that seek exemption must approach the DPB and present their case before that body to seek the specified exception, a source said.

A consultant who has previously worked with a leading credit bureau told ET on the condition of anonymity that a bank may choose not to give a loan to a customer after she exercises the right to request deletion of her personal credit data from the CIC’s database.

With less granular data to assess credit-risk, it is possible for lenders to avoid extending credit to certain individuals, Sajai Singh, Partner, JSA Advocates & Solicitors said.

Credit bureaus such as TransUnion CIBIL, Experian, Equifax, and CRIF High Mark are approved by the RBI to operate in India. TransUnion CIBIL, for example, maintains credit files on 600 million individuals and 32 million businesses.

None of the four credit bureaus mentioned above responded to ET’s queries.

ET could not independently verify if the RBI had given any inputs, formal or informal, on the DPDP Act to the Ministry of Electronics and Information Technology (MeitY). RBI did not respond to ET’s queries. A senior MeitY official told ET no exemptions were sought by CICs yet under the DPDP Act.

Traditionally, CICs use information on an individual’s outstanding loans and history of repayment/defaults, to generate credit scores.

“Today, the internet has allowed CICs to spread their net wider to seek information and data (credit information) on individuals,” pointed out Singh.

Third parties, using algorithms and automated processing, supply datasets to CICs – which, ironically, are a much better reflection on the credit scores of individuals, he said.

These data intensive credit profiles include the use of several data sets, in addition to credit information. These data sets may include employment details, social media activity, and web browsing history.

“Such a rich data-intensive credit profile is far more useful to a lender making a ‘grant a loan or not to grant a loan’ / credit extension decision,” Singh explained.

“In most cases, the information that is picked up by these third parties is available online. Thus, the issue of consent may not arise,” he said.

Of course, there may be grey areas where the information may fall within the purview of consent requirement for processing of personal information under the DPDP Act, Singh added.

If bank customers request deletion of loan data from the database of a credit information company (CIC), exercising a right under the Digital Personal Data Protection (DPDP) Act, they may no longer be able to continue with the banking system in the future, an IT ministry official told ET.
The DPDP Act, 2023, was notified in August last year but the rules under the Act that provide guidance for its implementation are yet to be notified.

“With regard to CICs, if a user decides that they do not want to have to do anything with the banking system, they can approach the Data Protection Board (DPB) to get their personal data deleted. That will be a one-way street though, and such customers will no longer be able to continue with the banking system in future,” the IT ministry official said.

Technology experts and policy lawyers were split on whether CICs can be exempt under the new data law and if people can request complete data deletion for privacy reasons.

Credit scores are generated by CICs based on the credit history of customers. CICs are licensed by the Reserve Bank of India (RBI) under the Credit Information Companies (Regulation) Act, 2005 (CIC Act).

Although CICs follow the CIC Act for collecting and storing personal financial information of their users, they will also have to follow the provisions under the DPDP Act.

The IT ministry is unlikely to give blanket exemptions to any government or non-government bodies when it comes to the implementation of the rules under the DPDP Act.All such bodies that seek exemption must approach the DPB and present their case before that body to seek the specified exception, a source said.

A consultant who has previously worked with a leading credit bureau told ET on the condition of anonymity that a bank may choose not to give a loan to a customer after she exercises the right to request deletion of her personal credit data from the CIC’s database.

With less granular data to assess credit-risk, it is possible for lenders to avoid extending credit to certain individuals, Sajai Singh, Partner, JSA Advocates & Solicitors said.

Credit bureaus such as TransUnion CIBIL, Experian, Equifax, and CRIF High Mark are approved by the RBI to operate in India. TransUnion CIBIL, for example, maintains credit files on 600 million individuals and 32 million businesses.

None of the four credit bureaus mentioned above responded to ET’s queries.

ET could not independently verify if the RBI had given any inputs, formal or informal, on the DPDP Act to the Ministry of Electronics and Information Technology (MeitY). RBI did not respond to ET’s queries. A senior MeitY official told ET no exemptions were sought by CICs yet under the DPDP Act.

Traditionally, CICs use information on an individual’s outstanding loans and history of repayment/defaults, to generate credit scores.

“Today, the internet has allowed CICs to spread their net wider to seek information and data (credit information) on individuals,” pointed out Singh.

Third parties, using algorithms and automated processing, supply datasets to CICs – which, ironically, are a much better reflection on the credit scores of individuals, he said.

These data intensive credit profiles include the use of several data sets, in addition to credit information. These data sets may include employment details, social media activity, and web browsing history.

“Such a rich data-intensive credit profile is far more useful to a lender making a ‘grant a loan or not to grant a loan’ / credit extension decision,” Singh explained.

“In most cases, the information that is picked up by these third parties is available online. Thus, the issue of consent may not arise,” he said.

Of course, there may be grey areas where the information may fall within the purview of consent requirement for processing of personal information under the DPDP Act, Singh added.