The Supreme Court of India took action on Monday by issuing a notice concerning a legal challenge that claims four international credit reporting agencies are violating privacy rights in India (Surya Prakash v. Union of India and Others). This decision was made even though no one represented the person who filed the case.
A panel led by Chief Justice DY Chandrachud, along with Justices JB Pardiwala and Manoj Misra, has called for responses from several government entities, including the Ministry of Finance, the Reserve Bank of India (RBI), the Ministry for Electronics & Information Technology, and the Ministry of Home Affairs. They also require explanations from the four credit information companies involved: TransUnion CIBIL, Experian Credit Information Company of India, Equifax Credit Information Services, and CRIF High Mark Credit Information Services.
The Court also appointed Advocate K Parameshwar to help as amicus curiae, which means he will provide insight and support in understanding the legal issues at play. The Court stated, “No one appears…we issue notice. Considering the serious issues raised, we appoint an amicus curiae in the proceedings. Advocate K Parameshwar appointed as the amicus. The petitioner, who is representing himself, will be informed of this order.”
The petitioner argues that the principle of data localisation is blatantly violated, since the computer servers and even data storage systems of these companies are located outside India.
“The Respondents 5, 6, 7 & 8 after collecting ·the above mentioned sensitive data from all the Banks,’ Financial Institutions and from various other sources, all illegally without the knowledge & by forced consent of the customers, literally dress up & repackage the sensitive confidential information of the customers and is put on SALE for all their members, for any type of lending institutions in the country or abroad and for the general public and profit from them in a very big way,” the petitioner argued.
The complaint accuses these companies of improperly handling personal and financial data of people by collecting, storing, and processing this information without their permission. This, the petitioner claims, violates the Credit Information Companies Regulation (CICR) Act of 2005. The petitioner also argues that these companies are working together with the RBI and government ministries to breach over a billion people’s privacy.
Additionally, the petitioner claims that these companies do not comply with Indian laws requiring data to be stored within the country, as their servers and data storage facilities are located abroad. He further accuses these companies of selling sensitive and confidential consumer data to various financial bodies, both locally and internationally, thereby profiting significantly from these transactions.
With the generation of credit scores and credit history from personal data, these companies pass judgment, convict citizens as ‘untouchables’ and discriminate against them based on creditworthiness, the petition argued.
“Armed with the Credit Scores & Credit history the Respondents 5, 6, 7 & 8 completely dominate & control the entire Indian Banking ecosystem, literally deciding who should get all the Credit Facilities & who should not. Citizens who get low credit scores “are Financially Paralyzed for their entire lives thus making them incapable to achieve anything worthwhile in their entire lives and literally killing millions of honest struggling business entrepreneurs. This does not augur well for the benefit of the citizens & our country at large,” the petition stated.
The petitioner expresses concern over the creation of a “parallel underworld economy” due to the practices of these companies. He alleges they have unethical business relationships with several financial websites such as Bank Bazaar, Paisa Bazaar, My Loan Care, Loan Adda, and Credit Mantri.
Moreover, the petitioner discusses how these companies assess and influence people’s credit scores and histories, essentially deciding their financial fate and excluding many from essential financial services based on these scores. This control, according to the petitioner, negatively impacts numerous honest business owners and could have long-term detrimental effects on India’s economic landscape.
Because of these concerns, the petitioner is urging the Supreme Court to direct the RBI and concerned ministries to regulate how these companies share data and ensure they comply with the CICR Act, 2005 to protect citizens’ privacy and financial integrity.
Overview of the Credit Information Companies (Regulation) Act, 2005 in India
The Credit Information Companies (Regulation) Act, 2005, commonly known as the CICR Act, is legislation in India that governs the functioning of credit information companies. These companies collect and maintain records of individuals’ and businesses’ credit histories, including loans and credit cards, which they then provide to banks, financial institutions, and other creditors to help them make informed lending decisions.
The primary objectives of the CICR Act are to ensure the accuracy, confidentiality, and secure handling of credit information, and to protect consumers’ privacy. The Act stipulates regulations for credit information companies regarding data collection, its processing, and sharing. It also lays down the rights of borrowers or clients to access their credit reports, dispute inaccuracies, and obtain corrections to ensure the information remains accurate.
Under this act, credit information companies are required to obtain a certificate of registration from the Reserve Bank of India (RBI), ensuring that they meet specific standards of operation. The Act also provides a framework for the interaction between credit institutions and credit information companies, and sets out penalties for violations of the regulations. This helps in maintaining a fair and transparent system for credit reporting in India, thereby fostering a healthy credit environment.
