Supreme Court Agrees To Hear Plea Alleging Data Privacy Violation By Foreign Credit Information Companies

The Supreme Court on Monday (May 6) issued notice in a Public Interest Litigation which seeks directions to the Ministry of Finance, RBI, Ministry for Electronics & Information Technology and Ministry of Home Affairs to take appropriate steps against four foreign credit information companies for alleged financial data privacy violation of citizens.  

The bench led by CJI DY Chandrachud agreed to consider the matter and appointed Mr K Parameswar as the Amicus Curiae to assist the Court. While the petitioner-in-person was not present in court, the bench directed that the present development be informed to him. 

It is the contention of the Petitioner-in-Person that the four private multinational companies with head offices and data storage systems located outside India, have been retrieving and storing sensitive financial information of banking customers without their consent and thereafter selling it further. These companies include Transunion CIBIL Limited, Experian Credit Information Company Of India Pvt. Ltd, Equifax Credit Information Services and CRIF High Mark Credit Information Services Pvt. Ltd.  It is further contended by the petitioner that this constitutes a grave violation of the Right to Privacy as laid down in the landmark judgement of KS Puttaswamy v. UOI. 

"The Respondents 5, 6, 7 & 8 after collecting the above mentioned sensitive data from all the Banks,' Financial Institutions and from various other sources, all illegally without the knowledge & by forced consent of the customers, literally dress up & repackage the sensitive confidential information of the customers and is put on SALE for all their members, for any type of lending institutions in the country or abroad and for the general public and profit from them in a very big way,"the plea stated.

It is contended that the companies have been in dire breach of the 'Privacy Principles' of the CICR Act 2005 (Credit Information Companies Regulation Act). CICR Act regulates credit information companies (CICs)  by ensuring that there is no breach of confidential information of the banking data and citizens. Guidelines are laid down as per the Act which monitors the collection, storage, and dissemination of credit information, ensuring consumer privacy and data security, and facilitating efficient credit markets. 

The 12 main principles which have been violated by the present CICs as contended by the Petitioner are : 

4.1: Privacy Principle on Personal Data ;

4.2: Privacy Principle on "Care in collection of Credit Information";

4.3: Privacy Principle on "Personal Data Collection Purpose"; 

4.4: Privacy Principle on "Personal Data Preservation/ Archiving" ;

4.5: Privacy Principle on "Data Security & Secrecy" ;

4.6: Privacy Principle on "Data Collection Limitation" ;

4.7: Privacy Principle on "Data Accuracy & Security of Credit; Information" - Abused & Violated;

4.8: Privacy Principle on "Unauthorized access to Credit Information" ;

4.9: Privacy Principle on "Access & Modification "of Credit Information ;

4.10: Privacy Principle on "Data Use Limitation" ;

4.11: Privacy Principle on "Alteration of Credit Information files & Credit Reports"; 

4.12: Privacy Principle on "Offenses & Penalties" 

The matter will now be heard on July 15. 

Case Details : SURYA PRAKASH VS. UNION OF INDIA DIARY NO. - 23982/2023